通过托管标识通过 Azure SQL 数据库访问 Azure Blob 存储

Question

我正在尝试通过托管标识通过 Azure SQK 数据库连接到 Azure Blob 存储，具体步骤如下：

1. 为服务器分配一个身份

2. 作为贡献者授予对 Blob 存储上服务器的访问权限

3. 执行了以下查询

   创建主密钥

    CREATE DATABASE SCOPED CREDENTIAL MSI WITH IDENTITY = 'Managed Service Identity';
   
   
        CREATE EXTERNAL DATA SOURCE [BlobStorage] WITH
    (  
        TYPE = BLOB_STORAGE,
        LOCATION = 'https://<<blobnm>>.blob.core.windows.net/<<containerNm>>',
        CREDENTIAL = MSI
    )
   
    create table test
    (
    c1 varchar(5),
    c2 varchar(4)
    )
   
    BULK INSERT test from 'poly.csv' WITH ( DATA_SOURCE = 'BlobStorage',FORMAT='csv',FIRSTROW = 2 );
   

但我收到以下错误：

Cannot bulk load because the file "msi/poly.csv" could not be opened. Operating system error code 86(The specified network password is not correct.)

那么谁能告诉我我错过了什么？

Answer 1

这个错误有很多原因。我列出了一些原因如下：

1. 检查 SAS 密钥是否已过期？请检查允许的权限。

2. 您在创建 SECRET 时是否删除了问号？

CREATE DATABASE SCOPED CREDENTIAL UploadInvoices
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'sv=2019-12-12******2FspTCY%3D'

我也尝试了以下测试，效果很好。我的 csv 文件没有标题。

CREATE MASTER KEY ENCRYPTION BY PASSWORD = '***';
go

CREATE DATABASE SCOPED CREDENTIAL UploadInvoices
WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
SECRET = 'sv=2019-12-12&ss=bfqt&srt=sco&sp******%2FspTCY%3D'; -- dl


CREATE EXTERNAL DATA SOURCE MyAzureInvoices
    WITH (
        TYPE = BLOB_STORAGE,
        LOCATION = 'https://***.blob.core.windows.net/<container_name>',
        CREDENTIAL = UploadInvoices
    );

BULK INSERT production.customer
FROM 'bs140513_032310-demo.csv'
WITH
    (
        DATA_SOURCE = 'MyAzureInvoices',
        FORMAT = 'CSV',
        ERRORFILE = 'load_errors_TABLE_B',
        ERRORFILE_DATA_SOURCE = 'MyAzureInvoices',
        FIRSTROW = 2
    )
GO

Answer 2

我认为您用于在 SQL 中创建 CREDENTIALS 的命令存在错误。必须是

CREATE CREDENTIAL ServiceIdentity WITH IDENTITY = 'Managed Identity';

而不是'Managed Service Identity'

参考https://docs.microsoft.com/en-us/sql/t-sql/statements/create-credential-transact-sql?view=sql-server-ver15