Azure Data Lake gen2（Data Lake Storage）使用托管标识在容器级别进行访问控制

Question

我尝试为 Azure Data Lake gen2 编写授权角色脚本。为服务帐户添加这个没有问题：

$storageAccount = Get-AzResource -Name $StorageAccountName -ResourceGroupName $ResourceGroupName
$datafactory = Get-AzDataFactoryV2 -Name $DataFactoryName -ResourceGroupName $ResourceGroupName
$contributorRoleDefinition = Get-AzRoleDefinition -Scope $storageAccount.ResourceId -Name 'Contributor'

$dataFactoryRole = Get-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
if(!$dataFactoryRole)
{
    New-AzRoleAssignment -Scope $storageAccount.ResourceId -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $contributorRoleDefinition.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}

问题是我想获得容器级别的大权限 - 而不是服务帐户级别。以上脚本在容器级别生成：父资源（继承），但需要的是：此资源。

我可以通过门户网站完成，但对我的情况来说不是有效的解决方案。

Answer 1

如果你想获得容器级别的grand权限，请参考以下脚本

Connect-AzAccount

$container=Get-AzRmStorageContainer -Name $StorageAccountName -ResourceGroupName $ResourceGroupName -Name $containerName

$datafactory = Get-AzDataFactoryV2 -Name <> -ResourceGroupName <>

$role=Get-AzRoleDefinition -Name "Storage Blob Data Reader"

$dataFactoryRole = Get-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
if(!$dataFactoryRole)
{
    New-AzRoleAssignment -Scope $container.Id -ObjectId $datafactory.Identity.PrincipalId -RoleDefinitionId $role.Id
    Write-Host "Access to blob storage for data factory was granted"
}
else
{
    Write-Host "Access to blob storage for data factory has already been granted"
}

此外，请注意，如果要使用 AD 身份验证访问 Azure Blob，则需要使用以下角色：Storage Blob Data Contributor、Storage Blob Data Reader 和存储 Blob 数据所有者。更多详情请参考here和here