How to use Azure.Identity.ClientSecretCredential to access an Azure Queue?
I created an app registration in Azure and added access to Azure Storage (user_impersonation):
The console application uses these packages:
<PackageReference Include="Azure.Identity" Version="1.2.0-preview.6" />
<PackageReference Include="Azure.Storage.Queues" Version="12.4.0-preview.5" />
The code is as follows:
using System;
using Azure.Identity;
using Azure.Storage.Queues;

// Service principal credential (client-credentials flow)
var tc = new ClientSecretCredential("{tenant-id}", "{client-id}", "{client-secret}");
var client = new QueueClient(new Uri("https://{storage-name}.queue.core.windows.net/example-q"), tc);
// this fails with error
client.SendMessage("msg");
The error message is as follows:
Unhandled exception. Azure.RequestFailedException: This request is not authorized to perform this operation using this permission.
RequestId:13f45216-9003-0061-49cf-616632000000
Time:2020-07-24T15:32:44.9586872Z
Status: 403 (This request is not authorized to perform this operation using this permission.)
ErrorCode: AuthorizationPermissionMismatch
Headers:
Server: Windows-Azure-Queue/1.0,Microsoft-HTTPAPI/2.0
x-ms-request-id: 13f45216-9003-0061-49cf-616632000000
x-ms-version: 2018-11-09
x-ms-error-code: AuthorizationPermissionMismatch
Date: Fri, 24 Jul 2020 15:32:44 GMT
Content-Length: 279
Content-Type: application/xml
at Azure.Storage.Queues.QueueRestClient.Messages.EnqueueAsync_CreateResponse(ClientDiagnostics clientDiagnostics, Response response)
at Azure.Storage.Queues.QueueRestClient.Messages.EnqueueAsync(ClientDiagnostics clientDiagnostics, HttpPipeline pipeline, Uri resourceUri, QueueSendMessage message, String version, Nullable`1 visibilitytimeout, Nullable`1 messageTimeToLive, Nullable`1 timeout, String requestId, Boolean async, String operationName, CancellationToken cancellationToken)
at Azure.Storage.Queues.QueueClient.SendMessageInternal(String messageText, Nullable`1 visibilityTimeout, Nullable`1 timeToLive, Boolean async, CancellationToken cancellationToken)
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](Task`1 task)
at Azure.Storage.Queues.QueueClient.SendMessage(String messageText, Nullable`1 visibilityTimeout, Nullable`1 timeToLive, CancellationToken cancellationToken)
at Azure.Storage.Queues.QueueClient.SendMessage(String messageText)
To access Azure Queue Storage with a service principal, you must assign the Azure RBAC role (Storage Queue Data Contributor) to the SP. For details, refer to the document.
For example:
- Create the service principal and assign the role
az login
az ad sp create-for-rbac -n "MyApp" --role 'Storage Queue Data Contributor' \
--scope '/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>'
- Code (I used the same SDK versions)
ClientSecretCredential cred = new ClientSecretCredential(tenantId, clientId, clientSecret);
var client = new QueueClient(new Uri("https://blobstorage0516.queue.core.windows.net/test"), cred);
string message = "First Message to azure Queue";
client.SendMessage(message);
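The same call as above, as an added example that is not part of the original question or answer: it reads the tenant, client id and secret from environment variables instead of hardcoding them, and maps the 403 AuthorizationPermissionMismatch seen in the question to the missing data-plane role. The environment variable names and queue URI are assumptions; the code assumes the packages listed in the question.

```csharp
// Added example (not from the original post). Assumes the principal has been
// granted "Storage Queue Data Contributor" on the storage account as shown above.
using System;
using Azure;
using Azure.Identity;
using Azure.Storage.Queues;
using Azure.Storage.Queues.Models;

class Program
{
    static int Main()
    {
        // Keep the client secret out of source code: read settings from the
        // environment (variable names are assumptions for this example).
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
        // e.g. https://<storage-account>.queue.core.windows.net/example-q
        string queueUri = Environment.GetEnvironmentVariable("QUEUE_URI");

        if (string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(clientId) ||
            string.IsNullOrEmpty(clientSecret) || string.IsNullOrEmpty(queueUri))
        {
            Console.Error.WriteLine("Set AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and QUEUE_URI.");
            return 2;
        }

        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        var client = new QueueClient(new Uri(queueUri), credential);

        try
        {
            Response<SendReceipt> receipt = client.SendMessage("First Message to azure Queue");
            Console.WriteLine($"Sent message {receipt.Value.MessageId}");
            return 0;
        }
        catch (AuthenticationFailedException ex)
        {
            // Token request itself failed: wrong tenant/client id or an expired secret.
            Console.Error.WriteLine($"Could not obtain a token: {ex.Message}");
            return 3;
        }
        catch (RequestFailedException ex) when (ex.Status == 403 && ex.ErrorCode == "AuthorizationPermissionMismatch")
        {
            // The token was accepted (otherwise the service would return 401), but the
            // principal holds no data-plane role on this queue. The delegated API
            // permission "user_impersonation" does not apply to the client-credentials
            // flow that ClientSecretCredential uses; only an RBAC role assignment does.
            Console.Error.WriteLine("403 AuthorizationPermissionMismatch: assign 'Storage Queue Data Contributor' " +
                "to the service principal on the storage account; new assignments can take a few minutes to apply.");
            return 1;
        }
    }
}
```

Run it once before the role assignment to reproduce the 403 from the question, then again after assigning the role and waiting for it to propagate.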