Azure ADF ARM template deployment failing due to authorization for linked services
I am deploying an ARM template from the DEV environment to PROD using a DevOps pipeline.
The linked service connection parameters are configured in the release pipeline at deployment time using the override template parameters option.
Yesterday a migration from Gen1 to Gen2 took place on ADLS, and I tried to deploy the changes from DEV to PROD using ARM template deployment.
But I get the following errors and the deployment fails...
Authorization failed for template resource 'PROD_DataFactory/LS_PROD_SQLDB' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/LS_PROD_SQLDB'.:
Authorization failed for template resource 'PROD_DataFactory/ADF_KV' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/ADF_KV'.:
Authorization failed for template resource 'PROD_DataFactory/ADLS_LinkedService_v2' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/ADLS_LinkedService_v2'.:
Authorization failed for template resource 'PROD_DataFactory/Adfblobstorageitcdatalake' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/Adfblobstorageitcdatalake'.:
Authorization failed for template resource 'PROD_DataFactory/Auto_Cluster' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/Auto_Cluster'.:
Authorization failed for template resource 'PROD_DataFactory/AzureDataLakeStore1' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/AzureDataLakeStore1'.:
Authorization failed for template resource 'PROD_DataFactory/AzureDataLakeStore1_v2' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/AzureDataLakeStore1_v2'.:
Authorization failed for template resource 'PROD_DataFactory/AzureDataLakeStore2' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/AzureDataLakeStore2'.:
Out of 30 linked services, 20 show the same error. All of these worked fine before.
Interestingly, I do have 2 Key Vault connections that connect to the same KV with identical connection parameters. Of these 2 KV connections, only one throws the error; the other throws none.
Any idea why this error occurs, and why only for a few LS?
If it is because of the DevOps project's permissions on the Data Factory, then how come so many linked services do not throw the error?
The error looks like the service principal used in the Azure subscription service connection in Azure DevOps does not have the right permissions.
This may be caused by an automatically created service principal client secret having expired.
If the service principal client secret has not expired, you can check whether the service principal has the appropriate permissions and add the appropriate role assignment accordingly.
Please refer to the following steps to add the Data Factory Contributor role to the service principal used in Azure DevOps on the Azure Data Factory (i.e. PROD_DataFactory).
1. Go to your ADO project's Project settings --> Service connections --> click your Azure subscription service connection --> click Manage Service Principal
Note: if you already know the service principal, you can skip this step.
2. Go to your Azure Data Factory (i.e. PROD_DataFactory). Navigate to the Access control section --> click Add to add a role assignment --> add the Data Factory Contributor role to the service principal
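As an added example (not part of the answer above, and not Azure tooling), the following Python triages the ARM "Authorization failed" text from the question: it extracts the deploying principal's object id, the denied action and the scope, reduces the scope to the factory itself (the level at which the answer assigns the role), and checks constructed role-assignment records shaped like `az role assignment list` output for an assignment that covers that scope, since RBAC inherits from subscription and resource group down to the factory. The 777... principal and the Reader assignment are constructed; the role names are the built-in Azure roles whose actions include the denied write.

```python
import re
# Shape of the ARM 'Authorization failed' lines quoted in the question.
AUTHZ_RE = re.compile(
    r"Authorization failed for template resource '(?P<resource>[^']+)' of type "
    r"'(?P<type>[^']+)'\. The client '(?P<client>[^']+)' with object id "
    r"'(?P<oid>[^']+)' does not have permission to perform action "
    r"'(?P<action>[^']+)' at scope '(?P<scope>[^']+)'"
)
FACTORY_RE = re.compile(r"^(.*/providers/Microsoft\.DataFactory/factories/[^/]+)", re.I)
# Built-in roles whose actions include Microsoft.DataFactory/factories/linkedServices/write.
ROLES_GRANTING_ADF_WRITE = {"Data Factory Contributor", "Contributor", "Owner"}
# Constructed input: two of the error lines from the question.
SAMPLE_ERRORS = """\
Authorization failed for template resource 'PROD_DataFactory/LS_PROD_SQLDB' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/LS_PROD_SQLDB'.:
Authorization failed for template resource 'PROD_DataFactory/ADF_KV' of type 'Microsoft.DataFactory/factories/linkedServices'. The client '555************555' with object id '555************555' does not have permission to perform action 'Microsoft.DataFactory/factories/linkedServices/write' at scope '/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup/providers/Microsoft.DataFactory/factories/PROD_DataFactory/linkedServices/ADF_KV'.:
"""
# Constructed role assignments (shape of `az role assignment list`); 777... is made up to show a covered case.
SAMPLE_ASSIGNMENTS = [
    {"principalId": "555************555", "roleDefinitionName": "Reader", "scope": "/subscriptions/***subscriptionID***/resourceGroups/PROD-ResourceGroup"},
    {"principalId": "777************777", "roleDefinitionName": "Contributor", "scope": "/subscriptions/***subscriptionID***"},
]

def parse_failures(text):
    """One dict per 'Authorization failed' line: resource, type, client, oid, action, scope."""
    return [m.groupdict() for m in AUTHZ_RE.finditer(text)]

def factory_scope(scope):
    """Drop the linkedServices/<name> tail: the role is assigned once, on the factory."""
    m = FACTORY_RE.match(scope)
    return m.group(1) if m else scope

def missing_permissions(failures):
    """Group failures by (object id, action) -> set of factory scopes that need a role."""
    needed = {}
    for f in failures:
        needed.setdefault((f["oid"], f["action"]), set()).add(factory_scope(f["scope"]))
    return needed

def covers(assignments, oid, scope):
    """True if oid holds an ADF-write role at scope or at an ancestor (RBAC inherits downward)."""
    target = scope.lower()
    return any(a["principalId"] == oid and a["roleDefinitionName"] in ROLES_GRANTING_ADF_WRITE
               and (target == a["scope"].lower().rstrip("/")
                    or target.startswith(a["scope"].lower().rstrip("/") + "/"))
               for a in assignments)

def remediation(needed, assignments):
    """az CLI commands granting Data Factory Contributor only where coverage is missing."""
    return [f"az role assignment create --assignee-object-id {oid} --assignee-principal-type "
            f'ServicePrincipal --role "Data Factory Contributor" --scope {scope}'
            for (oid, _action), scopes in sorted(needed.items()) for scope in sorted(scopes)
            if not covers(assignments, oid, scope)]
```

Run against the full error list from the question, the output is one command per distinct principal and factory rather than one per failing linked service.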