
azure - Assigning a Synapse workspace to a storage container with Terraform

Reposted. Author: 行者123 Updated: 2023-12-03 01:17:41

I am trying to create a Synapse workspace with Terraform. The workspace deploys successfully, but when I test the connection to WorkSpaceDefaultStorage in Synapse Studio I get the following error:

ADLS Gen2 operation failed for: Storage operation '' on container 'testconnection' get failed with 'Operation returned an invalid status code 'Forbidden''.

Code for the Synapse workspace deployment:


# Declarations added so the snippet stands alone (the original post referenced these
# without showing them); the variable and resource names are assumed.
data "azurerm_client_config" "current" {}

variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "storage_account_name" { type = string }
variable "azure_data_lake_name" { type = string }
variable "synapse_workspace_name" { type = string }
variable "synapse_managed_resource_group_name" { type = string }
variable "synapse_sql_admin_user" { type = string }
variable "azure_ad_admin_login" { type = string }
variable "synapse_sql_admin_password" {
  type      = string
  sensitive = true
}

resource "azurerm_resource_group" "rg" {
  name     = var.resource_group_name
  location = var.location
}

# ADLS Gen2 account: hierarchical namespace must be enabled for Synapse's default storage
resource "azurerm_storage_account" "sa" {
  name                     = var.storage_account_name
  location                 = azurerm_resource_group.rg.location
  resource_group_name      = azurerm_resource_group.rg.name
  account_tier             = "Standard"
  account_replication_type = "GRS"
  account_kind             = "StorageV2"
  is_hns_enabled           = true
}

# Filesystem (container) that becomes WorkSpaceDefaultStorage
resource "azurerm_storage_data_lake_gen2_filesystem" "adlfs" {
  name               = var.azure_data_lake_name
  storage_account_id = azurerm_storage_account.sa.id
}

resource "azurerm_synapse_workspace" "synapseworkspace" {
  name                                 = var.synapse_workspace_name
  resource_group_name                  = azurerm_resource_group.rg.name
  location                             = azurerm_resource_group.rg.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adlfs.id
  sql_administrator_login              = var.synapse_sql_admin_user
  sql_administrator_login_password     = var.synapse_sql_admin_password

  managed_resource_group_name = var.synapse_managed_resource_group_name

  # The identity running terraform apply becomes the Azure AD admin of the workspace
  aad_admin {
    login     = var.azure_ad_admin_login
    object_id = data.azurerm_client_config.current.object_id
    tenant_id = data.azurerm_client_config.current.tenant_id
  }

  # System-assigned managed identity; this is the principal Synapse uses to reach storage
  identity {
    type = "SystemAssigned"
  }

  # Add tags
  tags = {
    source = "terraform"
  }
}

# Firewall rule covering every IPv4 address (0.0.0.0 to 255.255.255.255)
resource "azurerm_synapse_firewall_rule" "synapsefirewall" {
  name                 = "AllowAll"
  synapse_workspace_id = azurerm_synapse_workspace.synapseworkspace.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "255.255.255.255"
}

I assume the error can easily be fixed with role management in the Azure portal, but fixing it with Terraform would be the best option.

Best answer

Try the following?

I found it's not enough for the app and account to be added as owners. I would go into your storage account > IAM > Add role assignment, and add the special permissions for this type of request:

  • Storage Blob Data Contributor
  • Storage Queue Data Contributor

Quoted from: Azure Blob Storage "Authorization Permission Mismatch" error for get request with AD token

Using the Terraform module azurerm_role_assignment, you can assign a given principal (user or group) to a given role. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment

For an Azure Synapse workspace specifically, the principal identity can be retrieved with azurerm_synapse_workspace.synapseworkspace.identity[0].principal_id

and assigned to a role:

# Create storage account
resource "azurerm_storage_account" "sa" {
  ...
}

# Create synapse workspace
resource "azurerm_synapse_workspace" "synapseworkspace" {
  ...
}

# Grant Synapse Workspace access to storage as Storage Blob Data Contributor
resource "azurerm_role_assignment" "synapsedatacontributor" {
  role_definition_name = "Storage Blob Data Contributor"
  scope                = azurerm_storage_account.sa.id
  principal_id         = azurerm_synapse_workspace.synapseworkspace.identity[0].principal_id
}

Regarding azure - Assigning a Synapse workspace to a storage container with Terraform, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/73944698/
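
As an added, self-contained example (not the question's or the answer's code), the configuration below applies the answer's fix end to end: it creates the ADLS Gen2 account, the filesystem and the workspace, then grants the workspace's system-assigned managed identity the Storage Blob Data Contributor data-plane role. The 403 Forbidden in the question arises because Owner/Contributor are control-plane roles and do not authorise blob reads with an Azure AD token. Names in `locals`, the `sqladminuser` login, the `azurerm ~> 3.0` provider constraint and the second, container-scoped assignment for the deploying identity (assumed to be the person browsing data in Synapse Studio) are assumptions. It also replaces the question's 0.0.0.0 to 255.255.255.255 rule with the reserved 0.0.0.0 to 0.0.0.0 rule that admits only Azure services; add your own egress ranges as separate rules.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity running `terraform apply`; also receives an interactive data-plane grant below.
data "azurerm_client_config" "current" {}

variable "synapse_sql_admin_password" {
  type      = string
  sensitive = true
}

# Assumed names; storage account names must be globally unique, 3-24 lowercase alphanumerics.
locals {
  location = "westeurope"
  rg_name  = "rg-synapse-example"
  sa_name  = "stsynapseexample01"
  fs_name  = "synapsefs"
  ws_name  = "synws-example"
}

resource "azurerm_resource_group" "rg" {
  name     = local.rg_name
  location = local.location
}

resource "azurerm_storage_account" "sa" {
  name                            = local.sa_name
  resource_group_name             = azurerm_resource_group.rg.name
  location                        = azurerm_resource_group.rg.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  account_kind                    = "StorageV2"
  is_hns_enabled                  = true   # ADLS Gen2 (hierarchical namespace)
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false  # no anonymous container or blob access
}

resource "azurerm_storage_data_lake_gen2_filesystem" "adlfs" {
  name               = local.fs_name
  storage_account_id = azurerm_storage_account.sa.id
}

resource "azurerm_synapse_workspace" "ws" {
  name                                 = local.ws_name
  resource_group_name                  = azurerm_resource_group.rg.name
  location                             = azurerm_resource_group.rg.location
  storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.adlfs.id
  sql_administrator_login              = "sqladminuser"
  sql_administrator_login_password     = var.synapse_sql_admin_password

  identity {
    type = "SystemAssigned"   # the principal Synapse presents to the storage account
  }
}

# The fix from the answer: a data-plane role for the workspace's managed identity.
# Owner/Contributor are control-plane only and do not authorise blob reads, hence the 403.
resource "azurerm_role_assignment" "ws_blob_contributor" {
  scope                            = azurerm_storage_account.sa.id
  role_definition_name             = "Storage Blob Data Contributor"
  principal_id                     = azurerm_synapse_workspace.ws.identity[0].principal_id
  skip_service_principal_aad_check = true   # identity was just created; skip the AAD lookup that can lag
}

# Assumption: the deploying identity browses data in Synapse Studio, so it needs the same
# data-plane role; scope it to the single filesystem instead of the whole account.
resource "azurerm_role_assignment" "deployer_blob_contributor" {
  scope                = "${azurerm_storage_account.sa.id}/blobServices/default/containers/${azurerm_storage_data_lake_gen2_filesystem.adlfs.name}"
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = data.azurerm_client_config.current.object_id
}

# 0.0.0.0-0.0.0.0 is Azure's reserved "allow Azure services" rule; it does not expose the
# workspace to every public IPv4 address the way 0.0.0.0-255.255.255.255 does.
resource "azurerm_synapse_firewall_rule" "azure_services" {
  name                 = "AllowAllWindowsAzureIps"
  synapse_workspace_id = azurerm_synapse_workspace.ws.id
  start_ip_address     = "0.0.0.0"
  end_ip_address       = "0.0.0.0"
}

output "synapse_managed_identity_principal_id" {
  value = azurerm_synapse_workspace.ws.identity[0].principal_id
}
```

Pass the SQL admin password through the environment (`TF_VAR_synapse_sql_admin_password`) rather than on the command line so it stays out of shell history, then run `terraform init` and `terraform apply`. To confirm the grant landed before retesting in Synapse Studio, list assignments for the printed principal with `az role assignment list --assignee <principal_id> --scope <storage account id>`; the Storage Blob Data Contributor row should be present. Role assignments can take a minute or two to propagate, so an immediate retest may still return 403.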
