"Microsoft.Sql/servers/auditingSettings" requires StorageBlobContributor access for a non-vnet storage account

Problem description

I am deploying a SQL Server via an ARM template. When configuring the auditing settings for this SQL server with a storage account, it asks for permissions.

According to link, we need the permissions only when the storage account is behind a firewall. However, my storage account is open to the Internet, so the permission prerequisite should not apply here.

I have used the PowerShell cmdlet 'Set-AzSqlServerAudit' to apply this configuration and it works. But it fails in the ARM template.

Template snippet:

{
    "type": "Microsoft.sql/servers/auditingSettings",
    "apiVersion": "2020-08-01-preview",
    "name": "[concat(parameters('serverName'),'/Default')]",
    "dependsOn": [
        "[resourceId('Microsoft.sql/servers',parameters('serverName'))]"
    ],
    "properties": {
        "isDevopsAuditEnabled": false,
        "retentionDays": 0,
        "auditactionsAndGroups": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "Failed_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
        ],
        "isstorageSecondaryKeyInUse": false,
        "isAzureMonitorTargetEnabled": false,
        "state": "Enabled",
        "storageEndpoint": "[parameters('centralMonitoringStorageAccount')]",
        "storageAccountSubscriptionId": "[parameters('centralMonitoringStorageAccountSubscriptionId')]"
    }
},

Error

New-AzResourceGroupDeployment : 4:37:56 AM - Resource Microsoft.sql/servers/auditingSettings 'coe-extollo-apis-sqlserver-dev/Default' Failed with message '{
  "status": "Failed","error": {
    "code": "ResourceDeploymentFailure","message": "The resource operation completed with terminal provisioning state 'Failed'.","details": [
      {
        "code": "BlobAuditingInsufficientStorageAccountPermissions","message": "Insufficient read or write permissions on storage account 'xtocoeeucommonsdev'. Add permissions to the server Identity to the storage account."
      }
    ]
  }
}'

Solution

Regarding the issue: you did not add storageAccountAccessKey to the template, so the SQL server has no permission to access the storage account. If you do not add it, you need to enable the identity on the Azure SQL server and assign Storage Blob Data Contributor to that identity at the storage account level. Then SQL has permission to access the storage account. For details, see here.

So please update your template as follows.

{
    "type": "Microsoft.Sql/servers/auditingSettings",
    "apiVersion": "2020-08-01-preview",
    "name": "[concat(parameters('serverName'),'/Default')]",
    "dependsOn": [
        "[resourceId('Microsoft.Sql/servers',parameters('serverName'))]"
    ],
    "properties": {
        "isDevopsAuditEnabled": false,
        "retentionDays": 0,
        "auditActionsAndGroups": [
            "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
            "FAILED_DATABASE_AUTHENTICATION_GROUP",
            "BATCH_COMPLETED_GROUP"
        ],
        "isStorageSecondaryKeyInUse": false,
        "isAzureMonitorTargetEnabled": false,
        "state": "Enabled",
        "storageEndpoint": "[parameters('centralMonitoringStorageAccount')]",
        "storageAccountAccessKey": "<account key>",
        "storageAccountSubscriptionId": "[parameters('centralMonitoringStorageAccountSubscriptionId')]"
    }
},