问题
I am trying to get the keys for all the Storage Accounts in my subscription. But I am getting this exception on one of the Storage Account using Azure Java SDK.
com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '5c79ee27-#########-######91f8e3' with object id '5c79ee27-###########-#####91f8e3' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag'."}}: The client '5c79ee27-###########-#####91f8e3' with object id '5c79ee27-###########-#####91f8e3' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag'.
For most of the Storage Accounts I manage to get the keys. But for some of them the same error gets repeated. What does this mean?
回答1:
From the error you encountered, the server responded to your requests with HTTP 403 status code indicates that your request is Forbidden by the server.
HTTP 403 Status Code
A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code
(Section 6.5.3 of [RFC7231]).
This is most probably caused by some Role-Based Access Controls that are in place to prevent your account to perform the list storage account key actions for certain storage accounts based on your assigned role.
You can use the Azure PowerShell cmdlet below to verify whether the role assigned to your specific object under the specific scope has the permission to list the storage account keys.
Get-AzureRmRoleAssignment -Scope "/subscriptions/758ad253-#######f07/resourceGroups/spcwestus/providers/Microsoft.Storage/storageAccounts/grsstorag" -ObjectId 5c79ee27-###########-#####91f8e3
More information please refer to the link below:
Use Role-Based Access Control to manage access to your Azure subscription resources
来源:https://stackoverflow.com/questions/45448474/unable-to-programmatically-get-the-keys-for-azure-storage-account