使用 rbac 服务主体进行身份验证会导致 403 访问群体验证失败。受众不匹配我正在尝试向应用程序授予对 Blob 存储容器的访问权限，但具有所需的最低权限（读取/写入）使用 azure cli，我已完成以下步骤来尝试此操作：az group create -l ${LOCATION} -n ${RESOURCE_GROUP_NAME}az role definition create --role-definition rw-blob-role.jsonrw-blob-role.json:{  "assignableScopes": [    "/subscriptions/{{SUBSCRIPTION_ID}}"  ],  "description": "Custom role to allow for read and write access to Azure Storage blob containers and data",  "name": "{{APP_RW_ROLE_NAME}}",  "permissions": [    {      "actions": [        "Microsoft.Storage/storageAccounts/blobServices/containers/read",        "Microsoft.Storage/storageAccounts/blobServices/containers/write"      ],      "dataActions": [        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"      ],      "notActions": [],      "notDataActions": []    }  ],  "type": "Microsoft.Authorization/roleDefinitions"}az ad sp create-for-rbac --name ${AZ_SERVICE_PRINCIPAL_NAME} --password ${APP_CLIENT_SECRET}az role assignment delete --assignee ${AZ_SERVICE_PRINCIPAL_NAME} --role Contributoraz role assignment create --assignee ${AZ_SERVICE_PRINCIPAL_NAME} --role ${APP_RW_ROLE_NAME}az storage account create --name ${STORAGE_ACCOUNT_NAME} --resource-group ${RESOURCE_GROUP_NAME} --location ${LOCATION} --kind BlobStorage --sku ${STORAGE_ACCOUNT_SKU} --access-tier ${STORAGE_ACCOUNT_ACCESS_TIER}az storage container create --name ${BLOB_STORAGE_CONTAINER} --account-name ${STORAGE_ACCOUNT_NAME} --public-access off从这里我保存以下属性以供我的应用程序使用：- TENANT_ID=“$（az account show --output tsv --query tenantId）”- CLIENT_ID=“$（az ad sp sp list --spn ${AZ_SERVICE_PRINCIPAL_NAME} --output tsv --query [0].appId）”- 客户端机密： ${APP_CLIENT_SECRET}- 资源： ${AZ_SERVICE_PRINCIPAL_NAME}- 存储帐户名称： ${STORAGE_ACCOUNT_NAME}- 容器名称： ${BLOB_STORAGE_CONTAINER}我很确定问题是AZ_SERVICE_PRINCIPAL_NAME传递给收购Token（）上的adal4j，但我不知道正确的值是什么。我已尝试在租户 AD 和服务主体上使用CLIENT_ID和其他属性。