我正在尝试使用managedIdentity从VM规模集自定义脚本中的私有容器下载blob。这是我的terraform代码：

# https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux#property-values
resource "azurerm_virtual_machine_scale_set_extension" "res-extension" {
  depends_on = [
        azurerm_storage_blob.example
    ]

  name                         = "nn-extension"
  virtual_machine_scale_set_id = module.vmss.vmss.id
  publisher                    = "Microsoft.Azure.Extensions"
  type                         = "CustomScript"
  type_handler_version         = "2.1"

  protected_settings = jsonencode({
      "fileUris" = ["${azurerm_storage_blob.example.url}"],
      "commandToExecute" = "sh createfile.sh ; ls -al",
      "managedIdentity" : { "objectId": module.vmss.vmss.identity.0.principal_id }
    }
  )
}

但是，它失败了，并显示以下消息：

"Error message: \"Enable failed: processing file downloads failed: failed to download file[0]: failed to download response and write to file: /var/lib/waagent/custom-script/download/1/createfile: failed to create http request: Unable to get managed identity with object id 2c8.....8. Please make sure that the user assigned managed identity is added to the VM"

我在门户中进行了检查，我在VM规模集上有一个活动的托管身份，具有匹配的主体ID。
当我将设置更改为使用'clientId'而不是'objectId'时，它会抛出类似的错误。
那么，是否可以使用托管身份来下载blob？或者我必须将用户分配的身份分配给规模集中的各个VM示例或其他东西吗？？
有人有这方面的经验吗？