英文:
Azure identity access to blob storage
问题
我在访问我的 Azure Blob 存储权限时遇到了问题。
我的应用程序位于 Azure 外部,需要访问 Azure Blob 存储以获取文件。
我已在 Azure AD 中注册了应用程序并拥有一个秘密密钥。
该秘密密钥在 1 年后过期。
我已设置环境变量 AZURE_CLIENT_ID、AZURE_CLIENT_SECRET 和 AZURE_TENANT_ID。
BlobServiceClient storageClient = new BlobServiceClientBuilder()
.endpoint("https://myaccount.blob.core.windows.net")
.credential(newDefaultAzureCredentialBuilder().build())
.buildClient();
BlobContainerClient blobContainerClient = storageClient.getBlobContainerClient("mycontainer");
BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
File destinationDir = new File("/somedir/");
File downloadedFile = new File(destinationDir, "Sample.pdf");
blobClient.downloadToFile(downloadedFile.getAbsolutePath(), true);
在尝试下载时,我遇到了以下问题:
状态代码 403,“<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>AuthorizationPermissionMismatch</Code><Message>此请求未被授权执行此操作。
RequestId:f0c2de14-401e-0050-0bfd-6f97ad000000
Time:2020-08-11T16:34:29.1943093Z</Message></Error>”
我承认我现在有点困惑。我是否需要先获取令牌。我假设我已经拥有一切,因为示例非常明确,但我在搜索时看到了有关获取令牌的引用,也有些没有..
我还尝试使用 SAS,但遇到了相同的问题。我的帐户已设置为 Storage Blob 数据贡献者。
以下是使用 SAS 连接的示例
BlobServiceClient storageClient = new BlobServiceClientBuilder()
.endpoint("https://mystorageaccount.blob.core.windows.net/?sv=2019-12-12&ss=b&srt=c&sp=rlx&se=2020-08-12T22:37:28Z&st=2020-08-12T14:37:28Z&spr=https&sig=<mysig>")
.buildClient();
BlobContainerClient blobContainerClient = storageClient.getBlobContainerClient("mycontainer");
BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
File destinationDir = new File("/mydir");
File downloadedFile = new File(destinationDir, "Sample.pdf");
blobClient.downloadToFile(downloadedFile.getAbsolutePath(), true);
英文:
I'm having an issue with permissions accessing my azure blob storage.
My application is sitting outside Azure and is going to acces Azure Blob storage to get the files.
I've registered the app in Azure AD and have a secret key.
The secret expired in 1 yr.
I have set up the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID.
BlobServiceClient storageClient = new BlobServiceClientBuilder()
.endpoint("https://myaccount.blob.core.windows.net")
.credential(newDefaultAzureCredentialBuilder().build())
.buildClient();
BlobContainerClient blobContainerClient = storageClient.getBlobContainerClient("mycontainer");
BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
File destinationDir = new File("/somedir/");
File downloadedFile = new File(destinationDir, "Sample.pdf");
blobClient.downloadToFile(downloadedFile.getAbsolutePath(),true);
When trying to download I'm getting:
<Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform
this operation using this permission.
RequestId:f0c2de14-401e-0050-0bfd-6f97ad000000
Time:2020-08-11T16:34:29.1943093Z</Message></Error>"
I'll admit I'm now confused. Do I need to get a token first. I assumed I had everything since the examples were pretty explicit, but searching around I'm seeing references to getting a token and some not..
I also tried using SAS and I'm getting the same issue. I have Storage Blob Data Contributor set for my account.
Here is an example of the connection using SAS
BlobServiceClient storageClient = new BlobServiceClientBuilder()
.endpoint("https://mystorageaccount.blob.core.windows.net/?sv=2019-
12-12&ss=b&srt=c&sp=rlx&se=2020-08-12T22:37:28Z&st=2020-08-
12T14:37:28Z&spr=https&sig=<mysig>")
.buildClient();
BlobContainerClient blobContainerClient =
storageClient.getBlobContainerClient("mycontainer");
BlobClient blobClient =
blobContainerClient.getBlobClient("Sample.pdf");
File destinationDir = new File("/mydir");
File downloadedFile = new File(destinationDir, "Sample.pdf");
blobClient.downloadToFile(downloadedFile.getAbsolutePath(),true);
答案1
得分: 1
You should assign the Blob Storage Contributor Role to the service principal associated with your Azure AD app.
UPDATE:
Not sure why Authenticate with Azure Identity doesn't work for you.
But if you use sasToken, make sure you have the enough permissions.
Please refer to my code:
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
.endpoint("https://allen3545635.blob.core.windows.net/")
.sasToken("sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-08-13T15:18:15Z&st=2020-08-13T07:18:15Z&spr=https&sig=XXX")
.buildClient();
Remember to remove the "?" at the beginning of sasToken which is generated on Azure portal.
英文:
You should assign the Blob Storage Contributor Role to the service principal associated with your Azure AD app.
UPDATE:
Not sure why Authenticate with Azure Identity doesn't work for you.
But if you use sasToken, make sure you have the enough permissions.
Please refer to my code:
BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
.endpoint("https://allen3545635.blob.core.windows.net/")
.sasToken("sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-08-13T15:18:15Z&st=2020-08-13T07:18:15Z&spr=https&sig=XXX")
.buildClient();
Remember to remove the "?" at the beginning of sasToken which is generated on Azure portal.
答案2
得分: 0
All the code is correct. I spoke with MS Azure support. I missed setting the application permission. I had set my username permission by mistake. As usual, a simple fix.
So now using both secretKey and SAS work.
英文:
So all the code is correct. I spoke with MS Azure support. I missed setting the application permission. I had set my username permission by mistake.. As usual, a simple fix
So now using both secretKey and SAS work
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论