Azure 身份访问 Blob 存储

huangapple go评论84阅读模式
英文:

Azure identity access to blob storage

问题

我在访问我的 Azure Blob 存储权限时遇到了问题。

我的应用程序位于 Azure 外部,需要访问 Azure Blob 存储以获取文件。

我已在 Azure AD 中注册了应用程序并拥有一个秘密密钥。
该秘密密钥在 1 年后过期。

我已设置环境变量 AZURE_CLIENT_ID、AZURE_CLIENT_SECRET 和 AZURE_TENANT_ID。

BlobServiceClient storageClient = new BlobServiceClientBuilder()
.endpoint("https://myaccount.blob.core.windows.net")
.credential(newDefaultAzureCredentialBuilder().build())
.buildClient();

BlobContainerClient blobContainerClient = storageClient.getBlobContainerClient("mycontainer");
BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
File destinationDir = new File("/somedir/");
File downloadedFile = new File(destinationDir, "Sample.pdf");

blobClient.downloadToFile(downloadedFile.getAbsolutePath(), true);

在尝试下载时,我遇到了以下问题:

状态代码 403,“<?xml version="1.0" encoding="utf-8"?>
<Error>
   <Code>AuthorizationPermissionMismatch</Code><Message>此请求未被授权执行此操作。
    RequestId:f0c2de14-401e-0050-0bfd-6f97ad000000
    Time:2020-08-11T16:34:29.1943093Z</Message></Error>”

我承认我现在有点困惑。我是否需要先获取令牌。我假设我已经拥有一切,因为示例非常明确,但我在搜索时看到了有关获取令牌的引用,也有些没有..

我还尝试使用 SAS,但遇到了相同的问题。我的帐户已设置为 Storage Blob 数据贡献者。

以下是使用 SAS 连接的示例

BlobServiceClient storageClient = new BlobServiceClientBuilder()
    .endpoint("https://mystorageaccount.blob.core.windows.net/?sv=2019-12-12&ss=b&srt=c&sp=rlx&se=2020-08-12T22:37:28Z&st=2020-08-12T14:37:28Z&spr=https&sig=<mysig>")
    .buildClient();

BlobContainerClient blobContainerClient = storageClient.getBlobContainerClient("mycontainer");
BlobClient blobClient = blobContainerClient.getBlobClient("Sample.pdf");
File destinationDir = new File("/mydir");
File downloadedFile = new File(destinationDir, "Sample.pdf");

blobClient.downloadToFile(downloadedFile.getAbsolutePath(), true);
英文:

I'm having an issue with permissions accessing my azure blob storage.

My application is sitting outside Azure and is going to acces Azure Blob storage to get the files.

I've registered the app in Azure AD and have a secret key.
The secret expired in 1 yr.

I have set up the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID.

    BlobServiceClient storageClient = new BlobServiceClientBuilder()
			                         .endpoint(&quot;https://myaccount.blob.core.windows.net&quot;)
			                         .credential(newDefaultAzureCredentialBuilder().build())
			                         .buildClient();
	 
	BlobContainerClient blobContainerClient =  storageClient.getBlobContainerClient(&quot;mycontainer&quot;);
	BlobClient blobClient = blobContainerClient.getBlobClient(&quot;Sample.pdf&quot;);
	File destinationDir = new File(&quot;/somedir/&quot;);
	File downloadedFile = new File(destinationDir, &quot;Sample.pdf&quot;);
	
	blobClient.downloadToFile(downloadedFile.getAbsolutePath(),true);

When trying to download I'm getting:

   &lt;Code&gt;AuthorizationPermissionMismatch&lt;/Code&gt;&lt;Message&gt;This request is not authorized to perform 
    this operation using this permission.
    RequestId:f0c2de14-401e-0050-0bfd-6f97ad000000
    Time:2020-08-11T16:34:29.1943093Z&lt;/Message&gt;&lt;/Error&gt;&quot;

I'll admit I'm now confused. Do I need to get a token first. I assumed I had everything since the examples were pretty explicit, but searching around I'm seeing references to getting a token and some not..

I also tried using SAS and I'm getting the same issue. I have Storage Blob Data Contributor set for my account.

Here is an example of the connection using SAS

     BlobServiceClient storageClient = new BlobServiceClientBuilder()						 
               .endpoint(&quot;https://mystorageaccount.blob.core.windows.net/?sv=2019- 
               12-12&amp;ss=b&amp;srt=c&amp;sp=rlx&amp;se=2020-08-12T22:37:28Z&amp;st=2020-08- 
                12T14:37:28Z&amp;spr=https&amp;sig=&lt;mysig&gt;&quot;)	
				 .buildClient();
		 
		BlobContainerClient blobContainerClient =  
                    storageClient.getBlobContainerClient(&quot;mycontainer&quot;);
		BlobClient blobClient = 
                   blobContainerClient.getBlobClient(&quot;Sample.pdf&quot;);
		File destinationDir = new File(&quot;/mydir&quot;);
		File downloadedFile = new File(destinationDir, &quot;Sample.pdf&quot;);
		
		blobClient.downloadToFile(downloadedFile.getAbsolutePath(),true);

答案1

得分: 1

You should assign the Blob Storage Contributor Role to the service principal associated with your Azure AD app.

UPDATE:

Not sure why Authenticate with Azure Identity doesn't work for you.

But if you use sasToken, make sure you have the enough permissions.

Please refer to my code:

BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
.endpoint("https://allen3545635.blob.core.windows.net/")
.sasToken("sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacupx&se=2020-08-13T15:18:15Z&st=2020-08-13T07:18:15Z&spr=https&sig=XXX")
.buildClient();

Remember to remove the "?" at the beginning of sasToken which is generated on Azure portal.

英文:

You should assign the Blob Storage Contributor Role to the service principal associated with your Azure AD app.

Azure 身份访问 Blob 存储

UPDATE:

Not sure why Authenticate with Azure Identity doesn't work for you.

But if you use sasToken, make sure you have the enough permissions.

Azure 身份访问 Blob 存储

Please refer to my code:

    BlobServiceClient blobServiceClient = new BlobServiceClientBuilder()
            .endpoint(&quot;https://allen3545635.blob.core.windows.net/&quot;)
            .sasToken(&quot;sv=2019-12-12&amp;ss=bfqt&amp;srt=sco&amp;sp=rwdlacupx&amp;se=2020-08-13T15:18:15Z&amp;st=2020-08-13T07:18:15Z&amp;spr=https&amp;sig=XXX&quot;)
            .buildClient();

Remember to remove the "?" at the beginning of sasToken which is generated on Azure portal.

答案2

得分: 0

All the code is correct. I spoke with MS Azure support. I missed setting the application permission. I had set my username permission by mistake. As usual, a simple fix.

So now using both secretKey and SAS work.

英文:

So all the code is correct. I spoke with MS Azure support. I missed setting the application permission. I had set my username permission by mistake.. As usual, a simple fix

So now using both secretKey and SAS work

huangapple
  • 本文由 发表于 2020年8月12日 01:12:20
  • 转载请务必保留本文链接:https://go.coder-hub.com/63363146.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定