Storage Account SAS while using Managed Identity

Question

My application runs as a Function App in Azure. There is a Storage Account, and the App connects to the storage account using Managed Identity (so no connection string is used).
Now I need to generate a SAS Url for the Queue (which lives in the Storage Account). The SAS Url should live for 30 days.

But I also need to make sure that the storage account access keys are being rotated.

I follow this approach https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azure-cli to rotate the keys.

In the case of connection string usage, it is clear how to swap the keys for SAS Url generation. We just need to change the connection string when the keys are rotated. Then we generate the SAS Url in the code, and it is generated based on the key which is stored in the connection string.

But how to do it in the case of Managed Identity access? How to select the key which is used for SAS Url generation?

Answer 1

Score: 1

> But how to do it in the case of Managed Identity access? How to select the key
> which is used for SAS Url generation?

In the case of Managed Identity access, you do not need to use access keys. The SAS URL will use the permissions assigned to the managed identity for generating the SAS URL. The SAS URL you will be generating is called a User Delegation SAS.

Here's the pseudocode for generating a user delegation SAS token on a blob container with read permission. The SAS token is valid for 1 hour.

using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

static async Task<Uri> GetContainerReadSasAsync()
{
    // Authenticate with the Function App's managed identity instead of an account key.
    var credentials = new ManagedIdentityCredential();
    // The credential belongs to the BlobServiceClient constructor, not to the Uri constructor.
    var blobServiceClient = new BlobServiceClient(new Uri("https://account.blob.core.windows.net"), credentials);
    var sasExpiry = DateTimeOffset.UtcNow.AddHours(1);
    // Ask the service for a user delegation key valid until sasExpiry; the request is authorized by the identity's token.
    var userDelegationKey = await blobServiceClient.GetUserDelegationKeyAsync(null, sasExpiry, CancellationToken.None);
    var containerClient = blobServiceClient.GetBlobContainerClient("containername");
    var sasBuilder = new BlobSasBuilder()
    {
        BlobContainerName = "containername",
        Resource = "c",   // "c" = SAS scoped to the whole container
        ExpiresOn = sasExpiry
    };
    sasBuilder.SetPermissions(BlobSasPermissions.Read);
    // Sign the SAS with the user delegation key (not an account key) and append it to the container URL.
    var blobUriBuilder = new BlobUriBuilder(containerClient.Uri)
    {
        Sas = sasBuilder.ToSasQueryParameters(userDelegationKey,
            blobServiceClient.AccountName)
    };
    return blobUriBuilder.ToUri();
}
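As an added example (not the answerer's code), the same user delegation approach carried through for a batch of blobs: one delegation key is fetched and reused for every SAS, and the requested lifetime is clamped to the 7-day maximum the service allows for a user delegation key. The account URL, container name and blob names are placeholders.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Added example, not the answerer's code. Account URL and container name are placeholders.
public static class DelegationSasIssuer
{
    // The service signs user delegation keys for at most 7 days, so no single user
    // delegation SAS can be valid longer than that; longer access needs re-issuing.
    private static readonly TimeSpan MaxKeyLifetime = TimeSpan.FromDays(7);

    // Issues one read-only SAS URL per blob name, all signed with a single user
    // delegation key fetched once (one service round-trip for the whole batch).
    public static async Task<Uri[]> IssueReadSasAsync(
        Uri accountUri, string containerName, string[] blobNames,
        TimeSpan requestedLifetime, CancellationToken ct)
    {
        var client = new BlobServiceClient(accountUri, new ManagedIdentityCredential());

        // Clamp the requested lifetime instead of letting the service reject it.
        var lifetime = requestedLifetime > MaxKeyLifetime ? MaxKeyLifetime : requestedLifetime;
        var expiresOn = DateTimeOffset.UtcNow.Add(lifetime);

        // The delegation key is obtained with the identity's Azure AD token; it is not
        // derived from the account keys, so rotating those does not invalidate this SAS.
        // The identity needs a role granting generateUserDelegationKey (e.g. Storage Blob Delegator).
        UserDelegationKey key = await client.GetUserDelegationKeyAsync(null, expiresOn, ct);

        var container = client.GetBlobContainerClient(containerName);
        var uris = new Uri[blobNames.Length];
        for (int i = 0; i < blobNames.Length; i++)
        {
            // Scope each SAS to a single blob ("b") rather than the whole container ("c").
            var builder = new BlobSasBuilder(BlobSasPermissions.Read, expiresOn)
            {
                BlobContainerName = containerName,
                BlobName = blobNames[i],
                Resource = "b",
            };
            uris[i] = new BlobUriBuilder(container.GetBlobClient(blobNames[i]).Uri)
            {
                Sas = builder.ToSasQueryParameters(key, client.AccountName)
            }.ToUri();
        }
        return uris;
    }
}
```

User delegation SAS is supported for Blob Storage (and Data Lake) only, so a SAS for the Queue in the question still has to be signed with an account key, which is why the key rotation concern does not go away for queues.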

huangapple
  • Posted on 1 June 2023 18:21:30
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76380917.html