英文:
Azure blob storage returns Unauthorized with SAS generated URL
问题
我试图生成一个URL,用户可以访问 Azure Blob 存储容器中的文件。Blob 存储容器受到严格的IP地址限制,然后我正在构建的服务将管理请求并生成用户可以直接访问文件的URL。以下是用于生成URL的代码(我认为代码本身可能是正确的)。
CloudBlobContainer container = BlobStorage.GetContainer(_accountStatementEmailConfig.BlobStorageContainerName);
CloudBlockBlob blob = container.GetBlockBlobReference(document.StoragePath);
if (!blob.Exists())
{
return NotFound();
}
TimeSpan sasExpiryTime = TimeSpan.FromMinutes(_apiConfig.PresignedURLExpiryInMinutes);
SharedAccessBlobPermissions permissions = SharedAccessBlobPermissions.Read;
string sasToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy
{
Permissions = permissions,
SharedAccessExpiryTime = DateTime.UtcNow.Add(sasExpiryTime)
}, new SharedAccessBlobHeaders(), _apiConfig.SharedAccessSignaturePermissionsPolicyName);
string documentUrl = $"{blob.Uri.AbsoluteUri}{sasToken}";
该代码生成URL没有问题,但当用户访问URL时,他们会收到以下错误:
<Error>
<Code>AuthorizationFailure</Code>
<Message>
This request is not authorized to perform this operation. RequestId:92d7ca35-501e-0016-2a65-973659000000 Time:2023-06-01T08:43:35.2439678Z
</Message>
</Error>
也许我对共享访问签名(SAS)的错误假设是,令牌将允许我绕过IP限制,因为我是从白名单IP生成URL。我是否采取了错误的方法,还是有一些我忽视的小问题?
英文:
I am trying to generate a URL where users can access a file that is in a blob storage container on Azure. The blob storage container is heavily restricted by IP address, and then the service I'm building will manage requests and generate a URL where users can access the file directly. Here is the code used to generate the URL (I think the code itself is probably fine).
CloudBlobContainer container = BlobStorage.GetContainer(_accountStatementEmailConfig.BlobStorageContainerName);
CloudBlockBlob blob = container.GetBlockBlobReference(document.StoragePath);
if (!blob.Exists())
{
return NotFound();
}
TimeSpan sasExpiryTime = TimeSpan.FromMinutes(_apiConfig.PresignedURLExpiryInMinutes);
SharedAccessBlobPermissions permissions = SharedAccessBlobPermissions.Read;
string sasToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy
{
Permissions = permissions,
SharedAccessExpiryTime = DateTime.UtcNow.Add(sasExpiryTime)
}, new SharedAccessBlobHeaders(), _apiConfig.SharedAccessSignaturePermissionsPolicyName);
string documentUrl = $"{blob.Uri.AbsoluteUri}{sasToken}";
The code generates the URL fine, but when a user goes to the URL they receive the following error:
<Error>
<Code>AuthorizationFailure</Code>
<Message>
This request is not authorized to perform this operation. RequestId:92d7ca35-501e-0016-2a65-973659000000 Time:2023-06-01T08:43:35.2439678Z
</Message>
</Error>
It was perhaps my incorrect assumption about SAS that the token would allow me to bypass the IP restrictions since I am generating the URL from a whitelisted IP. Am I taking the incorrect approach, or is there something minor I am overlooking?
答案1
得分: 0
正如Gaurav Mantri在评论中指出的那样,问题在于我对Azure处理权限的理解,因为我之前的所有经验都来自于AWS。
在Azure中,存储账户和容器有单独的访问级别。可以通过将存储账户设置为公开,将每个单独的容器设置为私有来实现类似于AWS的私有+预签名URL选项的功能。然后使用生成的SAS URL来访问文件。
英文:
As Gaurav Mantri pointed out in comments, the issue is my understanding of how Azure handles permissions since all of my previous experience is from AWS.
In Azure the storage account and the containers have separate access levels. Can achieve similar functionality to AWS's private + presignedURL option by setting the Storage Account to public, and each of the individual containers to private. Then using the generated SAS URL to access the file.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论