英文:
[NODEJS][AZURE] How to get sastoken url for a file and be able to access it. [Signature did not match.]
问题
我正在尝试从Azure Blob存储获取文件URL,但无法访问该文件。
所有过程都正常进行,但当我尝试访问资源时,它给我返回了一个错误消息。
<Error>
<Code>AuthenticationFailed</Code>
<Message>服务器未能验证请求。请确保Authorization标头的值正确构建,包括签名。 RequestId:8063ce3f-201e-002e-55e0-b8107c000000 Time:2023-07-17T18:56:27.6000553Z</Message>
<AuthenticationErrorDetail>签名不匹配。使用的要签名的字符串为racwd 2023-07-17T18:46:13Z 2023-07-17T19:06:13Z /blob/xonedevelopxpinc/xone-cloud-update-components-bucket 5e828bfd-766b-492b-bbf8-e96672fd8036 24617fec-7c4a-48f1-bba4-517594462cc4 2023-07-17T18:46:13Z 2023-07-17T19:06:13Z b 2023-01-03 2023-01-03 c </AuthenticationErrorDetail>
</Error>
这是我正在使用的代码:
const accountName = "teste";
const cloudUrl = process.env.AZURE_CLOUD_URL;
process.env.AZURE_CLOUD_URL = 'https://teste.blob.core.windows.net';
const getFileLink = async (bucketName, fileName) => {
const credential = new DefaultAzureCredential();
console.log(`${cloudUrl}/${bucketName}`);
const containerClient = new ContainerClient(`${cloudUrl}/${bucketName}`, credential);
var blobFound = {};
for await (const blob of containerClient.listBlobsFlat()) {
if (blob.name.toLowerCase() === fileName.toLowerCase()) {
blobFound = blob;
console.log('BLOB FOUND '+ blob.name);
}
}
const blobName = blobFound.name;
const blobClient = containerClient.getBlobClient(blobName);
// 最佳实践:设置时间限制
const TEN_MINUTES = 10 * 60 * 1000;
const NOW = new Date();
// 最佳实践:将开始时间设置为当前时间之前一点,以确保避免任何时钟问题
const TEN_MINUTES_BEFORE_NOW = new Date(NOW.valueOf() - TEN_MINUTES);
const TEN_MINUTES_AFTER_NOW = new Date(NOW.valueOf() + TEN_MINUTES);
const blobServiceClient = new BlobServiceClient(
`${cloudUrl}`,
credential
);
const userDelegationKey = await blobServiceClient.getUserDelegationKey(
TEN_MINUTES_BEFORE_NOW,
TEN_MINUTES_AFTER_NOW
);
const sasToken = generateBlobSASQueryParameters(
{
bucketName,
// blobName,
permissions: BlobSASPermissions.parse("racwd"),
startsOn: TEN_MINUTES_BEFORE_NOW,
expiresOn: TEN_MINUTES_AFTER_NOW
},
userDelegationKey,
blobClient.accountName
)
console.log(blobClient.accountName);
console.log('SASTOKEN');
console.log(sasToken);
console.log('URL');
console.log(
`${blobClient.url}?${sasToken.toString()}`
);
};
尝试启用对文件的访问权限,然后能够通过URL打开文件。
英文:
I'm trying to get a file url from a azure blob storage but I am not able to access the file.
All procces occurs normaly but when i try to acess the resource it get's me an error message.
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:8063ce3f-201e-002e-55e0-b8107c000000 Time:2023-07-17T18:56:27.6000553Z</Message>
<AuthenticationErrorDetail>Signature did not match. String to sign used was racwd 2023-07-17T18:46:13Z 2023-07-17T19:06:13Z /blob/xonedevelopxpinc/xone-cloud-update-components-bucket 5e828bfd-766b-492b-bbf8-e96672fd8036 24617fec-7c4a-48f1-bba4-517594462cc4 2023-07-17T18:46:13Z 2023-07-17T19:06:13Z b 2023-01-03 2023-01-03 c </AuthenticationErrorDetail>
</Error>
This is the code that I am using:
const accountName = "teste";
const cloudUrl = process.env.AZURE_CLOUD_URL;
process.env.AZURE_CLOUD_URL = 'https://teste.blob.core.windows.net';
const getFileLink = async (bucketName, fileName) => {
const credential = new DefaultAzureCredential();
console.log(`${cloudUrl}/${bucketName}`);
const containerClient = new ContainerClient(`${cloudUrl}/${bucketName}`, credential);
var blobFound = {};
for await (const blob of containerClient.listBlobsFlat()) {
if (blob.name.toLowerCase() === fileName.toLowerCase()) {
blobFound = blob;
console.log('BLOB FOUND '+ blob.name);
}
}
const blobName = blobFound.name;
const blobClient = containerClient.getBlobClient(blobName);
// Best practice: create time limits
const TEN_MINUTES = 10 * 60 * 1000;
const NOW = new Date();
// Best practice: set start time a little before current time to
// make sure any clock issues are avoided
const TEN_MINUTES_BEFORE_NOW = new Date(NOW.valueOf() - TEN_MINUTES);
const TEN_MINUTES_AFTER_NOW = new Date(NOW.valueOf() + TEN_MINUTES);
const blobServiceClient = new BlobServiceClient(
`${cloudUrl}`,
credential
);
const userDelegationKey = await blobServiceClient.getUserDelegationKey(
TEN_MINUTES_BEFORE_NOW,
TEN_MINUTES_AFTER_NOW
);
const sasToken = generateBlobSASQueryParameters(
{
bucketName,
// blobName,
permissions: BlobSASPermissions.parse("racwd"),
startsOn: TEN_MINUTES_BEFORE_NOW,
expiresOn: TEN_MINUTES_AFTER_NOW
},
userDelegationKey ,//userDelegationKey,
blobClient.accountName
)
console.log(blobClient.accountName);
console.log('SASTOKEN');
console.log(sasToken);
console.log('URL');
console.log(
`${blobClient.url}?${sasToken.toString()}`
);
};
Trying to enable access to the file and then be able to open via url
答案1
得分: 1
- 我尝试使用您的代码进行了少许更改,但仍然出现了相同的错误。
服务器未能验证请求。请确保 Authorization 标头的值正确组成,包括签名。
-
大多数情况下,上述错误发生在您使用共享访问签名 (SAS) 来访问 blob 时,请检查 SAS 令牌是否已过期。错误消息中包含时间戳 "2023-07-17T18:46:13Z" 和 "2023-07-17T19:06:13Z",表示 SAS 令牌的有效性开始和结束时间。请检查当前时间是否在此范围内。
-
在授予签名接收者相应级别的访问权限之前,请检查是否具有 RBAC 角色权限。请查看分配对 blob 数据的访问权限。
我尝试以下代码来检索具有 SAS 令牌 URL 的特定 blob/文件。
const { BlobServiceClient, generateBlobSASQueryParameters, BlobSASPermissions, StorageSharedKeyCredential } = require("@azure/storage-blob");
const account = "mynodestoreage";
const accountKey = "given_your_accountKey";
const containerName = "metacon";
const blobName = "100MiB.bin"; // 要生成 SAS 令牌的现有 blob 的名称
async function getBlobSasToken() {
// 使用帐户 URL 和帐户密钥创建 BlobServiceClient
const blobServiceClient = new BlobServiceClient(
`https://${account}.blob.core.windows.net`,
new StorageSharedKeyCredential(account, accountKey)
);
try {
// 获取容器的引用
const containerClient = blobServiceClient.getContainerClient(containerName);
// 获取现有 blob 的 BlobClient
const blobClient = containerClient.getBlobClient(blobName);
// 最佳实践:创建时间限制
const TEN_MINUTES = 10 * 60 * 1000;
const NOW = new Date();
// 最佳实践:将开始时间设置为当前时间之前一点,以确保避免任何时钟问题
const TEN_MINUTES_BEFORE_NOW = new Date(NOW.valueOf() - TEN_MINUTES);
const TEN_MINUTES_AFTER_NOW = new Date(NOW.valueOf() + TEN_MINUTES);
// 生成用于安全 SAS 令牌生成的用户委托密钥
const userDelegationKey = await blobServiceClient.getUserDelegationKey(
TEN_MINUTES_BEFORE_NOW,
TEN_MINUTES_AFTER_NOW
);
// 使用读取、添加、创建、写入和删除权限生成 blob 的 SAS 令牌
const sasToken = generateBlobSASQueryParameters(
{
containerName,
blobName,
permissions: BlobSASPermissions.parse("racwd"), // 读取、添加、创建、写入和删除权限
startsOn: TEN_MINUTES_BEFORE_NOW,
expiresOn: TEN_MINUTES_AFTER_NOW,
},
userDelegationKey,
account
);
// 通过将其附加到 blob URL 来生成完整的 SAS 令牌 URL
const sasTokenUrl = `${blobClient.url}?${sasToken.toString()}`;
return sasTokenUrl;
} catch (error) {
console.error("SAS 令牌生成期间发生错误:", error.message);
throw error;
}
}
async function main() {
try {
const sasTokenUrl = await getBlobSasToken();
console.log("生成的 SAS 令牌 URL:");
console.log(sasTokenUrl);
} catch (error) {
console.error("发生错误:", error.message);
}
}
main();
Packages:
npm install @azure/storage-blob
Output:
英文:
- I had tried with your code made little changes, but still the same error occurred with me as-well.
>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
-
Mostly, the above error occurs when you use a Shared Access Signature (SAS) to access the blob, check that the SAS token has not expired. The error message includes the timestamps "2023-07-17T18:46:13Z" and "2023-07-17T19:06:13Z," which represent the start and end times of the SAS token validity. Re-check that the current time is within the range.
-
Check whether you have the RBAC role permissions before you grant that level of access to your signature recipient. please check
Assign access to blob data
I had tried the below code to retrieve a specific blob/file of SAS token URL.
const { BlobServiceClient, generateBlobSASQueryParameters, BlobSASPermissions, StorageSharedKeyCredential } = require("@azure/storage-blob");
const account = "mynodestoreage";
const accountKey = "given_your_accountKey";
const containerName = "metacon";
const blobName = "100MiB.bin"; // The name of the existing blob you want to generate a SAS token for
async function getBlobSasToken() {
// Create a BlobServiceClient using the account URL and the account key
const blobServiceClient = new BlobServiceClient(
`https://${account}.blob.core.windows.net`,
new StorageSharedKeyCredential(account, accountKey)
);
try {
// Get a reference to the container
const containerClient = blobServiceClient.getContainerClient(containerName);
// Get the BlobClient for the existing blob
const blobClient = containerClient.getBlobClient(blobName);
// Best practice: create time limits
const TEN_MINUTES = 10 * 60 * 1000;
const NOW = new Date();
// Best practice: set start time a little before the current time to
// make sure any clock issues are avoided
const TEN_MINUTES_BEFORE_NOW = new Date(NOW.valueOf() - TEN_MINUTES);
const TEN_MINUTES_AFTER_NOW = new Date(NOW.valueOf() + TEN_MINUTES);
// Generate a user delegation key for secure SAS token generation
const userDelegationKey = await blobServiceClient.getUserDelegationKey(
TEN_MINUTES_BEFORE_NOW,
TEN_MINUTES_AFTER_NOW
);
// Generate the SAS token for the blob with read, add, create, write, and delete permissions
const sasToken = generateBlobSASQueryParameters(
{
containerName,
blobName,
permissions: BlobSASPermissions.parse("racwd"), // read, add, create, write, and delete permissions
startsOn: TEN_MINUTES_BEFORE_NOW,
expiresOn: TEN_MINUTES_AFTER_NOW,
},
userDelegationKey,
account
);
// Generate the full SAS token URL by appending it to the blob URL
const sasTokenUrl = `${blobClient.url}?${sasToken.toString()}`;
return sasTokenUrl;
} catch (error) {
console.error("Error occurred during SAS token generation:", error.message);
throw error;
}
}
async function main() {
try {
const sasTokenUrl = await getBlobSasToken();
console.log("Generated SAS Token URL:");
console.log(sasTokenUrl);
} catch (error) {
console.error("Error occurred:", error.message);
}
}
main();
Packages:
npm install @azure/storage-blob
Output:
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论