[英]OAuth token for REST API call to Azure Data Lake Storage Gen 2 using service principal
I'm working on an application (one of the core microservices) which will call the Azure ADLS Gen 2 to store files (in a filesystem) for further processing by other components.我正在开发一个应用程序(核心微服务之一),它将调用 Azure ADLS Gen 2 来存储文件(在文件系统中)以供其他组件进一步处理。
I'm trying to obtain an OAuth token for the authentication purposes by calling Azure authentication endpoint using the preliminarily created service principal.我正在尝试通过使用初步创建的服务主体调用 Azure 身份验证端点来获取用于身份验证的 OAuth 令牌。
The PowerShell code I'm using to create a service principal:我用来创建服务主体的 PowerShell 代码:
Add-AzAccount -Subscription <SUBSCRIPTION ID>
$sp = New-AzADServicePrincipal -DisplayName <PRINCIPAL NAME>
Sleep 20
New-AzRoleAssignment -RoleDefinitionName Contributor -ServicePrincipalName $sp.ApplicationId
$sp.ApplicationId
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($sp.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
I'm using the values of $sp.ApplicationId
as < Azure AD application client ID> and $UnsecureSecret
as < Azure AD application client secret>.我使用
$sp.ApplicationId
作为 < Azure AD 应用程序客户端 ID> 和$UnsecureSecret
作为 < Azure AD 应用程序客户端机密> 的值。
The Azure AD application is then configured with API permissions:然后使用 API 权限配置 Azure AD 应用程序:
I've added the Azure AD application as a STORAGE BLOB DATA CONTRIBUTOR to the storage account's IAM blade.我已将 Azure AD 应用程序作为 STORAGE BLOB DATA CONTRIBUTOR 添加到存储帐户的 IAM 边栏选项卡中。
Next, I'm going yo obtain an OAuth token.接下来,我要获取一个 OAuth 令牌。
Below are the calls I've made using Postman:以下是我使用 Postman 拨打的电话:
GET得到
https://login.microsoftonline.com/<TENANT ID>/oauth2/token
Headers标题
Content-Type: application/x-www-form-urlencoded
Request body请求正文
grant_type:client_credentials
client_id: <Azure AD application client ID>
client_secret: <Azure AD application client secret>
scope: https://storage.azure.com/.default
After this call I'm able to get the successful response:在这个电话之后,我能够得到成功的回应:
{
"token_type": "Bearer",
"expires_in": "3600",
"ext_expires_in": "3600",
"expires_on": "1574686915",
"not_before": "1574683015",
"resource": "00000002-0000-0000-c000-000000000000",
"access_token": "eyJ0eX<..>" .
}
Then I'm trying to create a filesystem by using the following request:然后我尝试使用以下请求创建文件系统:
PUT放
https://<STORAGE ACCOUNT NAME>.dfs.core.windows.net/<FILESYSTEM NAME>?resource=filesystem
Headers标题
Authorization: Bearer <JWT token>
x-ms-date: Mon, 25 Nov 2019 12:00:00 GMT
x-ms-version: 2019-02-02
And constantly getting the following error:并不断收到以下错误:
{
"error": {
"code": "InvalidAuthenticationInfo",
"message": "Server failed to authenticate the request.
Please refer to the information in the www-authenticate header.
\nRequestId:a6bf42d7-a01f-0006-1d88-a304da000000\nTime:2019-11-25T12:05:32.3049492Z"
}
}
I have tried different scopes but it doesn't help:我尝试了不同的范围,但没有帮助:
https://dfs.core.windows.net/.default
https://blob.core.windows.net/.default
I can reproduce your issue, the Contributor
RBAC role is enough, no need to add any API permission
, the issue was caused by the way you request the token, when using the v1.0
endpoint, you need to use resource: https://storage.azure.com/
.我可以重现你的问题,
Contributor
RBAC角色就够了,不需要添加任何API permission
,问题是你请求令牌的方式引起的,使用v1.0
端点时,你需要使用resource: https://storage.azure.com/
。
GET https://login.microsoftonline.com/<TENANT ID>/oauth2/token
grant_type:client_credentials
client_id: <Azure AD application client ID>
client_secret: <Azure AD application client secret>
resource: https://storage.azure.com/
Or you can change the request URL to v2.0
endpoint, it will also work.或者您可以将请求 URL 更改为
v2.0
端点,它也可以工作。
GET https://login.microsoftonline.com/<TENANT ID>/oauth2/v2.0/token
grant_type:client_credentials
client_id: <Azure AD application client ID>
client_secret: <Azure AD application client secret>
scope: https://storage.azure.com/.default
Test:测试:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.