
On Azure Storage, CanGenerateSasUri is always false

I have an ASP.Net Core 3.1 Web API which uses Azure Storage. For this, it was using the Microsoft.Azure.Storage.Blob library. The NuGet package manager informed me that this package was deprecated, and I should rather use Azure.Storage.Blobs. I did this, and proceeded to fix all the broken code as a result of this change. I didn't have many issues until I hit the code which generates a Shared Access Signature (SAS) for the client. Anyway, I managed to make it work, by following this code:

https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create?tabs=do.net

private static Uri GetServiceSasUriForContainer(BlobContainerClient containerClient,
                                          string storedPolicyName = null)
{
    // Check whether this BlobContainerClient object has been authorized with Shared Key.
    if (containerClient.CanGenerateSasUri)
    {
        // Create a SAS token that's valid for one hour.
        BlobSasBuilder sasBuilder = new BlobSasBuilder()
        {
            BlobContainerName = containerClient.Name,
            Resource = "c"
        };

        if (storedPolicyName == null)
        {
            sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
            sasBuilder.SetPermissions(BlobContainerSasPermissions.Read);
        }
        else
        {
            sasBuilder.Identifier = storedPolicyName;
        }

        Uri sasUri = containerClient.GenerateSasUri(sasBuilder);
        Console.WriteLine("SAS URI for blob container is: {0}", sasUri);
        Console.WriteLine();

        return sasUri;
    }
    else
    {
        Console.WriteLine(@"BlobContainerClient must be authorized with Shared Key 
                          credentials to create a service SAS.");
        return null;
    }
}

However, the line Uri sasUri = containerClient.GenerateSasUri(sasBuilder); was giving me an error, and after further research I instead used:

StorageSharedKeyCredential credential = new StorageSharedKeyCredential(storageAccountName, storageAccountKey);

However, I also had to comment out the line if (containerClient.CanGenerateSasUri) because it is always false. Apparently it's because "BlobContainerClient must be authorized with Shared Key credentials to create a service SAS." But as far as I know, I am using Shared Key credentials. I am not using Azure AD Authentication (even though I am aware this is the recommended method). My BlobServiceClient is being initialized like this:

string storageConnectionString = $"DefaultEndpointsProtocol=https;AccountName=propworx;AccountKey={storageAccountKey};EndpointSuffix=core.windows.net";
BlobServiceClient blobServiceClient = new BlobServiceClient(storageConnectionString);

Does anyone have any idea why CanGenerateSasUri is false?

"BlobContainerClient must be authorized with Shared Key credentials to create a service SAS." means that you should directly build the BlobContainerClient instead of BlobServiceClient with credentials, then pass it to the GetServiceSasUriForContainer method.

For example, use the code below:

        var storageAccountName = "xxx";
        var storageAccountKey = "xxx";
        var container_name = "xxx";

        StorageSharedKeyCredential credential = new StorageSharedKeyCredential(storageAccountName, storageAccountKey);

        //build the blob container url
        string blobcontainer_url = string.Format("https://{0}.blob.core.windows.net/{1}", storageAccountName, container_name);

        //directly build BlobContainerClient, then pass it to GetServiceSasUriForContainer() method
        BlobContainerClient blobContainer = new BlobContainerClient(new Uri(blobcontainer_url), credential);

        Uri mysasuri = GetServiceSasUriForContainer(blobContainer, null);

The test result: [screenshot]
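
An added example, not part of the original question or answers: a variant of the shared-key approach above that keeps the CanGenerateSasUri check and throws when it fails, instead of commenting the check out, and that scopes the SAS to read-only, HTTPS-only and a short lifetime. The class and method names (ContainerSas, CreateReadOnlySas) and the five-minute clock-skew allowance are assumptions made for this sketch.

```csharp
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

public static class ContainerSas
{
    // Hypothetical helper (not from the page). The account key should come from
    // configuration or a secret store, never from a literal in source code.
    public static Uri CreateReadOnlySas(string accountName, string accountKey,
                                        string containerName, TimeSpan lifetime)
    {
        var credential = new StorageSharedKeyCredential(accountName, accountKey);
        var containerUri = new Uri(
            $"https://{accountName}.blob.core.windows.net/{containerName}");

        // Build the container client directly with the shared key credential,
        // as the answer above describes.
        var containerClient = new BlobContainerClient(containerUri, credential);

        // Fail closed: if the client cannot sign, stop here rather than
        // skipping the check and failing later inside GenerateSasUri.
        if (!containerClient.CanGenerateSasUri)
        {
            throw new InvalidOperationException(
                "BlobContainerClient is not authorized with Shared Key credentials.");
        }

        var sasBuilder = new BlobSasBuilder
        {
            BlobContainerName = containerClient.Name,
            Resource = "c",                                   // c = container
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),  // assumed clock-skew allowance
            ExpiresOn = DateTimeOffset.UtcNow.Add(lifetime),
            Protocol = SasProtocol.Https                      // reject plain-HTTP use of the token
        };
        sasBuilder.SetPermissions(BlobContainerSasPermissions.Read);

        // The returned URI is a bearer credential: hand it to the caller,
        // but do not write it to logs or the console.
        return containerClient.GenerateSasUri(sasBuilder);
    }
}
```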

If you use IAM you have to generate your own token; for some reason the package doesn't like it.

    public Uri GetBlobSasUri(string fileLocation)
    {
        if (_options.UseIAM)
        {
            var userDelegationKey = _client.GetUserDelegationKey(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(15));
            var blobClient = _blobContainerClient.GetBlobClient(fileLocation);
            var sasBuilder = new BlobSasBuilder()
            {
                BlobContainerName = blobClient.BlobContainerName,
                BlobName = blobClient.Name,
                Resource = "b", // b for blob, c for container
                StartsOn = DateTimeOffset.UtcNow,
                ExpiresOn = DateTimeOffset.UtcNow.AddHours(2),
            };

            sasBuilder.SetPermissions(BlobSasPermissions.Read); // read permissions

            // Add the SAS token to the blob URI.
            var blobUriBuilder = new BlobUriBuilder(blobClient.Uri)
            {
                Sas = sasBuilder.ToSasQueryParameters(userDelegationKey, _client.AccountName)
            };

            return blobUriBuilder.ToUri();
        }
        else
        {

            BlockBlobClient blockClient = _blobContainerClient.GetBlockBlobClient(fileLocation);
            return blockClient.GenerateSasUri(BlobSasPermissions.Read, DateTime.UtcNow.AddMinutes(15));
        }

    }

This is taken from https://www.c-sharpcorner.com/article/generate-sas-token-for-azure-blob-storage-using-managed-identity/
