使用 MSI 为 Azure 存储 Blob 创建 SAS 令牌时出错

Question

I'm trying to create a SAS token for a storage blob.我正在尝试为存储 blob 创建一个 SAS 令牌。 I use a StorageCredentials which was created with MSI (Managed Service Identity) to create the CloudBlobClient.我使用使用 MSI（托管服务标识）创建的 StorageCredentials 来创建 CloudBlobClient。 When creating the SAS I'm getting "Cannot create Shared Access Signature unless Account Key credentials are used".创建 SAS 时，我收到“除非使用帐户密钥凭据，否则无法创建共享访问签名”。 Is there support to SAS with MSI? MSI 是否支持 SAS？

var container = blobClient.GetContainerReference(containerName);
var blockBlob = container.GetBlockBlobReference(snapname);
var sas = string.Concat(blockBlob.Uri.ToString(), blockBlob.GetSharedAccessSignature(sasConstraints));

This is how I create the StorageCredentials:这就是我创建 StorageCredentials 的方式：

tokenCallback = CreateMsiCallback();
var initToken = await tokenCallback(audience);
return new StorageCredentials(
  new TokenCredential(initToken, async (state, token) =>
  {
    var accessToken = await _tokenCallback(audience);

    return new NewTokenAndFrequency(accessToken, TimeSpan.FromMinutes(1));
  }, null, TimeSpan.FromMinutes(1))
);

To create the token callback I use HttpClient要创建令牌回调，我使用 HttpClient

public Func<string, Task<string>> CreateMsiCallback()
{
  var handler = new HttpClientHandler
  {
     ServerCertificateCustomValidationCallback =
         (httpRequestMessage, cert, certChain, policyErrors) =>
         {
             if (policyErrors == SslPolicyErrors.None)
             {
                 return true;
             }

             return 0 == string.Compare(cert.GetCertHashString(), FabricThumbprint, StringComparison.OrdinalIgnoreCase);
        }
  };

     var client = new HttpClient(handler)
     {
         DefaultRequestHeaders =
         {
            {"secret", FabricAuthenticationCode }
         }
     };

     return async (resource) =>
     {
            var requestUri = $"{FabricMsiEndpoint}?api-version={FabricApiVersion}&resource={HttpUtility.UrlEncode(resource)}";
            var requestMessage = new HttpRequestMessage(HttpMethod.Get, requestUri);
            var response = await client.SendAsync(requestMessage);
            response.EnsureSuccessStatusCode();
            var tokenResponseString = await response.Content.ReadAsStringAsync();
            var tokenResponseObject =
                JsonConvert.DeserializeObject<ManagedIdentityTokenResponse>(tokenResponseString);
            
            return tokenResponseObject.AccessToken;
        };
    }
}

Answer 1

Based on this Github issue , you will need to assign Storage data roles to your MSI in order to generate SAS token.基于此Github issue ，您需要将存储数据角色分配给您的 MSI 以生成 SAS 令牌。 From this thread:从这个线程：

The error is because your oauth account don't have permission to generateUserDelegationKey.该错误是因为您的 oauth 帐户没有生成UserDelegationKey 的权限。 To get SAS with Oauth storage context (New-AzStorageContext -UseConnectedAuth), we need first generate UserDelegationKey from server, then use the key to generate the SAS token.要获得 SAS 和 Oauth 存储上下文（New-AzStorageContext -UseConnectedAuth），我们需要首先从服务器生成 UserDelegationKey，然后使用该密钥生成 Z2DB46C628CFB3BD1545CZ 令牌。

Please check have you assigned correct roles to the Oauth login user (with Connect-AzAccount).请检查您是否为 Oauth 登录用户（使用 Connect-AzAccount）分配了正确的角色。 like at least one of the following 4 roles on the specific storage account:至少喜欢特定存储帐户上的以下 4 个角色之一：

Storage Blob Data Owner存储 Blob 数据所有者

Storage Blob Data Contributor存储 Blob 数据贡献者

Storage Blob Data Reader存储 Blob 数据读取器

Storage Blob Delegator存储 Blob 委托人

使用 MSI 为 Azure 存储 Blob 创建 SAS 令牌时出错

问题描述

1 个解决方案

解决方案1
1 2021-05-05 09:51:41

使用 MSI 为 Azure 存储 Blob 创建 SAS 令牌时出错

问题描述

1 个解决方案

解决方案1 1 2021-05-05 09:51:41

解决方案1
1 2021-05-05 09:51:41