
How to fetch token for azure storage account access via azure active directory using service principal or oauth2?

I am looking for examples to fetch an access token for Azure storage account access via Azure Active Directory with a service principal in Python.

It seems like https://github.com/AzureAD/azure-activedirectory-library-for-python/blob/dev/sample/client_credentials_sample.py doesn't support service principal access.

Are there other ways of fetching a token via a service principal?

• Yes, you can surely fetch an access token for an Azure storage account via Azure Active Directory using a service principal, i.e., an app registration, by following the steps given in the documentation link below:

https://docs.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service

As per the above documentation, you will have to host your Python application code in a web app service and create a system-assigned managed identity for it. Once created, an application will be created in Azure AD with the same 'Object ID' as shown in the managed identity section of the web app service. Before moving on to this application created in Azure AD, assign the required roles to this system-assigned managed identity through the 'IAM' tab. So, in your case, you should assign the role of 'Storage Account Contributor' to the 'System-assigned managed identity' created for the web app service.

• Once the role has been assigned, go to 'Enterprise application' and search for the 'Object ID' of the managed identity; you will encounter an application with the name of the web app service. In it, go to 'Permissions' under the 'Security' tab and assign the required permissions and admin consent to the application. The permissions shown are those that are allowed under the scope of 'Storage Account Contributor', and similarly, you must assign permissions from it to the app/service principal. Then ensure that you are correctly calling the environment variables of this application created in Azure AD regarding the managed identity, and implement 'DefaultAzureCredential' from the 'azure.identity' module. For this purpose, kindly refer to the subsection of the above documentation below:

https://docs.microsoft.com/en-us/azure/developer/python/sdk/authentication-azure-hosted-apps?tabs=azure-portal%2Cazure-app-service#3---implement-defaultazurecredential-in-your-application

In this way, you can fetch an access token for the Azure storage account via Azure Active Directory using a service principal.
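An added example, not from the question, the answer, or any Azure library: the raw OAuth2 client-credentials exchange that a service principal (app registration) performs against Azure AD to get a bearer token scoped to Azure Storage, in Python with only the standard library. It assumes the tenant id, client id and client secret are supplied through environment variables (never hard-coded), and the JSON token response used below is constructed.

```python
"""Service-principal (client_credentials) token for Azure Storage, stdlib only."""
import json
import os
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
STORAGE_SCOPE = "https://storage.azure.com/.default"  # v2 scope for Azure Storage


def build_token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form-encoded body) for the OAuth2 client_credentials grant."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": STORAGE_SCOPE,
    }).encode()
    return url, body


def parse_token_response(raw: bytes) -> dict:
    """Extract the bearer token and its lifetime; surface AAD error responses."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token request failed: {data.get('error_description', data['error'])}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type in response")
    return {"access_token": data["access_token"], "expires_in": int(data["expires_in"])}


def storage_headers(access_token: str) -> dict:
    """Headers for a Blob REST call; service version is an assumption (any >= 2017-11-09)."""
    return {"Authorization": f"Bearer {access_token}", "x-ms-version": "2020-10-02"}


def fetch_storage_token() -> dict:
    """Live call: secret comes from AZURE_CLIENT_SECRET, so it never lives in source."""
    url, body = build_token_request(os.environ["AZURE_TENANT_ID"],
                                    os.environ["AZURE_CLIENT_ID"],
                                    os.environ["AZURE_CLIENT_SECRET"])
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())
```

Grant the service principal a storage data role (for example Storage Blob Data Reader) on the account rather than a broad contributor role, and treat the token as a short-lived secret: `expires_in` tells you when to request a new one.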
