stackoom
  简体   繁体   中英

How do you generate the signature for an Azure Blob storage SAS token in Python?

 原文  2016-12-22 14:47:08       python/ azure/ authentication/ azure-storage-blobs

Question

I am trying to build the SAS token required for a blob download URL in Python, following the instructions from MSDN .

My string to sign looks like:

r\n
2016-12-22T14%3A00%3A00Z\n
2016-12-22T15%3A00%3A00Z\n
%2Fblob%2Fmytest%2Fprivatefiles%2F1%2Fqux.txt\n
\n
\n
https\n
2015-12-11\n
\n
\n
\n
\n
_

I've added the newline symbols for clarity and the last line is supposed to be an empty line (with no newline at the end).

The Python method I use for signing the string is:

def sign(self, string):
    hashed = hmac.new(base64.b64decode(self.account_key), digestmod=sha256)
    hashed.update(string)
    base64_str = base64.encodestring(hashed.digest()).strip()
    return base64_str

The final URL I build looks like:

https://mytest.blob.core.windows.net/privatefiles/1/qux.txt?sv=2015-12-11&st=2016-12-22T14%3A00%3A00Z&se=2016-12-22T15%3A00%3A00Z&sr=b&sp=r&spr=https&sig=BxkcpoRq3xanEHwU6u5%2FYsULEtOCJebHmupUZaPmBgM%3D

Still, the URL fails with a 403. Any idea on what I am doing wrong?

4 answers

solution1
 7  2020-07-01 08:46:28

Update, with the latest storage python library, this is what I used to generate the sas token:

def generate_sas_token(file_name):
    sas = generate_blob_sas(account_name=AZURE_ACC_NAME,
                            account_key=AZURE_PRIMARY_KEY,
                            container_name=AZURE_CONTAINER,
                            blob_name=file_name,
                            permission=BlobSasPermissions(read=True),
                            expiry=datetime.utcnow() + timedelta(hours=2))

    logging.info('https://'+AZURE_ACC_NAME+'.blob.core.windows.net/'+AZURE_CONTAINER+'/'+file_name+'?'+sas)
    sas_url ='https://'+AZURE_ACC_NAME+'.blob.core.windows.net/'+AZURE_CONTAINER+'/'+file_name+'?'+sas
    return sas_url

Python 3.6 and azure-storage-blob package.

solution2
 6  2016-12-23 03:33:26

The easiest way to generate SAS token in python is to leverage Azure Storage SDK for Python . Please consider following code snippet:

import time
import uuid
import hmac
import base64
import hashlib
import urllib
from datetime import datetime, timedelta
from azure.storage import (
    AccessPolicy,
    ResourceTypes,
    AccountPermissions,
    CloudStorageAccount,
)
from azure.storage.blob import (
    BlockBlobService,
    ContainerPermissions,
    BlobPermissions,
    PublicAccess,
)

AZURE_ACC_NAME = '<account_name>'
AZURE_PRIMARY_KEY = '<account_key>'
AZURE_CONTAINER = '<container_name>'
AZURE_BLOB='<blob_name>'

def generate_sas_with_sdk():
    block_blob_service = BlockBlobService(account_name=AZURE_ACC_NAME, account_key=AZURE_PRIMARY_KEY)    
    sas_url = block_blob_service.generate_blob_shared_access_signature(AZURE_CONTAINER,AZURE_BLOB,BlobPermissions.READ,datetime.utcnow() + timedelta(hours=1))
    #print sas_url
    print 'https://'+AZURE_ACC_NAME+'.blob.core.windows.net/'+AZURE_CONTAINER+'/'+AZURE_BLOB+'?'+sas_url

generate_sas_with_sdk()

Furthermore, to generate SAS token via plain python script, you can refer to the source code at https://github.com/Azure/azure-storage-python/blob/master/azure/storage/sharedaccesssignature.py#L173 for more hints.

solution3
 3  2019-08-12 23:46:49

Here's an updated code snippet for Python3 and the updated Azure Storage Blob SDK:

from datetime import datetime, timedelta
from azure.storage.blob import (
    BlockBlobService,
    ContainerPermissions,
    BlobPermissions,
    PublicAccess,
)

AZURE_ACC_NAME = '<account_name>'
AZURE_PRIMARY_KEY = '<account_key>'
AZURE_CONTAINER = '<container_name>'
AZURE_BLOB='<blob_name>'

block_blob_service = BlockBlobService(account_name=AZURE_ACC_NAME, account_key=AZURE_PRIMARY_KEY)
sas_url = block_blob_service.generate_blob_shared_access_signature(AZURE_CONTAINER,AZURE_BLOB,permission=BlobPermissions.READ,expiry= datetime.utcnow() + timedelta(hours=1))
print('https://'+AZURE_ACC_NAME+'.blob.core.windows.net/'+AZURE_CONTAINER+'/'+AZURE_BLOB+'?'+sas_url)

solution4
 2 ACCPTED  2017-01-03 12:41:43

Based on the documentation (Please see Constructing the Signature String section), the parameters passed to string to sign must be URL decoded. From the link:

To construct the signature string of a shared access signature, first construct the string-to-sign from the fields comprising the request, then encode the string as UTF-8 and compute the signature using the HMAC-SHA256 algorithm. Note that fields included in the string-to-sign must be URL-decoded.

Please use un-encoded parameter values in your string to sign and that should fix the problem.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Generate SAS token for a directory in Azure blob storage in Python Azure Blob Storage: Download blob with SAS token How can I generate an Azure blob SAS URL in Python? Azure Blob Storage Python SDK MAC signature How to generate azure storage container SAS url using python Azure-blob-storage. Get access to container with SAS token Apply SAS Permissions on Azure Blob Storage Container in Python How to download a list of files from Azure Blob Storage given SAS URI and container name using Python? Generated sas token using python is not working for azure blob How do I authenticate a user against an Azure storage blob in python?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM