如何為 Azure 存儲生成帳戶 SAS 令牌?
[英]How to generate Account SAS token for Azure Storage?
問題描述
理想情況下,我想訪問存儲中的所有容器和 blob。 Account SAS 令牌是在我的代碼中在服務器端生成的。 客戶端會調用我在Node.js中創建的API來接收。 我看到您可以使用 Azure Shell 手動創建 SAS 令牌,但我更喜歡讓它生成服務端,因為將實施身份驗證。
在帳戶 SAS 生成文檔之后,它指出字符串到簽名應該這樣構造。
StringToSign = accountname + "\n" +
signedpermissions + "\n" +
signedservice + "\n" +
signedresourcetype + "\n" +
signedstart + "\n" + // optional
signedexpiry + "\n" +
signedIP + "\n" + // optional
signedProtocol + "\n" + // optional
signedversion + "\n"
文檔中的示例令牌(為了更好的可見性而分成多行) :
sv=2019-02-02&ss=bf&srt=s&st=2019-08-01T22%3A18%3A26Z
&se=2019-08-10T02%3A23%3A26Z&sr=b&sp=rw
&sip=168.1.5.60-168.1.5.70&spr=https
&sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B
從 Azure Shell 生成的令牌:
se=2019-11-15&sp=rwdlac&sv=2018-03-28&ss=b&srt=sco&sig=<hidden signature>
奇怪的是,在示例令牌中,首先提供了signedversion (sv) ,而在來自 Azure Shell 的令牌中提供了signedexpiry (se) 。
下面是用於生成令牌的代碼。 我嘗試遵循與來自 Azure Shell 的令牌相同的順序:
app.get('/sas-token', (req, res, next) => {
// const start = new Date(new Date().getTime() - (15 * 60 * 1000));
const end = new Date(new Date().getTime() + (30 * 60 * 1000));
const signedpermissions = 'rwdlac';
const signedversion = '2018-03-28';
const signedservice = 'b';
const signedresourcetype = 'sco';
// const signedstart = truncateIsoDate(start);
const signedexpiry = truncateIsoDate(end);
// const signedIP = '';
const signedProtocol = 'https';
const StringToSign = STORAGE_ACCOUNT_NAME + "\n" +
signedpermissions + "\n" +
signedservice + "\n" +
signedresourcetype + "\n" +
// signedstart + "\n" +
signedexpiry + "\n" +
// signedIP + "\n" +
signedProtocol + "\n" +
signedversion + "\n"
const key = new Buffer(ACCOUNT_ACCESS_KEY, 'base64');
let sig = crypto.createHmac('sha256', key).update(StringToSign, 'utf8').digest('base64');
let sas =
`se=${signedexpiry}
&sp=${(signedpermissions)}
&sv=${(signedversion)}
&ss=${(signedservice)}
&srt=${(signedresourcetype)}
&sig=${encodeURIComponent(sig)}`;
res.json({
storageUri: STORAGE_ACCOUNT_NAME,
storageAccessToken: sas
});
});
當我的客戶最終使用生成的 SAS 令牌發出請求時,我收到一個錯誤:
403 (Server failed to authenticate the request.
Make sure the value of Authorization header is formed correctly including the signature.)
是否可以為 Node.js 中的 Blob 存儲生成帳戶 SAS 令牌?
2 個解決方案
解決方案1
7 已采納 2019-11-13 05:49:55
根據我的研究,我們可以使用 Azure storage SDK azure-storage 。 更多詳情請參考https://github.com/Azure/azure-storage-node/blob/0557d02cd2116046db1a2d7fc61a74aa28c8b557/test/accountsas-tests.js 。
var storage = require("azure-storage")
var startDate = new Date();
var expiryDate = new Date();
startDate.setTime(startDate.getTime() - 5*60*1000);
expiryDate.setTime(expiryDate.getTime() + 24*60*60*1000);
var AccountSasConstants = storage.Constants.AccountSasConstants;
var sharedAccessPolicy = {
AccessPolicy: {
Services: AccountSasConstants.Services.BLOB ,
ResourceTypes: AccountSasConstants.Resources.SERVICE +
AccountSasConstants.Resources.CONTAINER +
AccountSasConstants.Resources.OBJECT,
Permissions: AccountSasConstants.Permissions.READ +
AccountSasConstants.Permissions.ADD +
AccountSasConstants.Permissions.CREATE +
AccountSasConstants.Permissions.WRITE +
AccountSasConstants.Permissions.DELETE +
AccountSasConstants.Permissions.LIST,
Protocols: AccountSasConstants.Protocols.HTTPSORHTTP,
Start: startDate,
Expiry: expiryDate
}
};
const accountname ="blobstorage0516";
const key = "";
var sas =storage.generateAccountSharedAccessSignature(accountname,key,sharedAccessPolicy);
console.log(sas);
此外,如果您不想使用 SDK 生成 SAS 令牌,請注意,如果我們不使用StringToSign中的一個屬性,則不能省略\n並且我們在創建 ZA8A64CEF26AB72A0 時應使用StringToSign中提供的屬性。 例如
const accountname ="blobstorage0516";
const key = "";
const start = new Date(new Date().getTime() - (15 * 60 * 1000));
const end = new Date(new Date().getTime() + (30 * 60 * 1000));
const signedpermissions = 'rwdlac';
const signedservice = 'b';
const signedresourcetype = 'sco';
const signedexpiry = end.toISOString().substring(0, end.toISOString().lastIndexOf('.')) + 'Z';
const signedProtocol = 'https';
const signedversion = '2018-03-28';
const StringToSign =
accountname + '\n' +
signedpermissions + '\n' +
signedservice + '\n' +
signedresourcetype + '\n' +
'\n' +
signedexpiry + '\n' +
'\n' +
signedProtocol + '\n' +
signedversion + '\n';
let sig = crypto.createHmac('sha256', Buffer.from(key, 'base64')).update(StringToSign, 'utf8').digest('base64');
let sasToken =
`sv=${(signedversion)}&ss=${(signedservice)}&srt=${(signedresourcetype)}&sp=${(signedpermissions)}&se=${encodeURIComponent(signedexpiry)}&spr=${(signedProtocol)}&sig=${encodeURIComponent(sig)}`;
console.log(sasToken)
var storageBlobEndpoint = "https://"+ accountname +".blob.core.windows.net"
var container="blobcontainer";
var blobName="CP4.png";
var requestURL = storageBlobEndpoint + "/" + container + "/" + blobName +"?"+sasToken
console.log(requestURL)
更新
根據我的測試,我們可以使用上面代碼創建的 sas 令牌對 Azure blob 存儲進行 smoe 操作。 例如
1.列表容器
Get https://<your account>.blob.core.windows.net/?comp=list+ "&"+"<your sas token>"
2.獲取容器屬性
Get https://<your account>.blob.core.windows.net/<your container>?restype=container&comp=list +"&" +"<your sas token>"
此外,關於如何使用新的 sdk
@azure/storage-blob創建 SAS 令牌,請參考以下代碼
const accountname ="blobstorage0516";
const key = "";
const signedpermissions = 'rwdlac';
const signedservice = 'b';
const signedresourcetype = 'sco';
const signedProtocol = 'https';
const signedversion = '2018-03-28';
const cerds = new storage.StorageSharedKeyCredential(accountname,key);
var startDate = new Date();
var expiryDate = new Date();
startDate.setTime(startDate.getTime() - 5*60*1000);
expiryDate.setTime(expiryDate.getTime() + 24*60*60*1000);
expiryDate.setTime(expiryDate.getTime() + 24*60*60*1000);
var result = storage.generateAccountSASQueryParameters({
expiresOn : expiryDate,
permissions: storage.AccountSASPermissions.parse(signedpermissions),
protocol: storage.SASProtocol.Https,
resourceTypes: storage.AccountSASResourceTypes.parse(signedresourcetype).toString(),
services: storage.AccountSASServices.parse(signedservice).toString(),
startsOn: startDate,
version:signedversion
},cerds).toString();
console.log(result);
解決方案2
0 2019-11-13 03:08:07
嘗試使用@azure/storage-blob npm package
const sasString = generateAccountSASQueryParameters({... }, sharedKeyCredential).toString()
如何使用 Javascript ZF20E3C5E54C0AB3D96F5D660B36 為 Azure 存儲生成用戶委托 SAS
[英]How to generate user delegation SAS for Azure Storage using Javascript SDK
Azure 存儲 SAS 令牌在 localhost 上工作,但在部署在 Azure Z30136395F018719317C521 上時不起作用
[英]Azure Storage SAS token working on localhost but not when deployed on Azure Kubernetes
使用SAS令牌從瀏覽器訪問/更新Azure Blob存儲是否安全?
[英]Is it safe to access/update Azure Blob storage from browser using SAS token?
如何為Azure表存儲REST請求生成SharedKeyLite
[英]How to generate SharedKeyLite for Azure Table Storage REST request
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
如何在jQuery應用程序中為天藍色表存儲創建sas_token
如何使用 Javascript ZF20E3C5E54C0AB3D96F5D660B36 為 Azure 存儲生成用戶委托 SAS
在ViewerJs中將Azure存儲文件與SAS令牌一起使用
Azure 存儲 SAS 令牌在 localhost 上工作,但在部署在 Azure Z30136395F018719317C521 上時不起作用
使用JS生成Azure Blob存儲SA令牌
使用SAS令牌從瀏覽器訪問/更新Azure Blob存儲是否安全?
從 JavaScript 代碼生成 SAS 令牌?
在JavaScript(PhoneGap)中為Azure存儲創建SAS
如何為Azure表存儲REST請求生成SharedKeyLite
使用SAS密鑰直接從客戶端上載到Azure存儲
相關標簽