使用服务主体访问 Azure Blob 存储
tam*_*203 5 azure azure-active-directory azure-blob-storage
我想通过使用来自活动目录服务主体的凭据从 python 访问私有 blob 存储。
我知道这个相关问题How do I authenticate a user against an Azure storage blob in python? 这帮助我走到了这一步,但现在我陷入了困境。
我可以进行身份验证并获取令牌,该令牌允许我列出容器、创建新容器,但不允许我列出或访问任何 blob。
我希望通过 cli 进行设置az。
服务主体的设置如下:
az ad sp create-for-rbac -n "http://$NAME" --role Contributor \
--scopes "/subscriptions/$SUB_ID/resourceGroups/$RESOURCE_GROUP"
我认为应该提供完全访问权限,但我还添加了以下内容以确保:
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee-object-id "$OBJECT_ID" \
--assignee-principal-type "ServicePrincipal" \
--scope "/subscriptions/$SUB_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT/blobServices/default/containers/$CONTAINER"
然后我像这样进行身份验证:
from azure.common.credentials import ServicePrincipalCredentials
import adal
from azure.storage.blob import (
BlockBlobService,
ContainerPermissions,
)
from azure.storage.common import (
TokenCredential
)
# Tenant ID for your Azure Subscription
TENANT_ID = TENANT
# Your Service Principal App ID
CLIENT = APP_ID
# Your Service Principal Password
KEY = PASSWORD
# RESOURCE = "https://storage.azure.com/" # using this resource has the same behaviour as uncommented one. Using no resource fails with authentication errors
RESOURCE = f"https://{ACCOUNT_NAME}.blob.core.windows.net"
credentials = ServicePrincipalCredentials(
client_id = CLIENT,
secret = KEY,
tenant = TENANT_ID,
resource = RESOURCE
)
tokenCre = TokenCredential(credentials.token["access_token"])
然后我尝试像这样使用 blob 服务
blobService = BlockBlobService(account_name=ACCOUNT_NAME, token_credential=tokenCre)
print ([c.name for c in blobService.list_containers()]) # successfully lists containers
print(blobService.create_container('test')) # prints "True" and the container is created
blobService.list_blobs(CONTAINER_NAME) # fails with AzureHttpError: This request is not authorized to perform this operation using this permission. ErrorCode: AuthorizationPermissionMismatch
blobService.get_blob_to_bytes("test", "hello.txt") # fails with same error
如上面的代码块所示,我似乎能够执行“容器”级别的操作,但不能执行“blob”级别的操作。任何诸如列出 blob、读取 blob 等操作都会出现错误:
AzureHttpError: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. ErrorCode: AuthenticationFailed
<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:86ff0241-c01e-00d4-512c-6e22b5000000
Time:2019-09-18T14:20:23.5619727Z</Message><AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail></Error>
有任何想法吗?
如果要使用 Azure AD 访问令牌来访问 Azure 存储,则必须为资源分配必要的存储 ** 角色(在第二个 az 命令中执行此操作)。
但是,在第二个 az 命令中:
az role assignment create \
--role "Storage Blob Data Contributor" \
--assignee-object-id "$OBJECT_ID" \
--assignee-principal-type "ServicePrincipal" \
--scope "/subscriptions/$SUB_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT/blobServices/default/containers/$CONTAINER"
您只需将范围设置为特定容器:$CONTAINER。因此,您只能访问该容器下的 blob。
我测试了一下,并成功了。
from azure.common.credentials import ServicePrincipalCredentials
import adal
from azure.storage.blob import (
BlockBlobService,
ContainerPermissions,
)
from azure.storage.common import (
TokenCredential
)
# Tenant ID for your Azure Subscription
TENANT_ID = "e4c9****-****-****-****-230b****57fb"
# Your Service Principal App ID
CLIENT = "3bee****-****-****-****-b0b8****f7a4"
# Your Service Principal Password
KEY = "*******************"
ACCOUNT_NAME = "storagetest789"
CONTAINER_NAME = "newcontainer"
RESOURCE = "https://storage.azure.com/"
credentials = ServicePrincipalCredentials(
client_id = CLIENT,
secret = KEY,
tenant = TENANT_ID,
resource = RESOURCE
)
tokenCre = TokenCredential(credentials.token["access_token"])
blobService = BlockBlobService(account_name=ACCOUNT_NAME, token_credential=tokenCre)
print("\nList blobs in the container")
generator = blobService.list_blobs(CONTAINER_NAME)
for blob in generator:
print("\t Blob name: " + blob.name)
print("\nOutput test.txt")
blob = blobService.get_blob_to_text(CONTAINER_NAME, "test.txt")
print(blob.content)
结果:
如果我尝试访问其他容器,我将得到与您相同的错误。但我不知道为什么允许容器创建操作。这似乎是访问控制的疏忽。
如果您想管理整个存储帐户,则需要将存储帐户范围分配给您的服务主体。然后您可以访问该存储帐户中的其他容器。
| 归档时间: |
|
| 查看次数: |
16359 次 |
| 最近记录: |