Azure sdk for Java 如何设置用户委派密钥和共享身份验证签名 SAS

Posted 2023-02-19

【中文标题】Azure sdk for Java 如何设置用户委派密钥和共享身份验证签名 SAS

【英文标题】：Azure sdk for Java How to Setup User Delegation Key and Shared Authentication Signatures SAS

【发布时间】：2021-01-22 07:30:33

【问题描述】：

以下代码在最后一行抛出异常：

            // Create a BlobServiceClient object which will be used to create a container client
            System.out.println(String.format("Connection String %s", connectStr));
            blobServiceClient = new BlobServiceClientBuilder().connectionString(connectStr).buildClient();

            // Get a user delegation key for the Blob service that's valid for seven days.
            // You can use the key to generate any number of shared access signatures over the lifetime of the key.
            keyStart = OffsetDateTime.now();
            keyExpiry = OffsetDateTime.now().plusHours(7);
 error ->   userDelegationKey = blobServiceClient.getUserDelegationKey(keyStart, keyExpiry);

例外： </Message><AuthenticationErrorDetail>Only authentication scheme Bearer is supported</AuthenticationErrorDetail></Error>"

Caused by: com.azure.storage.blob.models.BlobStorageException: Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthenticationFailed</Code><Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:d375b3bf-b01e-0044-1191-9c75a8000000

我尝试将 .NET 教程改编为 Java，但到目前为止没有运气。

这个错误似乎与 REST API 调用有关，有什么想法吗？

【参考方案1】：

因此，经过多次尝试，使用存储帐户的连接字符串使用用户委派密钥不起作用。我必须注册一个应用程序并添加新的应用程序环境变量。最后，在 IAM 控制面板中检查正确的权限。

在我的例子中，我使用的是带有 Spring 的 Azure，

仅添加了以下依赖项：

        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-storage-blob</artifactId>
            <version>12.8.0</version>
        </dependency>
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-identity</artifactId>
            <version>1.1.2</version>
        </dependency>

在 Azure 上创建/注册应用 使用证书和机密创建应用的客户端机密。 在环境变量中存储应用程序客户端 ID、租户 ID 和客户端密码 即在 macOS 上：

export AZURE_CLIENT_ID="xxxxxxx"
launchctl setenv AZURE_CLIENT_ID $AZURE_CLIENT_ID

export AZURE_TENANT_ID="xxxxxxx"
launchctl setenv AZURE_TENANT_ID $AZURE_TENANT_ID 

export AZURE_CLIENT_SECRET="xxxxxxx"
launchctl setenv AZURE_CLIENT_SECRET $AZURE_CLIENT_SECRET

为存储帐户的用户和应用添加正确的Storage Blob Data Contributor 角色分配。 see this

现在可以使用以下代码生成用户委托密钥和示例容器 SAS：

String endpoint = String.format(Locale.ROOT, "https://%s.blob.core.windows.net", "accountName");

// Create a BlobServiceClient object which will be used to create a container client
blobServiceClient = new BlobServiceClientBuilder().endpoint(endpoint)
        .credential(new DefaultAzureCredentialBuilder().build()).buildClient();

// Get a user delegation key for the Blob service that's valid for seven days.
// You can use the key to generate any number of shared access signatures over the lifetime of the key.
keyStart = OffsetDateTime.now();
keyExpiry = OffsetDateTime.now().plusDays(7);
userDelegationKey = blobServiceClient.getUserDelegationKey(keyStart, keyExpiry);

BlobContainerSasPermission blobContainerSas = new BlobContainerSasPermission();
blobContainerSas.setReadPermission(true);
BlobServiceSasSignatureValues blobServiceSasSignatureValues = new BlobServiceSasSignatureValues(keyExpiry,
        blobContainerSas);
BlobContainerClient blobContainerClient = blobServiceClient.getBlobContainerClient("containerName");
if (!blobContainerClient.exists())
    blobContainerClient.create();

String sas = blobContainerClient
        .generateUserDelegationSas(blobServiceSasSignatureValues, userDelegationKey);

希望这对其他人有帮助！