Azure Storage authentication via AzureServiceTokenProvider for CloudTableClient
【Posted】: 2019-01-06 16:50:56
【Question】: I am looking into using Azure AD to authenticate access to an Azure Storage account.
https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/services-support-msi#azure-services-that-support-azure-ad-authentication
using Microsoft.Azure.Services.AppAuthentication; // 1.1.0-preview
using Microsoft.WindowsAzure.Storage; // 9.3.0
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;
using Microsoft.WindowsAzure.Storage.Queue;
using Microsoft.WindowsAzure.Storage.Table;
using System;
using System.Threading.Tasks;

class Program
{
    static async Task Main(string[] args)
    {
        string storageAccountName = "fill_in";

        // Acquire an Azure AD access token for the storage resource
        AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
        string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://storage.azure.com/");//, tenantId);
        TokenCredential tokenCredential = new TokenCredential(accessToken);
        StorageCredentials storageCredentials = new StorageCredentials(tokenCredential);

        // blobs access
        CloudBlobClient cloudBlobClient = new CloudBlobClient(new StorageUri(new Uri($"https://{storageAccountName}.blob.core.windows.net")), storageCredentials);
        ContainerResultSegment containerResultSegment = await cloudBlobClient.ListContainersSegmentedAsync(null);
        CloudBlobContainer cloudBlobContainer = cloudBlobClient.GetContainerReference("test" + DateTime.Now.Ticks);
        await cloudBlobContainer.CreateIfNotExistsAsync();

        // queue access
        CloudQueueClient cloudQueueClient = new CloudQueueClient(new StorageUri(new Uri($"https://{storageAccountName}.queue.core.windows.net")), storageCredentials);
        QueueResultSegment queueResultSegment = await cloudQueueClient.ListQueuesSegmentedAsync(null);
        CloudQueue cloudQueue = cloudQueueClient.GetQueueReference("test" + DateTime.Now.Ticks);
        await cloudQueue.CreateIfNotExistsAsync();

        // table access
        CloudTableClient cloudTableClient = new CloudTableClient(new StorageUri(new Uri($"https://{storageAccountName}.table.core.windows.net")), storageCredentials);
        // this http request results in "HTTP/1.1 403 Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature."
        TableResultSegment tableResultSegment = await cloudTableClient.ListTablesSegmentedAsync(null);
        CloudTable cloudTable = cloudTableClient.GetTableReference("test" + DateTime.Now.Ticks);
        await cloudTable.CreateIfNotExistsAsync();
    }
}
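Trying to use tables results in Microsoft.WindowsAzure.Storage.StorageException: 'Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.'
In portal.azure.com I do see the roles
Storage Blob Data ___ (Preview)
Storage Queue Data ___ (Preview)
Is using Azure Storage tables this way out of scope for now, or am I missing something?
Regards, Florian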
【Answer 1】: AAD authentication does not yet support Tables. Only Blob and Queue can be seen among the available roles.
【Answer 2】: Azure AD integration is currently available in preview for the Blob and Queue services. The Table service is not yet supported.