Azure Shared Access Signature creation

I am using the Azure portal to generate a Shared Access Signature (SAS) for one of the blob containers in v2. I am trying to upload files from a front-end that requires the SAS. The problem is that the SAS expires every day. Is there a way to renew the SAS automatically with code, or is there a way to authenticate using Azure AD? So basically I have a front-end where the user logs in with Azure AD, and now I want to leverage his session to allow him to upload to Azure Storage. Since he is already authorized, I feel there should be a way to dynamically generate a SAS for his session.

Shared access signatures are useful for providing limited permissions to your storage account to clients that should not have the account key.

If you are the one writing the data to the storage account, do it server-side. If you do that, you can verify that the user is logged in. If so, let your back-end write to the storage account using one of the access keys (or, better still, a managed identity).

Of course, you could have the front-end request a SAS token from the back-end, for instance from an API. That can be implemented simply, for example with an Azure Function. The SAS token can use a near-term expiration time. In the end, you are still opening up part of your storage account to anyone who can access the front-end.

With near-term expiration, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.

Source: Using shared access signatures (SAS)

From the same article:

The following code example creates an account SAS that is valid for the Blob and File services, and gives the client read, write, and list permissions to access service-level APIs. The account SAS restricts the protocol to HTTPS, so the request must be made with HTTPS.

// Requires the legacy WindowsAzure.Storage package (namespace Microsoft.WindowsAzure.Storage),
// which is the SDK this documentation sample was written against.
using System;
using Microsoft.WindowsAzure.Storage;

static string GetAccountSASToken()
{
    // To create the account SAS, you need to use your shared key credentials. Modify for your account.
    // The account key signs the SAS, so this code must only ever run on the back-end.
    const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=account-name;AccountKey=account-key";
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

    // Create a new access policy for the account.
    SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
        {
            Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List,
            Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.File,
            // Service-level resource type only: the token cannot be used on containers or blobs.
            ResourceTypes = SharedAccessAccountResourceTypes.Service,
            // 24 hours is the documentation sample's value; a token handed to a browser should live much shorter.
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Protocols = SharedAccessProtocol.HttpsOnly
        };

    // Return the SAS token (the query string, without a leading URL).
    return storageAccount.GetSharedAccessSignature(policy);
}
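The answer above describes having the front-end ask the back-end for a short-lived SAS after the back-end has verified the user's login, and the question asks whether Azure AD can be used instead of the account key. The following is an added example, not code from the answer or from the Microsoft article, that combines both: the back-end mints a user delegation SAS with its own Azure AD identity (Azure.Identity's DefaultAzureCredential, so no storage account key exists anywhere in the flow) and scopes it to a single blob under a per-user prefix, with create/write permission only, HTTPS only, and a 10-minute expiry. It assumes the Azure.Storage.Blobs v12 and Azure.Identity packages, a hypothetical account `mystorageaccount` and container `uploads`, and that the back-end's identity holds a role that allows requesting user delegation keys (for example Storage Blob Data Contributor on the account).

```csharp
using System;
using System.IO;
using Azure.Identity;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

// Added example; assumed account and container names.
public static class UploadSasIssuer
{
    private const string AccountName = "mystorageaccount";
    private const string ContainerName = "uploads";

    // Call this from the back-end API only after the caller's Azure AD session has been
    // validated. userId must come from the validated token (e.g. the object id claim),
    // never from a value the client supplies freely, because it decides the blob prefix.
    public static Uri IssueUploadSas(string userId, string fileName)
    {
        var serviceClient = new BlobServiceClient(
            new Uri($"https://{AccountName}.blob.core.windows.net"),
            new DefaultAzureCredential());

        // Start a few minutes in the past to absorb clock skew; expire soon after.
        DateTimeOffset startsOn = DateTimeOffset.UtcNow.AddMinutes(-5);
        DateTimeOffset expiresOn = DateTimeOffset.UtcNow.AddMinutes(10);

        // The user delegation key is obtained with the back-end's Azure AD identity and
        // is what signs the SAS. It is only valid for the window requested here, so the
        // SAS cannot outlive it.
        UserDelegationKey delegationKey =
            serviceClient.GetUserDelegationKey(startsOn, expiresOn);

        // Strip any directory component the client sent and pin the blob under the
        // user's own prefix, so one user cannot overwrite another user's uploads.
        string blobName = $"{userId}/{Path.GetFileName(fileName)}";

        var sasBuilder = new BlobSasBuilder
        {
            BlobContainerName = ContainerName,
            BlobName = blobName,
            Resource = "b",            // a single blob, not the container or the account
            StartsOn = startsOn,
            ExpiresOn = expiresOn,
            Protocol = SasProtocol.Https,
        };
        // Create + Write is enough to upload a block blob; no Read, List or Delete.
        sasBuilder.SetPermissions(BlobSasPermissions.Create | BlobSasPermissions.Write);

        var uriBuilder = new BlobUriBuilder(serviceClient.Uri)
        {
            BlobContainerName = ContainerName,
            BlobName = blobName,
            Sas = sasBuilder.ToSasQueryParameters(delegationKey, AccountName),
        };
        return uriBuilder.ToUri();
    }
}
```

The front-end uploads with a single `PUT` to the returned URI (with the `x-ms-blob-type: BlockBlob` header, or through the Azure Storage JavaScript SDK), and nothing else in the account is reachable with that token. Because the token is signed with a user delegation key rather than the account key, rotating the account keys is no longer needed to revoke it; it simply expires after the ten minutes, which is the "near-term expiration" the article recommends.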