无法在Azure中使用系统分配的托管身份进行blob存储操作。
问题描述 投票:0回答:1
获取 "服务器未能验证该请求。确保授权头的值正确形成,包括签名。" 在尝试使用C#语言在Azure中使用系统分配的托管身份时出现错误。
遵循的步骤是
- 创建了一个新的虚拟机,并启用了身份识别(系统分配)。
- 在IAM中使用存储账户中的角色分配添加了虚拟机。
- 能够使用C#生成令牌
- 但在读取blob时出现异常,以下是异常详情
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
at Microsoft.Azure.Storage.Core.Executor.Executor.<ExecuteAsync>d__1`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.Storage.Blob.CloudBlockBlob.<DownloadTextAsync>d__72.MoveNext()
程序类
class Program
{
static void Main(string[] args)
{
try
{
var blob = new AzureCloudBlob();
Console.WriteLine(blob.ReadBlob());
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
Console.WriteLine(ex.StackTrace);
}
}
}
AzureCloudBlob类,用于使用系统分配的托管身份访问令牌连接和读取blob。
class AzureCloudBlob
{
public CloudBlockBlob CreateConnection()
{
var token = GetToken();
var tokenCredentials = new TokenCredential(token);
var storageCredentials = new StorageCredentials(tokenCredentials);
var serviceUri = new Uri("https://mystorageacc.blob.core.windows.net/practice/blob.txt");
return new CloudBlockBlob(serviceUri, storageCredentials);
}
public string ReadBlob()
{
var client = CreateConnection();
var blobClient = client.DownloadTextAsync();
var data = blobClient.Result;
return data;
}
public string GetToken()
{
var request = (HttpWebRequest)WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/");
request.Headers["Metadata"] = "true";
request.Method = "GET";
try
{
var response = (HttpWebResponse)request.GetResponse();
var streamResponse = new StreamReader(response.GetResponseStream());
string stringResponse = streamResponse.ReadToEnd();
var list = (Dictionary<string, string>)JsonConvert.DeserializeObject(stringResponse, typeof(Dictionary<string, string>));
string accessToken = list["access_token"];
Console.WriteLine(accessToken);
return accessToken;
}
catch (Exception e)
{
string errorText = String.Format("{0} \n\n{1}", e.Message, e.InnerException != null ? e.InnerException.Message : "Acquire token failed");
Console.WriteLine(errorText);
return errorText;
}
}
}
1个回答
1
投票
投票
如果你想使用Azure AD auth访问Azure存储,我们应该使用 resouce=https://storage.azure.com/ 来获取Azure AD访问令牌。但你使用 resource=https://management.azure.com/. 请更换。此外,请注意,您需要为MSI分配正确的角色。角色应该是 储存Blob数据读取器, 存储Blob数据贡献者 或 存储Blob数据所有者.
具体步骤如下
在 Azure 虚拟机上启用系统分配的托管身份。
$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -AssignIdentity:$SystemAssigned在存储账户范围内为MSI分配角色。
$sp =Get-AzADServicePrincipal -displayname "<your VM name>" New-AzRoleAssignment -ObjectId $sp.id ` -RoleDefinitionName "Storage Blob Data Reader" ` -Scope "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>"编码
class Program { static void Main(string[] args) { //get token string accessToken = GetMSIToken("https://storage.azure.com/"); //create token credential TokenCredential tokenCredential = new TokenCredential(accessToken); //create storage credentials StorageCredentials storageCredentials = new StorageCredentials(tokenCredential); Uri blobAddress = new Uri("<URI to blob file>"); //create block blob using storage credentials CloudBlockBlob blob = new CloudBlockBlob(blobAddress, storageCredentials); //retrieve blob contents Console.WriteLine(blob.DownloadText()); Console.ReadLine(); } static string GetMSIToken(string resourceID) { string accessToken = string.Empty; // Build request to acquire MSI token HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=" + resourceID); request.Headers["Metadata"] = "true"; request.Method = "GET"; try { // Call /token endpoint HttpWebResponse response = (HttpWebResponse)request.GetResponse(); // Pipe response Stream to a StreamReader, and extract access token StreamReader streamResponse = new StreamReader(response.GetResponseStream()); string stringResponse = streamResponse.ReadToEnd(); JavaScriptSerializer j = new JavaScriptSerializer(); Dictionary<string, string> list = (Dictionary<string, string>)j.Deserialize(stringResponse, typeof(Dictionary<string, string>)); accessToken = list["access_token"]; return accessToken; } catch (Exception e) { string errorText = String.Format("{0} \n\n{1}", e.Message, e.InnerException != null ? e.InnerException.Message : "Acquire token failed"); return accessToken; } } }
最新问题
- nginx 重定向到索引页面
- 如何在Python中计算math.sqrt(-1)?
- Angular 19 独立组件错误:尽管导入了 HttpClientModule,“没有 _HttpClient 的提供程序”
- 不同加数问题贪心算法
- 我无法在 Ajax 中执行 Perl 脚本
- AVX2 / gcc:通过使用不同的寄存器来提高CPU级并行性
- 我无法在ajax中执行perl脚本
- 实体框架。直接编辑集合导航属性时的奇怪行为
- 在Python中检测比例参考线坐标
- 如何防止我的Python脚本在Windows上运行后立即关闭?
- Gridgain9 是 ignite2 还是 ignite3 的下游
- 如何修改JavaFX中的ChoiceBox复选标记?
- 在pygame中实时播放带有alpha通道和同步音频的两个混合视频?
- 如何在cypher-shell中使用环境变量NEO4J_PASSWORD
- ASP Classic IPN 侦听器可以工作,但现在不行了
- 如何实际使用 cv2.estimateAffine3D 在 python 中对齐 3d 点?
- 如何在 R 中生成具有跨多个组的 FDR 校正 P 值的分层汇总表
- 我无法使用 Exact Alarm 进行颤振本地通知
- Azure OpenAI Studio Playground:在向任何函数提交输出时,我的助手总是返回未定义的错误
- 如何对Bull.js与Redis服务器的连接实现完整而非部分的TLS保护?
© www.soinside.com 2019 - 2024. All rights reserved.