当前位置: 首页 > 知识库问答 >
问题:

如何使用最新的Azure SDK在Blob上获取共享访问签名。NET API v12?

章光华
2023-03-14

我曾经能够使用v11 Azure SDK API在Blob上创建共享访问签名,如下所示:

var containerName = "mycontainer";
var blobName = "myblob";

CloudStorageAccount storageAccount 
 = CloudStorageAccount.Parse(<StorageConnectionString>);

CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

CloudBlobContainer container = blobClient.GetContainerReference(containerName);


SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.Read;

TimeSpan clockSkew = TimeSpan.FromMinutes(15d);
TimeSpan accessDuration = TimeSpan.FromMinutes(15d);

var blobSAS = new SharedAccessBlobPolicy
{
    SharedAccessStartTime = DateTime.UtcNow.Subtract(clockSkew),
    SharedAccessExpiryTime = DateTime.UtcNow.Add(accessDuration) + clockSkew,
    Permissions = permissions
};

CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

string sasBlobToken = blob.GetSharedAccessSignature(blobSAS);

...

我想使用最新的v12。NET API,它似乎用BlobServiceClient取代了CloudBlobClient,用BlobContainerClient取代了CloudBlobContainer,用BlobClient取代了CloudBlockBlob。

但是,在CloudBlockBlob实例上可用的方法GetSharedAccessSignatureBlobClient实例上不可用。

问题

如何使用最新的AzureSDK. NET API v12从BobClient实例获取共享访问签名?

共有3个答案

陆城
2023-03-14

正在为使用Azure Blob存储客户端库v12。净值:

BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
    BlobContainerName = blobContainerName,
    BlobName = blobName,
    Resource = "b", //b = blob, c = container
    StartsOn = DateTimeOffset.UtcNow,
    ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(lifetimeMinutes)
};

blobSasBuilder.SetPermissions(BlobSasPermissions.Read);

StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);

string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();

如果必须根据分配给容器的访问策略生成共享访问签名(SAS令牌),请使用以下方法

BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
    BlobContainerName = blobContainerName,
    BlobName = blobName,
    Resource = "b", //b = blob, c = container
    Identifier = "ReadOnlyPolicy" //string value referees to the access policy created and assigned to the container.
};

StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);

string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();

注意:当SAS令牌生成基于分配给容器的访问策略时,您将无法在BlobSasBuilder中定义权限、开始或结束时间。您将获得运行时异常,因为“访问策略字段可以与签名或SAS标识符关联,但不能同时与两者关联”

参考号:https://www.craftedforeveryone.com/beginners-guide-and-reference-to-azure-blob-storage-sdk-v12-dot-net-csharp/

https://www.craftedforeveryone.com/beginners-guide-and-reference-to-azure-blob-storage-sdk-v12-dot-net-csharp/#generate_access_policy_based_sas_token_for_a_blob

仲孙绍元
2023-03-14

经过大量的搜寻,我找到了一些有关此的Microsoft文档:https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet

这详细说明了如何使用用户委派密钥而不是帐户密钥来生成SA,但所做的更改只是不同的重载。ToSasQueryParameters(),如其他答案中所述。

文章中的一些关键片段可以将其连接起来。首先创建BlobServiceClient:

// Construct the blob endpoint from the account name.
string blobEndpoint = string.Format("https://{0}.blob.core.windows.net", accountName);

// Create a new Blob service client with Azure AD credentials.
BlobServiceClient blobClient = new BlobServiceClient(new Uri(blobEndpoint),
                                                     new DefaultAzureCredential());

获取用户委派密钥,这将用于生成SA:

// Get a user delegation key for the Blob service that's valid for seven days.
// You can use the key to generate any number of shared access signatures over the lifetime of the key.
UserDelegationKey key = await blobClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow,
                                                                   DateTimeOffset.UtcNow.AddDays(7));

最后创建SAS URI:

// Create a SAS token that's valid for one hour.
BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
    BlobContainerName = containerName,
    BlobName = blobName,
    Resource = "b",
    StartsOn = DateTimeOffset.UtcNow,
    ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};

// Specify read permissions for the SAS.
sasBuilder.SetPermissions(BlobSasPermissions.Read);

// Use the key to get the SAS token.
string sasToken = sasBuilder.ToSasQueryParameters(key, accountName).ToString();

// Construct the full URI, including the SAS token.
UriBuilder fullUri = new UriBuilder()
{
    Scheme = "https",
    Host = string.Format("{0}.blob.core.windows.net", accountName),
    Path = string.Format("{0}/{1}", containerName, blobName),
    Query = sasToken
};
乐山
2023-03-14

Sajeetharan的回答让我寻找一个BlobSasBuilder类,它实际上是存在的。

以下是如何在服务器上构建一个:

//  Creates a client to the BlobService using the connection string.
var blobServiceClient = new BlobServiceClient(storageConnectionString);

//  Gets a reference to the container.
var blobContainerClient = blobServiceClient.GetBlobContainerClient(<ContainerName>);

//  Gets a reference to the blob in the container
BlobClient blobClient = containerClient.GetBlobClient(<BlobName>);

//  Defines the resource being accessed and for how long the access is allowed.
var blobSasBuilder = new BlobSasBuilder
{
    StartsOn = DateTime.UtcNow.Subtract(clockSkew), 
    ExpiresOn = DateTime.UtcNow.Add(accessDuration) + clockSkew,
    BlobContainerName = <ContainerName>,
    BlobName = <BlobName>,
};
    
//  Defines the type of permission.
blobSasBuilder.SetPermissions(BlobSasPermissions.Write);
       
//  Builds an instance of StorageSharedKeyCredential      
var storageSharedKeyCredential = new StorageSharedKeyCredential(<AccountName>, <AccountKey>);

//  Builds the Sas URI.
BlobSasQueryParameters sasQueryParameters = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential);

以下是如何在客户端使用它:

//  Builds the URI to the blob storage.
UriBuilder fullUri = new UriBuilder()
{
    Scheme = "https",
    Host = string.Format("{0}.blob.core.windows.net", <AccountName>),
    Path = string.Format("{0}/{1}", <ContainerName>, <BlobName>),
    Query = sasQueryParameters.ToString()
};

//  Get an instance of BlobClient using the URI.
var blobClient = new BlobClient(fullUri.Uri, null);

//  Upload stuff in the blob.
await blobClient.UploadAsync(stream);

补遗

正如@one2012在评论中提到的,几个月后,在这个答案之后出现了一个页面,展示了Azure中的所有功能。存储命名空间。该链接可用于获取更多信息。

更新

在服务器端,我有一个Azure Function,它现在正在将Azure存储与Function的托管标识连接起来。当我连接存储时,我不再使用帐户,只使用存储的endpoint:

BlobContainerClient blobContainerClient = new(new Uri(containerEndpoint), new DefaultAzureCredential());  

这使得来自初始服务器html" target="_blank">代码的以下部分有点棘手,因为我曾经使用CloudStorageUser。凭据。GetExportKeys()方法来获取帐户的密钥。使用托管身份时,我似乎不再有权访问它:

//  Builds an instance of StorageSharedKeyCredential      
    var storageSharedKeyCredential = new StorageSharedKeyCredential(<AccountName>, <AccountKey>);

事实证明,我必须使用用户委派来构建SAS Uri:

...
BlobServiceClient blobServiceClient = blobClient.GetParentBlobContainerClient().GetParentBlobServiceClient();

UserDelegationKey userDelegationKey = await blobServiceClient.GetUserDelegationKeyAsync
(
    DateTimeOffset.UtcNow,
    DateTimeOffset.UtcNow.AddMinutes(5d)
);
            
BlobUriBuilder blobUriBuilder = new (blobClient.Uri)
{
    // Specify the user delegation key.
    Sas = blobSasBuilder.ToSasQueryParameters(userDelegationKey, blobServiceClient.AccountName)
};

string uri = blobUriBuilder.ToUri();

    
 类似资料:
  • 问题内容: 这是服务器端的问题。我有一个BlobKey,仅此而已。如何从所说的BlobKey中获取Blob文件名?我知道如何将 但我怎么得到的文件名作为保存/所示为实例?我正在使用Java-不是python。 问题答案: 使用该类。

  • 如何更改blob访问策略? 目前,我可以使用azure quick Start创建一些测试blob。这很好用,但在我的例子中,Blob的公共访问级别默认为private。我想将公共访问级别从Private(无匿名访问)设置为Blob(仅对Blob进行匿名读取访问)。 当我运行这段代码时,它将引发以下异常,我认为这是因为没有正确设置。 异常StackTrace: 通过一些代码示例向我解释如何为Blo

  • 问题内容: 我有一个带有.groovy脚本的共享库,可以在jenkinsfile中这样调用: 我要执行的共享库中也有一个.ps1文件。但是,如果当我从jenkinsfile调用共享库函数时从共享库函数中执行该操作,则当前工作目录就是jenkinsfile所在管道的jenkins工作目录(通常是您想要的)。 有没有办法访问共享库中的文件?我想要做 问题答案: 您只能使用内置步骤获得内容。这就是为什么

  • 如何知道使用Exchange EWS API共享了哪个日历。

  • 我有一个默认ACL设置为private的bucket。我想生成预签名的url,并将其分发给用户,以便他们可以上传文件,上传后文件需要公开访问。 我可以生成预签名的url并上传文件,但文件始终保持私有。如果我在创建签名url时将ACL设置为“public-read”,那么getSignedUrl()正在生成签名url,但对该签名url的PUT请求会拒绝访问。 bucket可以包含私有或公共可访问的文

  • 我想使用API dropbox=python打印文件中的共享链接,我的代码: 现在我想获取url来共享,比如: 什么印刷品???谢谢兄弟