Azure服务主体和带有Python的storage.blob

时间:2017-12-20 13:00:48

标签: python azure azure-storage service-principal

我正在尝试通过python对服务主体进行身份验证,然后访问azure.storage.blob

用于:

NAME = '****'
KEY = '****'
block_blob_service = BlockBlobService(account_name=NAME, account_key=KEY, protocol='https')

但我不能让它与服务主管合作:

TENANT_ID = '****'

CLIENT = '****'

KEY_SERVICE = '****'

credentials = ServicePrincipalCredentials(
    client_id = CLIENT,
    secret = KEY_SERVICE,
    tenant = TENANT_ID
    )

我有点困惑我如何配对那些2和我尝试的任何东西只是在我尝试上传blob时给我一个超时。

3 个答案:

答案 0 :(得分:0)

我认为Azure Storage Service不支持服务主体凭据。实际上它目前只接受两种凭证:共享密钥和共享访问签名(SAS)。

答案 1 :(得分:0)

Azure存储专门用于帐户名+密钥(无论是主要还是次要)。没有服务主体/基于AD的访问概念。

您的第一个示例(使用帐户名+密钥设置blob服务端点)是正确的操作方式。

注意:正如昭兴所说,你也可以使用SAS。但从程序化的角度来看,假设您是存储帐户所有者,那并不会给您带来太大的收益。

服务主体(以及AD一般)发挥作用的唯一地方是管理资源本身(例如,从部署/管理/删除的角度来看存储帐户)。

答案 2 :(得分:0)

这非常令人困惑。 一旦服务主体(SP)在Azure门户中注册并创建了新的秘密...

enter image description here

...在资源组级别分配了Contributor角色...

enter image description here

...其中的任何存储帐户和容器都将继承此角色。

enter image description here

enter image description here

在您的应用程序中,您可以从注册的SP创建ServicePrincipalCredentials()ClientSecretCredential() ... 

service_credential = ServicePrincipalCredentials(
    tenant = '<yourTenantID>',
    client_id = '<yourClientID>',
    secret = '<yourClientSecret>'
)

client_credential = ClientSecretCredential(
    '<yourTenantID>',
    '<yourClientID>',
    '<yourClientSecret>'
)

从这里创建一个ResourceManagementClient() ... 

resource_client = ResourceManagementClient(service_credential, subscription_id)

...列出RG的资源,存储帐户。

for item in resource_client.resource_groups.list():
    print(item.name)

for item in resource_client.resources.list():
    print(item.name + " " + item.type)

for item in resource_client.resources.list_by_resource_group('azureStorage'):
    print(item.name)

但是...根据我的研究,您无法使用ResourceManagementClient()列出blob容器或给定容器中的blob。因此,我们转到BlobServiceClient() 

blob_service_client = BlobServiceClient(account_url = url, credential=client_credential)

从这里,您可以列出Blob容器... 

blob_list = blob_service_client.list_containers()
for blob in blob_list:
    print(blob.name + " " + str(blob.last_modified))

但是...根据我的研究,您无法列出容器中的斑点!

container_client = blob_service_client.get_container_client('testcontainer')

blob_list = container_client.list_blobs()
for blob in blob_list:
    print("\t" + blob.name)

---------------------------------------------------------------------------
StorageErrorException                     Traceback (most recent call last)
~/anaconda3_501/lib/python3.6/site-packages/azure/storage/blob/_models.py in _get_next_cb(self, continuation_token)
    599                 cls=return_context_and_deserialized,
--> 600                 use_location=self.location_mode)
    601         except StorageErrorException as error:

~/anaconda3_501/lib/python3.6/site-packages/azure/storage/blob/_generated/operations/_container_operations.py in list_blob_flat_segment(self, prefix, marker, maxresults, include, timeout, request_id, cls, **kwargs)
   1142             map_error(status_code=response.status_code, response=response, error_map=error_map)
-> 1143             raise models.StorageErrorException(response, self._deserialize)
   1144 

StorageErrorException: Operation returned an invalid status 'This request is not authorized to perform this operation using this permission.'

During handling of the above exception, another exception occurred:

HttpResponseError                         Traceback (most recent call last)
<ipython-input-104-7517e7a6a19f> in <module>
      1 container_client = blob_service_client.get_container_client('testcontainer')
      2 blob_list = container_client.list_blobs()
----> 3 for blob in blob_list:
      4     print("\t" + blob.name)

~/anaconda3_501/lib/python3.6/site-packages/azure/core/paging.py in __next__(self)
    120         if self._page_iterator is None:
    121             self._page_iterator = itertools.chain.from_iterable(self.by_page())
--> 122         return next(self._page_iterator)
    123 
    124     next = __next__  # Python 2 compatibility.

~/anaconda3_501/lib/python3.6/site-packages/azure/core/paging.py in __next__(self)
     72             raise StopIteration("End of paging")
     73 
---> 74         self._response = self._get_next(self.continuation_token)
     75         self._did_a_call_already = True
     76 

~/anaconda3_501/lib/python3.6/site-packages/azure/storage/blob/_models.py in _get_next_cb(self, continuation_token)
    600                 use_location=self.location_mode)
    601         except StorageErrorException as error:
--> 602             process_storage_error(error)
    603 
    604     def _extract_data_cb(self, get_next_return):

~/anaconda3_501/lib/python3.6/site-packages/azure/storage/blob/_shared/response_handlers.py in process_storage_error(storage_error)
    145     error.error_code = error_code
    146     error.additional_info = additional_data
--> 147     raise error
    148 
    149 

HttpResponseError: This request is not authorized to perform this operation using this permission.
RequestId:e056fe39-b01e-0007-425c-20a63f000000
Time:2020-05-02T08:32:02.2204809Z
ErrorCode:AuthorizationPermissionMismatch
Error:None

我发现列出容器中的blob(以及执行其他操作,例如复制blob等)的唯一方法是使用连接字符串而不是BlobServiceClient创建TenantID, ClientID, ClientSecret

关于使用令牌访问blob资源hereherehere的更多信息,但是我还没有能够进行测试。

相关问题
最新问题