无法从ARM模板正确生成SAS令牌中的signedVersion

时间:2019-04-02 13:54:41

标签: azure azure-storage azure-resource-manager arm-template

我使用以下示例生成SAS并将App Service配置为将https和应用程序日志发送到blob

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "storageAccountName": {
            "type": "string",
            "defaultValue": "[concat('storage', uniqueString(resourceGroup().id))]",
            "metadata": {
                "description": "The name of Storage Account."
            }
        },
        "blobContainerName": {
            "type": "string",
            "defaultValue": "[concat(parameters('webAppName'), '-logs')]",
            "metadata": {
                "description": "The name of Blob Container to store diagnostics logs from Web App."
            }
        },
        "storageAccountSkuName": {
            "type": "string",
            "defaultValue": "Standard_LRS",
            "metadata": {
                "description": "The SKU name of the Storage Account."
            }
        },
        "storageAccountKind": {
            "type": "string",
            "defaultValue": "StorageV2",
            "metadata": {
                "description": "The name of the Storage Account Type."
            }
        },
        "appServicePlanName": {
            "type": "string",
            "defaultValue": "[concat('appServicePlan', '-', uniqueString(resourceGroup().id))]",
            "metadata": {
                "description": "The name of the App Service Plan."
            }
        },
        "appServicePlanSkuName": {
            "type": "string",
            "defaultValue": "F1",
            "metadata": {
                "description": "The SKU name of the App Service Plan."
            }
        },
        "webAppName": {
            "type": "string",
            "defaultValue": "[concat('webApp', '-', uniqueString(resourceGroup().id))]",
            "metadata": {
                "description": "The name of the Web App."
            }
        },
        "diagnosticsLogsLevel": {
            "type": "string",
            "defaultValue": "Verbose",
            "allowedValues": [
                "Verbose",
                "Information",
                "Warning",
                "Error"
            ],
            "metadata": {
                "description": "The degree of severity for diagnostics logs."
            }
        },
        "diagnosticsLogsRetentionInDays": {
            "type": "int",
            "defaultValue": 10,
            "metadata": {
                "description": "Number of days for which the diagnostics logs will be retained."
            }
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]",
            "metadata": {
                "description": "Location for all resources."
            }
        }
    },
    "variables": {
        "blobContainerName": "[toLower(parameters('blobContainerName'))]",
        "listAccountSasRequestContent": {
            "signedServices": "bfqt",
            "signedPermission": "rwdlacup",
            "signedStart": "2018-10-01T00:00:00Z",
            "signedExpiry": "2218-10-30T00:00:00Z",
            "signedResourceTypes": "sco"
        }
    },
    "resources": [
        {
            "apiVersion": "2018-02-01",
            "type": "Microsoft.Storage/storageAccounts",
            "name": "[parameters('storageAccountName')]",
            "location": "[parameters('location')]",
            "sku": {
                "name": "[parameters('storageAccountSkuName')]"
            },
            "kind": "[parameters('storageAccountKind')]",
            "resources": [
                {
                    "name": "[concat('default/', variables('blobContainerName'))]",
                    "type": "blobServices/containers",
                    "apiVersion": "2018-02-01",
                    "dependsOn": [
                        "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
                    ],
                    "properties": {
                        "publicAccess": "Blob"
                    }
                }
            ]
        },
        {
            "apiVersion": "2018-02-01",
            "type": "Microsoft.Web/serverfarms",
            "name": "[parameters('appServicePlanName')]",
            "location": "[parameters('location')]",
            "sku": {
                "Name": "[parameters('appServicePlanSkuName')]"
            }
        },
        {
            "apiVersion": "2018-02-01",
            "type": "Microsoft.Web/sites",
            "name": "[parameters('webAppName')]",
            "location": "[parameters('location')]",
            "dependsOn": [
                "[concat('Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]",
                "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
            ],
            "properties": {
                "name": "[parameters('webAppName')]",
                "serverFarmId": "[concat('/subscriptions/', subscription().id,'/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Web/serverfarms/', parameters('appServicePlanName'))]"
            },
            "resources": [
                {
                    "apiVersion": "2018-02-01",
                    "type": "config",
                    "name": "logs",
                    "dependsOn": [
                        "[concat('Microsoft.Web/sites/', parameters('webAppName'))]"
                    ],
                    "properties": {
                        "applicationLogs": {
                            "azureBlobStorage": {
                                "level": "[parameters('diagnosticsLogsLevel')]",
                                "sasUrl": "[concat(reference(concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))).primaryEndpoints.blob, variables('blobContainerName'), '?', listAccountSas(parameters('storageAccountName'), '2018-02-01', variables('listAccountSasRequestContent')).accountSasToken)]",
                                "retentionInDays": "[parameters('diagnosticsLogsRetentionInDays')]"
                            }
                        }
                    }
                }
            ]
        }
    ]
}

当我尝试查看使用此ARM模板部署的某个App Service的日志流(log stream)时,看到以下错误消息:缺少有效的共享访问签名的必需参数。使用 listAccountSasRequestContent 生成的SAS URL如下:

https://xxxstorage.blob.core.windows.net/httplogs?sv=2015-04-05&ss=bfqt&srt=sco&sp=rwdlacup&st=2018-01-01T00:00:00.0000000Z&se=2118-01-01T00:00:00.0000000Z&sig=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

此错误的根本原因是什么?

P.S. 如果我从Portal或Azure Storage Explorer手动生成SAS,得到的是sv=2018-03-28,并且这些SAS还带有sr=c参数。

2 个答案:

答案 0 :(得分:1)

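Azure团队工程师提供了可以正常工作的代码,见下文。与问题中通过listAccountSas生成的帐户SAS(signedServices为bfqt、signedPermission为rwdlacup)不同,这段代码使用listServiceSas生成服务SAS:signedResource为c,即范围仅限于该容器,权限为rwdl,并显式指定了signedversion。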

 "variables": {
    "blobContainerName": "[toLower(parameters('blobContainerName'))]",
    "serviceSasProperties": {
        "canonicalizedResource": "[concat('/blob/', parameters('storageAccountName'),'/',parameters('blobContainerName'))]",
        "signedResource": "c",
        "signedPermission": "rwdl",
        "signedstart":"2017-08-20T11:00:00Z",
        "signedExpiry": "2020-08-20T11:00:00Z",
        "signedversion": "2015-04-05"
    }
},

"sasUrl": "[concat('https://',parameters('storageAccountName'),'.blob.core.windows.net/',parameters('blobContainerName'),'?',listServiceSas(parameters('storageAccountName'), '2018-07-01', variables('serviceSasProperties')).serviceSasToken)]",

答案 1 :(得分:0)

您提供的SAS URI似乎不正确,它混合了帐户SAS和服务SAS的参数。https://xxxstorage.blob.core.windows.net/httplogs 这一部分看起来应该是服务SAS的URI,但它带有 ss=bfqt 和 srt=sco 参数,而这两个参数属于帐户SAS令牌。

有关更多详细信息,您可以参考这些链接。