Authenticate to a storage account with a service principal

Time: 2019-08-09 12:50:00

Tags: java azure azure-storage-blobs

In Java, I want to authenticate with a service principal (preferably using a client certificate) to write/read files from blob storage.

I started with the StorageAccount and an access key, but I need more fine-grained permission control (for example, read-only or write-only).

I can't find an example of how to do this in the Azure documentation, and there is no entry point for it in the code either.

1 answer:

Answer 0: (score: 1)

According to my research, Azure does not provide a built-in role that has only read/write permissions on Blob storage resources. So we need to create a custom role according to your needs. Then you can assign the role to the service principal. To create a custom role, please refer to the following steps:

  1. Define the role JSON

    {
      "Name": "Azure blob Writer",
      "Id": null,
      "IsCustom": true,
      "Description": "Read and write blob",
      "Actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
      ],
      "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
      ],
      "NotActions": [],
      "AssignableScopes": [
        "/subscriptions/<subscription id>"
      ]
    }

  2. Create the custom role with PowerShell

      New-AzureRmRoleDefinition -InputFile "<path to the JSON file>"

In addition, if you use an access key, you can generate a SAS token with the account key. The permissions of the SAS token can be configured as needed. For how to create a SAS token, please refer to the following code.

    import com.microsoft.azure.storage.blob.BlobSASPermission;
    import com.microsoft.azure.storage.blob.SASProtocol;
    import com.microsoft.azure.storage.blob.SASQueryParameters;
    import com.microsoft.azure.storage.blob.ServiceSASSignatureValues;
    import com.microsoft.azure.storage.blob.SharedKeyCredentials;

    import java.security.InvalidKeyException;
    import java.time.OffsetDateTime;

    // Wrapper class and method added so the snippet compiles (azure-storage-blob v10 SDK).
    public class BlobSasExample {

        // Builds the SAS query parameters for one blob, signed with the storage account key.
        static SASQueryParameters createBlobSas(String accountName, String accountKey)
                throws InvalidKeyException {
            SharedKeyCredentials credential = new SharedKeyCredentials(accountName, accountKey);

            // This is the name of the container and blob that we're creating a SAS to.
            String containerName = "mycontainer"; // Container names require lowercase.
            String blobName = "HelloWorld.txt"; // Blob names can be mixed case.
            String snapshotId = "2018-01-01T00:00:00.0000000Z"; // SAS can be restricted to a specific snapshot

            /*
            Set the desired SAS signature values and sign them with the shared key credentials to get the SAS query
            parameters.
             */
            ServiceSASSignatureValues values = new ServiceSASSignatureValues()
                    .withProtocol(SASProtocol.HTTPS_ONLY) // Users MUST use HTTPS (not HTTP).
                    .withExpiryTime(OffsetDateTime.now().plusDays(2)) // 2 days before expiration.
                    .withContainerName(containerName)
                    .withBlobName(blobName)
                    .withSnapshotId(snapshotId);

            /*
            To produce a container SAS (as opposed to a blob SAS), assign to Permissions using ContainerSASPermissions, and
            make sure the blobName and snapshotId fields are null (the default).
             */
            BlobSASPermission permission = new BlobSASPermission()
                    .withRead(true)
                    .withAdd(true)
                    .withWrite(true);
            values.withPermissions(permission.toString());

            SASQueryParameters params = values.generateSASQueryParameters(credential);
            return params;
        }
    }

For more details, please see the sample.
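As an added example (not part of the original answer), a small Python audit of the query parameters such a SAS carries (sp, se, spr, sr, sig) against the least-privilege settings the answer's Java code chooses: read/add/write on a single blob, HTTPS only, at most two days of lifetime. The sample tokens and their sig values are constructed placeholders, not real signatures.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Policy mirroring the Java sample: read/add/write on one blob, HTTPS only, <= 2 days.
ALLOWED_PERMISSIONS = set("raw")
MAX_LIFETIME = timedelta(days=2)

# Constructed sample tokens (the sig values are placeholders, not real signatures).
SAMPLE_OK = ("?sv=2018-03-28&spr=https&se=2019-08-11T12:50:00Z"
             "&sr=b&sp=raw&sig=CONSTRUCTED_SIGNATURE_1")
SAMPLE_RISKY = ("sv=2018-03-28&se=2020-12-31T00:00:00Z"
                "&sr=c&sp=racwdl&sig=CONSTRUCTED_SIGNATURE_2")
AUDIT_TIME = datetime(2019, 8, 9, 12, 50, tzinfo=timezone.utc)


def parse_sas(token: str) -> dict:
    """Split a SAS query string (leading '?' optional) into a name -> value dict."""
    pairs = parse_qs(token.lstrip("?"), keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def audit_sas(token: str, now: datetime, allowed=ALLOWED_PERMISSIONS,
              max_lifetime=MAX_LIFETIME) -> list:
    """Return policy findings for one token; an empty list means it passes."""
    p = parse_sas(token)
    findings = []
    if p.get("spr") != "https":  # what SASProtocol.HTTPS_ONLY emits
        findings.append("spr: token is usable over plain HTTP")
    extra = set(p.get("sp", "")) - set(allowed)
    if extra:
        findings.append("sp: permissions beyond policy: " + "".join(sorted(extra)))
    if "se" not in p:
        findings.append("se: no expiry time")
    else:
        expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
        if expiry <= now:
            findings.append("se: token already expired")
        elif expiry - now > max_lifetime:
            findings.append("se: lifetime exceeds %d days" % max_lifetime.days)
    if p.get("sr") == "c":
        findings.append("sr: container-wide SAS rather than a single blob")
    if not p.get("sig"):
        findings.append("sig: signature missing")
    return findings


if __name__ == "__main__":
    for name, token in (("ok", SAMPLE_OK), ("risky", SAMPLE_RISKY)):
        print(name, audit_sas(token, AUDIT_TIME) or ["passes policy"])
```

Pass a narrower `allowed` set (for example `{"r"}`) to check a token against the read-only requirement raised in the question.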