Answer 0: (score: 0)
If you want to use an Azure AD access token to access the Azure Blob REST API, we need to assign an Azure RBAC role (Storage Blob Data Owner, Storage Blob Data Contributor or Storage Blob Data Reader) to the service principal or AD user. For more details, please refer to the document.
For example (I use a service principal):
1. Create a service principal and assign an Azure RBAC role to the sp.
```shell
az login
az account set --subscription "<your subscription id>"
# it will assign Storage Blob Data Reader to the sp at storage account level
az ad sp create-for-rbac -n "mysample" --role "Storage Blob Data Reader" --scopes <the resource id of storage account>
```
2. Get an access token:
```http
POST /<your sp tenant id>/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=<your sp appId>
&client_secret=<your sp password>
&resource=https://storage.azure.com/
```
3. Call the Azure Blob REST API:
```http
GET https://myaccount.blob.core.windows.net/mycontainer?restype=container&comp=list
x-ms-version: 2017-11-09
Authorization: Bearer <access token>
```
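The token request and the List Blobs call from the answer above, wrapped in Python as an added example (this is not code from the original answer or from the Azure SDK). It builds the same v1 client-credentials request body and the same Blob request headers, and adds the check a practitioner wants before sending the token: decode the JWT payload and confirm its `aud` claim is the storage resource, since a token minted for another resource (Microsoft Graph, for instance) is rejected by the storage service with 401. Tenant id, appId, password, account and container names are placeholders; `make_unsigned_jwt` produces a constructed, unsigned token purely so the audience check can be exercised offline.

```python
# Added example, not code from the original answer: build the client-credentials
# token request and the Blob "List Blobs" request exactly as in the answer, then
# check offline that a token's audience (aud) is the storage resource before
# sending it. Tenant, client, account and container values are placeholders.
import base64
import json
import urllib.parse
import urllib.request

STORAGE_RESOURCE = "https://storage.azure.com/"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the v1 client-credentials grant."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": STORAGE_RESOURCE,   # must be the storage resource, not Graph
    })
    return url, body


def blob_list_request(account, container, token, api_version="2017-11-09"):
    """Return (url, headers) for the List Blobs call authorized with a bearer token."""
    url = (f"https://{account}.blob.core.windows.net/{container}"
           "?restype=container&comp=list")
    headers = {"x-ms-version": api_version, "Authorization": f"Bearer {token}"}
    return url, headers


def jwt_payload(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(token, resource=STORAGE_RESOURCE):
    """True if the token was issued for the storage resource (trailing slash ignored)."""
    aud = jwt_payload(token).get("aud", "")
    return aud.rstrip("/") == resource.rstrip("/")


def get_token(tenant_id, client_id, client_secret):
    """POST the grant to Azure AD and return the access token (network call)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


def list_blobs(account, container, token):
    """Call the Blob REST API; refuse to send a token minted for the wrong audience."""
    if not audience_ok(token):
        raise ValueError("token audience is not %s" % STORAGE_RESOURCE)
    url, headers = blob_list_request(account, container, token)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def make_unsigned_jwt(claims):
    """Constructed, unsigned JWT used only for the offline demonstration."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    good = make_unsigned_jwt({"aud": STORAGE_RESOURCE, "appid": "<sp appId>"})
    bad = make_unsigned_jwt({"aud": "https://graph.microsoft.com"})
    print("storage token accepted:", audience_ok(good))   # True
    print("graph token accepted:  ", audience_ok(bad))    # False
    print(token_request("<tenant id>", "<appId>", "<password>")[1])
```

With real credentials, `list_blobs(account, container, get_token(tenant, app_id, password))` performs steps 2 and 3 of the answer; the audience check runs first so a misconfigured `resource` fails locally with a clear message instead of an opaque 401 from the storage endpoint.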