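My scenario is this: the frontend calls an API and sends the name of a blob file, and the backend in AKS generates a SAS token for the blob file with a 15-minute expiry. However, when the token is sent to the frontend (a React SPA), it cannot be used and fails with an unauthenticated error, but when I put my browser's IP in the whitelist, I can access the blob file. Why does this happen, and how can I make the SAS token give the public time-limited access without whitelisting the client browser IP?
My error:
This XML file does not appear to have any style information associated with it. The document tree is shown below.
This request is not authorized to perform this operation. RequestId:b9efa22e-001e-004c-23f9-274133000000 Time:2023-12-06T04:07:47.4688222Z AuthorizationFailure
Here is my code: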
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;
using System;
using Azure.Storage;

namespace SAS.Container.Controllers
{
    [ApiController]
    [Route("api/get-sas")]
    public class GetSasAzureStorageController : ControllerBase
    {
        private readonly IConfiguration _configuration;

        public GetSasAzureStorageController(IConfiguration configuration)
        {
            _configuration = configuration;
        }

        [HttpGet("")]
        public IActionResult GetSasToken()
        {
            try
            {
                string connectionString = _configuration.GetConnectionString("AzureStorageConnection");
                if (string.IsNullOrEmpty(connectionString))
                {
                    return BadRequest("AzureStorageConnection is not configured in appsettings.json");
                }

                BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
                string containerName = "assets";
                string blobName = "myblob.png";
                var accountKey = "myaccountKey";
                BlobClient blobClient = blobServiceClient.GetBlobContainerClient(containerName).GetBlobClient(blobName);

                // Set permissions for SAS token
                BlobSasBuilder sasBuilder = new BlobSasBuilder()
                {
                    BlobContainerName = containerName,
                    BlobName = blobName,
                    Resource = "b", // 'b' for blob
                    StartsOn = DateTimeOffset.UtcNow,
                    ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(15)
                };

                // set permission read for SAS token
                sasBuilder.SetPermissions(BlobSasPermissions.Read);

                // Generate SAS token
                BlobUriBuilder blobUriBuilder = new BlobUriBuilder(blobClient.Uri)
                {
                    Sas = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential(blobServiceClient.AccountName, accountKey))
                };
                var sastoken = blobUriBuilder.ToUri().ToString();

                return Ok(new
                {
                    sastoken
                });
            }
            catch (Exception ex)
            {
                return StatusCode(500, $"An error occurred: {ex.Message}");
            }
        }
    }
}
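How can I make the SAS token give the public time-limited access without whitelisting the client browser IP?
If you need to give the public access with a SAS token for a limited time without whitelisting the client browser IP, you need to change your network settings.
If your networking is enabled for selected virtual networks and IP addresses, you cannot access them publicly.
Portal -> Your storage account -> Networking -> select Enabled from all networks.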
Now you can use the same code to generate a SAS token to display the image.
Code:
using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

var AccountName = "xxx";
var AccountKey = "xxxx";
var containerName = "xxxx";
var blobName = "xxxx";

StorageSharedKeyCredential key = new StorageSharedKeyCredential(AccountName, AccountKey);
BlobServiceClient blobServiceClient = new BlobServiceClient(new Uri($"https://{AccountName}.blob.core.windows.net"), key);
BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(containerName);
BlobClient blobClient = containerClient.GetBlobClient(blobName);

var sasBuilder = new BlobSasBuilder()
{
    BlobContainerName = containerName,
    BlobName = blobName,
    Resource = "b", // b for blob, c for container
    StartsOn = DateTimeOffset.UtcNow,
    ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(15),
};
sasBuilder.SetPermissions(BlobSasPermissions.All); // All permissions like(Read,write,add,list,create,SetImmutabilityPolicy,delete)

var Sas = sasBuilder.ToSasQueryParameters(key).ToString();
Console.WriteLine(Sas);

var sasuri = blobClient.Uri.AbsoluteUri + "?" + Sas;
Console.WriteLine(sasuri);
Output:
SAStoken = sv=2023-11-03&st=2023-12-07T07%3A00%3A17Z&se=2023-12-07T07%3A15%3A17Z&sr=b&sp=racwdxyltmei&sig=xxx
BlobSASUrl = https://venkat789.blob.core.windows.net/demo/spring-flowers.jpg?sv=2023-11-03&st=2023-12-07T07%3A00%3A17Z&se=2023-12-07T07%3A15%3A17Z&sr=b&sp=racwdxyltmei&sig=xxxxx
Copy the BlobSASUrl and paste it into the browser; it works perfectly in public and has a 15 minutes expiry time.
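As an added example (not code from the question or the answer): with the storage account reachable from all networks, the SAS parameters determine what a public URL permits, so a backend can audit each URL against its intended policy before returning it to the SPA. The `SasAudit` class, the policy values and the sample URL are assumptions constructed for illustration; `sp`, `st`, `se`, `sr` and `spr` are the standard SAS query fields.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Web; // HttpUtility.ParseQueryString

// Constructed sample URL in the shape of the answer's output; account name and signature are placeholders.
var url = "https://exampleaccount.blob.core.windows.net/demo/image.jpg?sv=2023-11-03&st=2023-12-07T07%3A00%3A17Z&se=2023-12-07T07%3A15%3A17Z&sr=b&sp=racwdxyltmei&sig=xxx";
foreach (var finding in SasAudit.Check(url, "r", TimeSpan.FromMinutes(15)))
    Console.WriteLine(finding);

static class SasAudit
{
    // Returns one finding per policy violation; an empty list means the URL matches the policy.
    public static List<string> Check(string sasUrl, string allowedPerms, TimeSpan maxLifetime)
    {
        var findings = new List<string>();
        var q = HttpUtility.ParseQueryString(new Uri(sasUrl).Query);

        // sp: every granted permission letter must be in the allowed set.
        var excess = string.Concat((q["sp"] ?? "").Where(p => !allowedPerms.Contains(p)));
        if (excess.Length > 0)
            findings.Add($"sp grants '{excess}' beyond the allowed '{allowedPerms}'");

        // se/st: an expiry must be present and the validity window bounded.
        if (!TryTime(q["se"], out var expires))
            findings.Add("se (expiry) is missing or unparsable");
        else
        {
            var starts = TryTime(q["st"], out var st) ? st : DateTimeOffset.UtcNow;
            if (expires - starts > maxLifetime)
                findings.Add($"lifetime {expires - starts} exceeds {maxLifetime}");
        }

        // sr: the page issues blob-scoped tokens ("b"); a container scope ("c") is wider.
        if (q["sr"] != "b")
            findings.Add($"sr is '{q["sr"]}', expected 'b'");

        // spr: when absent, the token itself permits both https and http.
        if (q["spr"] != "https")
            findings.Add("spr does not restrict the token to https");
        return findings;
    }

    static bool TryTime(string? value, out DateTimeOffset t) =>
        DateTimeOffset.TryParse(value, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out t);
}
```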