I am new to Azure security and want to know how to access resources such as Key Vault or a storage account container without a connection string.
Model 1 - connection string
azure:
  storage:
    connection-string: efau;AccountName=sprin..ge;AccpointSuffix=core.windows.net
    container-name: files
Code:
// service
new BlobServiceClientBuilder().connectionString(azureStorageConnectionString).buildAsyncClient();
// client
return blobServiceClient().getBlobContainerAsyncClient(azureStorageContainerName);
// download
BlobAsyncClient blobAsyncClient = blobContainerAsyncClient.getBlobAsyncClient(fileName);
return blobAsyncClient.downloadContent().block().toBytes();
This works. (connection string model)
I want to use Entra ID. Application -> Entra -> storage account
I made these changes (the configuration on the portal is done):
spring:
  cloud:
    azure:
      active-directory:
        enabled: true
      profile:
        tenant-id: fa33eae07d908b94f0
      credential:
        client-id: 41c1b67-078d9e3822be
        client-secret: Tuw8Q~4VuXt0q0VsLegtlc7L
I don't know which bean to create.
return new DefaultAzureCredentialBuilder().build();
But I am being challenged on the credentials. Is this correct?
How do I avoid being challenged, connect using the provided properties, and download the blob?
To access Blob storage using a service principal, update the client credentials in application.properties under src => main => resources; see the article by @Devesh Kumar.
spring.application.name=demo
spring.cloud.azure.storage.blob.credential.client-id=Client_ID
spring.cloud.azure.storage.blob.profile.tenant-id=Tenant_ID
spring.cloud.azure.storage.blob.credential.client-secret=Client_Secret
spring.cloud.azure.storage.blob.endpoint=blobendpoint
spring.cloud.azure.storage.blob.container-name=container
pom.xml:
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-storage-blob</artifactId>
        <version>12.18.0</version>
    </dependency>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-identity</artifactId>
        <version>1.6.1</version>
    </dependency>
</dependencies>
DemoClass.java:
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.storage.blob.BlobServiceAsyncClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import com.azure.storage.common.policy.RequestRetryOptions;
import com.azure.storage.common.policy.RetryPolicyType;
import lombok.Data;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.RestController;

@RestController
@Data
@Configuration
@Slf4j
public class Hellocontroller
{
    @Value("${spring.cloud.azure.storage.blob.credential.client-id}")
    private String clientId;
    @Value("${spring.cloud.azure.storage.blob.credential.client-secret}")
    private String clientSecret;
    @Value("${spring.cloud.azure.storage.blob.profile.tenant-id}")
    private String tenantId;
    @Value("${spring.cloud.azure.storage.blob.endpoint}")
    private String storageEndpoint;
    @Value("${spring.cloud.azure.storage.blob.container-name}")
    private String storageContainer;

    // Builder pre-configured with the service-principal credential and the account endpoint.
    @Bean
    public BlobServiceClientBuilder blobServiceClientBuilder() {
        return new BlobServiceClientBuilder()
                .credential(getAzureClientCredentials())
                .endpoint(getStorageEndpoint());
    }

    // Client-credentials flow: the app authenticates to Entra ID with its own client secret.
    private ClientSecretCredential getAzureClientCredentials() {
        return new ClientSecretCredentialBuilder()
                .clientId(clientId)
                .clientSecret(clientSecret)
                .tenantId(tenantId)
                .build();
    }

    // "<storageId>" is a placeholder for the storage account name substituted into the endpoint.
    public String getStorageEndpoint() {
        return storageEndpoint.replace("{STORAGE-ID}", "<storageId>");
    }

    @Bean(name = "blobServiceAsyncClient")
    public BlobServiceAsyncClient blobServiceAsyncClient(
            BlobServiceClientBuilder blobServiceClientBuilder) {
        // Exponential retry: up to 5 tries, 200 s per try, default delays, no secondary host.
        return blobServiceClientBuilder.retryOptions(
                new RequestRetryOptions(
                        RetryPolicyType.EXPONENTIAL,
                        5,
                        200,
                        null,
                        null,
                        null)).buildAsyncClient();
    }
}
(or)
You can also define the client credentials directly in main():
package com.example.demo;

import java.util.Locale;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import com.azure.core.credential.TokenCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.storage.blob.BlobClient;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobContainerClientBuilder;

@SpringBootApplication
public class DemoApplication {
    public static void main(String[] args) {
        String accountName = "<storage_account_name>";
        String containerName = "<container_name>";
        String blobName = "<blob_name>";
        String clientSecret = "<client_secret>";
        String clientId = "<client_id>";
        String tenantId = "<tenant_id>";

        // Service-principal credential (client-credentials flow against Entra ID).
        TokenCredential credential = new ClientSecretCredentialBuilder()
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        // The account name is substituted into the %s placeholder of the endpoint.
        String endpoint = String.format(Locale.ROOT, "https://%s.blob.core.windows.net", accountName);

        BlobContainerClient containerClient = new BlobContainerClientBuilder()
                .endpoint(endpoint)
                .credential(credential)
                .containerName(containerName)
                .buildClient();

        // Download the blob
        String destinationPath = "C:\\Users\\XX\\sample.txt";
        BlobClient blobClient = containerClient.getBlobClient(blobName);
        blobClient.downloadToFile(destinationPath, true);
        System.out.println("Downloaded successfully");
    }
}
Assign your application the Storage Blob Data Reader and Storage Blob Data Contributor roles to perform blob-related operations.
References:
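The question asks what bean to create around DefaultAzureCredentialBuilder; the answer above instead wires a ClientSecretCredential from properties. The following is an added example (not code from the question, the answer, or the Azure SDK project) that keeps the answer's endpoint and container-name properties but removes the client secret from configuration entirely: DefaultAzureCredential resolves a managed identity when the app runs in Azure, and falls back to the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables or a developer tool login elsewhere. The class names BlobClientConfig and BlobDownloadService and the property app.storage.managed-identity-client-id are assumptions made for this example.

```java
package com.example.demo;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.storage.blob.BlobContainerClient;
import com.azure.storage.blob.BlobServiceClient;
import com.azure.storage.blob.BlobServiceClientBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;

// Hypothetical configuration class (added example). Only non-secret values live in
// application.properties:
//   spring.cloud.azure.storage.blob.endpoint=https://<storage_account_name>.blob.core.windows.net
//   spring.cloud.azure.storage.blob.container-name=files
// No client-secret property exists: the identity comes from the credential chain.
@Configuration
public class BlobClientConfig {

    @Value("${spring.cloud.azure.storage.blob.endpoint}")
    private String endpoint;

    @Value("${spring.cloud.azure.storage.blob.container-name}")
    private String containerName;

    // Optional (assumed property): client id of a user-assigned managed identity.
    // Empty means "use the system-assigned identity or the local fallbacks".
    @Value("${app.storage.managed-identity-client-id:}")
    private String managedIdentityClientId;

    // One credential bean shared by every Azure client. In Azure (App Service, AKS, VM)
    // the chain picks the managed identity, so no secret is ever stored or rotated by hand.
    // Locally it uses AZURE_* environment variables or the Azure CLI / IDE login.
    @Bean
    public TokenCredential storageCredential() {
        DefaultAzureCredentialBuilder builder = new DefaultAzureCredentialBuilder();
        if (!managedIdentityClientId.isBlank()) {
            builder.managedIdentityClientId(managedIdentityClientId);
        }
        return builder.build();
    }

    // Container-scoped client built from the endpoint, not from a connection string.
    // The SDK requests a token for https://storage.azure.com/ and attaches it as a bearer token.
    @Bean
    public BlobContainerClient blobContainerClient(TokenCredential credential) {
        BlobServiceClient service = new BlobServiceClientBuilder()
                .endpoint(endpoint)
                .credential(credential)
                .buildClient();
        return service.getBlobContainerClient(containerName);
    }
}

// Hypothetical service (added example) that performs the download from the question.
@Service
class BlobDownloadService {

    private final BlobContainerClient container;

    BlobDownloadService(BlobContainerClient container) {
        this.container = container;
    }

    // Equivalent of the question's downloadContent().block().toBytes(), on the sync client.
    byte[] download(String blobName) {
        return container.getBlobClient(blobName).downloadContent().toBytes();
    }
}
```

With this wiring the token is obtained by the SDK before each request, so no manual handling of the 401 challenge is needed. If the call instead fails with 403 AuthorizationPermissionMismatch, the identity authenticated fine but lacks a data-plane role on the account or container; that is the case the answer's last sentence covers, and Storage Blob Data Reader is enough for a download-only path.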