Azure Blob 存储共享访问签名 (SAS) - 签名不匹配
Azure Blob Storage Shared Access Signature (SAS) - Signature did not match
我正在尝试通过将 ARM 模板和参数文件上传到私有 Blob 存储容器来部署 VM,然后在需要时下载它们。文件可以很好地上传到容器中,但是当尝试下载它们时,SAS 令牌无法通过身份验证并给出错误:
Microsoft.Rest.Azure.CloudException:
Unable to download deployment content from 'https://cloudstationsbackendsa.blob.core.windows.net/workstation-templates/CreateVMTemplate.json?sv=2018-03-28&sr=b&sig=GHgWUiEG7bG3%2FDN4cjSsmHGrBTdM8F2LRxNTss5cJB0%3D&st=2019-03-06T11:16:42Z&se=2019-03-06T11:31:42Z&sp=r'
在浏览器中访问此 URL 会产生以下错误:
<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:8e274bc1-101e-0011-3f0c-d45f43000000 Time:2019-03-06T11:03:53.3144543Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was r 2019-03-06T10:58:39Z 2019-03-06T11:13:39Z /blob/cloudstationsbackendsa/workstation-templates/CreateVMTemplate.json 2018-03-28
</AuthenticationErrorDetail>
</Error>
这是用于上传文件和生成 SAS 令牌的方法:
public async Task<StorageAccountAccessDTO> UploadTemplatesAsync(string azureIdentifier)
{
// Access to Storage Account
var account = CloudStorageAccount.Parse(_config.GetValue<string>("ConnectionStrings:StorageAccount"));
var serviceClient = account.CreateCloudBlobClient();
var container = serviceClient.GetContainerReference("workstation-templates");
// Upload VM ARM Template
var templateBlob = container.GetBlockBlobReference("CreateVMTemplate.json");
await templateBlob.UploadFromFileAsync("CreateVMTemplate.json");
// Upload VM ARM Parameters
var parameterBlob = container.GetBlockBlobReference("Parameters.json");
await parameterBlob.UploadFromFileAsync("Parameters.json");
// Create SAS Tokens
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
sasConstraints.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
sasConstraints.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(10);
sasConstraints.Permissions = SharedAccessBlobPermissions.Read;
var accessDTO = new StorageAccountAccessDTO()
{
TemplateURL = templateBlob.Uri + templateBlob.GetSharedAccessSignature(sasConstraints),
ParametersURL = templateBlob.Uri + parameterBlob.GetSharedAccessSignature(sasConstraints)
};
return accessDTO;
}
SAS 令牌附加到 blob 的 URI 并在 StorageAccountAccessDTO 中返回,这被传递到下面的方法中以生成 VM:
public async Task CreateVirtualMachineAsync(string azureIdentifier, StorageAccountAccessDTO accessDTO)
{
await _azure.Deployments.Define("myDeployment")
.WithExistingResourceGroup(azureIdentifier + "-RG")
.WithTemplateLink(accessDTO.TemplateURL, "1.0.0.0")
.WithParametersLink(accessDTO.ParametersURL, "1.0.0.0")
.WithMode(DeploymentMode.Incremental)
.CreateAsync();
}
感谢您抽出时间,如果您需要任何额外的详细信息,请告诉我!
您正在尝试将 templateBlob 的 URL 与 parameterBlob 的签名一起使用。
就在那里:
ParametersURL = templateBlob.Uri + parameterBlob.GetSharedAccessSignature(sasConstraints)
使用正确的变量会更好:
ParametersURL = parameterBlob.Uri + parameterBlob.GetSharedAccessSignature(sasConstraints)
干杯!
我正在尝试通过将 ARM 模板和参数文件上传到私有 Blob 存储容器来部署 VM,然后在需要时下载它们。文件可以很好地上传到容器中,但是当尝试下载它们时,SAS 令牌无法通过身份验证并给出错误:
Microsoft.Rest.Azure.CloudException:
Unable to download deployment content from 'https://cloudstationsbackendsa.blob.core.windows.net/workstation-templates/CreateVMTemplate.json?sv=2018-03-28&sr=b&sig=GHgWUiEG7bG3%2FDN4cjSsmHGrBTdM8F2LRxNTss5cJB0%3D&st=2019-03-06T11:16:42Z&se=2019-03-06T11:31:42Z&sp=r'
在浏览器中访问此 URL 会产生以下错误:
<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:8e274bc1-101e-0011-3f0c-d45f43000000 Time:2019-03-06T11:03:53.3144543Z
</Message>
<AuthenticationErrorDetail>
Signature did not match. String to sign used was r 2019-03-06T10:58:39Z 2019-03-06T11:13:39Z /blob/cloudstationsbackendsa/workstation-templates/CreateVMTemplate.json 2018-03-28
</AuthenticationErrorDetail>
</Error>
这是用于上传文件和生成 SAS 令牌的方法:
public async Task<StorageAccountAccessDTO> UploadTemplatesAsync(string azureIdentifier)
{
// Access to Storage Account
var account = CloudStorageAccount.Parse(_config.GetValue<string>("ConnectionStrings:StorageAccount"));
var serviceClient = account.CreateCloudBlobClient();
var container = serviceClient.GetContainerReference("workstation-templates");
// Upload VM ARM Template
var templateBlob = container.GetBlockBlobReference("CreateVMTemplate.json");
await templateBlob.UploadFromFileAsync("CreateVMTemplate.json");
// Upload VM ARM Parameters
var parameterBlob = container.GetBlockBlobReference("Parameters.json");
await parameterBlob.UploadFromFileAsync("Parameters.json");
// Create SAS Tokens
SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
sasConstraints.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
sasConstraints.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(10);
sasConstraints.Permissions = SharedAccessBlobPermissions.Read;
var accessDTO = new StorageAccountAccessDTO()
{
TemplateURL = templateBlob.Uri + templateBlob.GetSharedAccessSignature(sasConstraints),
ParametersURL = templateBlob.Uri + parameterBlob.GetSharedAccessSignature(sasConstraints)
};
return accessDTO;
}
SAS 令牌附加到 blob 的 URI 并在 StorageAccountAccessDTO 中返回,这被传递到下面的方法中以生成 VM:
public async Task CreateVirtualMachineAsync(string azureIdentifier, StorageAccountAccessDTO accessDTO)
{
await _azure.Deployments.Define("myDeployment")
.WithExistingResourceGroup(azureIdentifier + "-RG")
.WithTemplateLink(accessDTO.TemplateURL, "1.0.0.0")
.WithParametersLink(accessDTO.ParametersURL, "1.0.0.0")
.WithMode(DeploymentMode.Incremental)
.CreateAsync();
}
感谢您抽出时间,如果您需要任何额外的详细信息,请告诉我!
您正在尝试将 templateBlob 的 URL 与 parameterBlob 的签名一起使用。
就在那里:
ParametersURL = templateBlob.Uri + parameterBlob.GetSharedAccessSignature(sasConstraints)
使用正确的变量会更好:
ParametersURL = parameterBlob.Uri + parameterBlob.GetSharedAccessSignature(sasConstraints)
干杯!