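I want my python script to be able to add new blobs to my azure container. Using Shared Access Signatures (SAS) seems to be the way to go.
But I can't figure out how to use them. I don't want to give the script full access to my azure account by handing it the storage account key, so using SAS and limiting the script's abilities to create and delete, get and list seems fine. But how do I use the token in the script?
This is my test code: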
#!/usr/bin/env python3
import mimetypes

import requests
from azure.storage.blob import BlockBlobService, ContainerPermissions, ContentSettings

# this is only for testing, account key will be removed later
account_name = 'myaccountname'
account_key = 'myaccountkey'
container_name = 'mycontainer'
existing_file = 'existing_file.jpg'
new_file = 'test.jpg'

service = BlockBlobService(
    account_name=account_name,
    account_key=account_key
)

# There are two ways to create a permission
# 1. Assign boolean values to `read`/`add`/`create`/`write`/`delete` operation
# permission = BlobPermissions(read=True, add=True, create=True, write=True, delete=True)
# 2. Just simply assign a string to `_str`(A string representing the permissions) like `racwd` which means assign True to all operation
permission = ContainerPermissions(write=True)
sas = service.generate_container_shared_access_signature(
    container_name=container_name,
    permission=permission,
    protocol='https'
)
print(sas)

# Here begins the real script
service = BlockBlobService(
    account_name=account_name,
    sas_token=sas
)
assert service.exists(container_name=container_name, blob_name=existing_file)
service.create_blob_from_path(
    container_name=container_name,
    blob_name=new_file,
    file_path='./%s' % new_file,
    content_settings=ContentSettings(content_type=mimetypes.guess_type('./%s' % new_file)[0]),
    validate_content=True
)
r = requests.head('https://%s.blob.core.windows.net/%s/%s' % (account_name, container_name, new_file), timeout=2)
assert r.status_code == 200
The service.exists() call fails: azure.common.AzureHttpError: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.

Best answer

As @DavidMakogon said, it sounds like you are referring to the blog. In fact, it is helpful for your question.
According to your description, it seems you already know how to use the methods generate_account_shared_access_signature with AccountPermission, generate_container_shared_access_signature with ContainerPermission, and generate_blob_shared_access_signature with BlobPermission to generate a SAS at the different levels (account, container, blob), like the blob-level code below.
from azure.storage.blob import BlockBlobService, BlobPermissions

account_name = '<your storage account name>'
account_key = '<your storage account key>'
container_name = 'mycontainer'

service = BlockBlobService(account_name=account_name, account_key=account_key)

# There are two ways to create a permission
# 1. Assign boolean values to `read`/`add`/`create`/`write`/`delete` operation
# permission = BlobPermissions(read=True, add=True, create=True, write=True, delete=True)
# 2. Just simply assign a string to `_str`(A string representing the permissions) like `racwd` which means assign True to all operation
permission = BlobPermissions(_str="racwd")
sas = service.generate_blob_shared_access_signature(container_name, 'test.jpg', permission)
print(sas)
To use the SAS to access Azure Blob Storage in a Python script, see below.
- Use the SAS to call the Blob Storage REST API. You can refer to the document Service SAS Examples and append the SAS to the blob URL as query parameters to perform the related operation, as below.

GET https://myaccount.blob.core.windows.net/pictures/profile.jpg?sv=2012-02-12&st=2009-02-09&se=2009-02-10&sr=c&sp=r&si=YWJjZGVmZw%3d%3d&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d HTTP/1.1
Host: myaccount.blob.core.windows.net
x-ms-date: <date>

- Use the SAS with the Azure Storage SDK in a Python script. The constructors of the classes BlockBlobService & BaseBlobService have a parameter sas_token, explained below, to which you can pass the sas value.
sas_token (str) – A shared access signature token to use to authenticate requests instead of the account key. If account key and sas token are both specified, account key will be used to sign. If neither are specified, anonymous access will be used.
For example, the code for BlockBlobService using the SAS is as below.
service = BlockBlobService(account_name=account_name, sas_token=sas)
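
A pre-flight check for a SAS token before handing it to a script, as an added example that is not part of the original question or answer: it reads the query fields shown in the REST example above (`se`, `sp`, `si`, `sig`, plus `spr`) and reports why a token would not cover the operations the script performs. The `NEEDS` mapping and the function names are assumptions made for this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Assumed mapping from script operation to the SAS permission letter it needs.
NEEDS = {"exists": "r", "download": "r", "upload": "w", "delete": "d", "list": "l"}

# Query string of the REST example above (its signature is a sample value).
PAGE_TOKEN = ("sv=2012-02-12&st=2009-02-09&se=2009-02-10&sr=c&sp=r"
              "&si=YWJjZGVmZw%3d%3d&sig=dD80ihBh5jfNpymO5Hg1IdiJIEvHcJpCMiCMnN%2fRnbI%3d")


def parse_expiry(value):
    """Parse `se`, which may be a date or a full UTC timestamp."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised expiry: %r" % value)


def check_sas(token, operations, now=None):
    """Return the reasons `token` is unfit for `operations` (empty list = OK)."""
    now = now or datetime.now(timezone.utc)
    fields = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    problems = []
    if "sig" not in fields:
        problems.append("no sig field")
    # Expiry and permissions must come from the token or a stored policy (si).
    if "si" not in fields:
        problems += ["no %s field and no stored access policy" % f
                     for f in ("se", "sp") if f not in fields]
    if "se" in fields and parse_expiry(fields["se"]) <= now:
        problems.append("expired at " + fields["se"])
    if fields.get("spr") != "https":
        problems.append("plain HTTP not excluded (spr is not 'https')")
    if "sp" in fields:
        problems += ["%s needs '%s', token grants '%s'" % (op, NEEDS[op], fields["sp"])
                     for op in operations if NEEDS[op] not in fields["sp"]]
    return problems


if __name__ == "__main__":
    for line in check_sas(PAGE_TOKEN, ["exists", "upload"]):
        print(line)
```

The check is purely local: it cannot see what a stored access policy referenced by `si` grants, and it does not verify the signature.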
Regarding python - How to give a python script limited access to an azure blob container, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/43071624/