我已从门户内创建了 SAS token ,一切正常,我可以访问私有(private) blob。
我正在尝试使用此函数动态创建新的 SAS token :
function generateSasToken($uri, $sasKeyName, $sasKeyValue)
{
$targetUri = strtolower(rawurlencode(strtolower($uri)));
$expires = time();
$expiresInMins = 60;
$week = 60*60*24*7;
$expires = $expires + $week;
$toSign = $targetUri . "\n" . $expires;
$signature = rawurlencode(base64_encode(hash_hmac('sha256',
$toSign, $sasKeyValue, TRUE)));
$token = "SharedAccessSignature sr=" . $targetUri . "&sig=" . $signature . "&se=" . $expires . "&skn=" . $sasKeyName;
return $token;
}
这确实会生成 SAS token ,但其格式与从门户生成的帐户范围略有不同。
当尝试使用 token 时,我收到错误:
<Error>
<Code>AuthenticationFailed</Code>
<Message>
Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. RequestId:1d65690e-e01e-00a6-3d3f-b505c1000000 Time:2018-03-06T11:40:20.5662128Z
</Message>
<AuthenticationErrorDetail>Signature fields not well formed.</AuthenticationErrorDetail>
</Error>
正确工作的帐户范围 SAS 具有以下格式:
?sv=2017-07-29&ss=b&srt=sco&sp=rwdlac&se=2019-03-03T04:26:37Z&st=2018-03-02T20:26:37Z&spr=https&sig=LjxZDst%2F1Ec745%2BMpZ8PueQErDCySr%2BQLRV1UKBtEGE%3D
失败的函数生成的 SAS token 具有以下格式:
SharedAccessSignature
sr=<URL>%2fnewteamofficialfc%2fsummarydata.csv&sig=8cURAqmkXFVbq7CYyfk3BsXZJ0dJbHwNhiwJ1jL8jMA%3D&se=1520941694&skn=key2
最佳答案
使用最新版本的 PHP API(2020 年 8 月),您可以使用以下类来生成 SAS。您所需要的只是:
- 帐户名称
- 帐户 key
- 容器名称
- Blob 名称
use MicrosoftAzure\Storage\Common\Internal\Resources;
$sas_helper = new MicrosoftAzure\Storage\Blob\BlobSharedAccessSignatureHelper($_ENV['azure_account_name'], $_ENV['azure_account_key']);
$sas = $sas_helper->generateBlobServiceSharedAccessSignatureToken(
Resources::RESOURCE_TYPE_BLOB, # Resource name to generate the canonicalized resource. It can be Resources::RESOURCE_TYPE_BLOB or Resources::RESOURCE_TYPE_CONTAINER
"{$container}/{$blob}", # The name of the resource, including the path of the resource. It should be {container}/{blob}: for blobs.
"r", # Signed permissions.
(new \DateTime())->modify('+10 minute'), # Signed expiry
(new \DateTime())->modify('-5 minute'), # Signed start
'', # Signed IP, the range of IP addresses from which a request will be accepted, eg. "168.1.5.60-168.1.5.70"
'https', # Signed protocol, should always be https
);
echo "https://{$_ENV['azure_account_name']}.blob.core.windows.net/{$container}/{$blob}?{$sas}";
将 $_ENV 变量替换为您访问 API key 的首选方法。
要了解有关上面内容的更多信息,请查看此处: https://learn.microsoft.com/en-us/rest/api/storageservices/create-service-sas#service-sas-example
关于php - Azure - 从 PHP 为 Blob 生成 SAS token ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/49130174/