Windows Azure Shared Access Signature always gives: Forbidden 403


Question

I am trying to get a shared access signature for a single blob and then download the blob using the REST API. However, I always get a forbidden 403 error message. Both on storage emulator and the cloud. Here is my code:

CloudStorageAccount storageAccount = CloudStorageAccount.Parse("myConnectionStringHere...");

CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference("containerName");
CloudBlob blob = container.GetBlobReference("blobName");

string sasToken = blob.GetSharedAccessSignature(new SharedAccessPolicy()
            {
                Permissions = SharedAccessPermission.Read,
                SharedAccessExpiryTime = DateTime.UtcNow + TimeSpan.FromHours(24)
            }
            );

string completeUri = string.Format(CultureInfo.InvariantCulture, "{0}{1}", blob.Uri, sasToken);

// now use the uri to make the rest call and download
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(completeUri);
request.Method = "GET";
using (HttpWebResponse resp = (HttpWebResponse)request.GetResponse())
{
    using (Stream s = resp.GetResponseStream())
    {
        using (FileStream fs = new FileStream("test.jpg", FileMode.Create, FileAccess.Write))
        {
            byte[] buffer = new byte[8 * 1024];
            int len;
            while ((len = s.Read(buffer, 0, buffer.Length)) > 0)
            {
                fs.Write(buffer, 0, len);
            }
        }
    }
}

I keep getting the 403 error when invoking GetResponse. Any help appreciated!

Forgot to mention: I am using the latest Azure SDK (2.0)

EDIT 2: I experimented a lot and found a tool called Azure Management Studio. This tool is able to create a SAS token. I did that, and used it with my REST call code. This worked just fine, so the error has to be inside the token creation code I have written. However, the format of the SAS string is exactly the same. I don't know what else to try out.

Recommended answer

A few things I noticed:

  1. You mentioned that you're using SDK 2.0; however, I think you're not using the latest storage client library (2.0.6). From your code, it seems you're still using the old storage client library (1.8). Can you please check in your code whether you're referencing Microsoft.WindowsAzure.StorageClient or Microsoft.WindowsAzure.Storage? If it is the former, then you're using the old library.
  2. If you're using the old storage client library, then please note that with the old storage client library, which makes use of the old Storage REST API, for anonymous SAS tokens (i.e. tokens without a container access policy) you can't specify an expiration time more than 1 hour from the current time (in UTC of course). If I try to use your URL, I get the following error message (under the AuthenticationErrorDetail node):

Access without signed identifier cannot have time window more than 1 hour

Can you try by creating a SAS token which is valid for less than 1 hour? E.g.

var sasToken = blob.GetSharedAccessSignature(new SharedAccessPolicy
    {
        Permissions = SharedAccessPermission.Read,
        SharedAccessExpiryTime = DateTime.UtcNow + TimeSpan.FromMinutes(30)
    }
);

If you continue to want to use the older storage client library, you have a few choices:

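  1. Create a SAS token which is valid for less than one hour, as described above.
  2. Create a SAS token using a container-level access policy. With a container-level access policy, you will be able to define SAS tokens with an expiry time of more than 1 hour. For more information on this, click here: http://msdn.microsoft.com/en-us/library/windowsazure/ee393341.aspx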

If you use the new storage client library, you would be able to define longer duration token without using a container access policy. However there are a lot of differences between the two versions of the library and migration from older to newer version is not trivial. I wrote a blog post some days ago about migrating code from older version to newer version. You can read it here: http://gauravmantri.com/tag/storage-client-library/. Lastly, I wrote a blog post on SAS, which you can read here: http://gauravmantri.com/2013/02/13/revisiting-windows-azure-shared-access-signature/.
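
The 1-hour rule quoted in the answer, written as a pre-flight check on a SAS URL before it is handed out (an added example, not code from the original post or from the Azure SDK). It reads the standard `st`, `se`, `si` and `sig` query parameters; the function name, clock value, host and sample URLs are constructed for illustration, and the limit only applies under the old library and REST API as the answer describes.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_ADHOC_WINDOW = timedelta(hours=1)  # limit quoted in the error text above
NOW = datetime(2013, 5, 1, 10, 0, tzinfo=timezone.utc)  # constructed clock
BASE = "https://storage.example/containerName/blobName"  # constructed host
SAMPLES = {  # constructed SAS URLs; the signatures are placeholders
    "adhoc_24h": BASE + "?se=2013-05-02T10%3A00%3A00Z&sr=b&sp=r&sig=PLACEHOLDER",
    "adhoc_30m": BASE + "?se=2013-05-01T10%3A30%3A00Z&sr=b&sp=r&sig=PLACEHOLDER",
    "policy": BASE + "?sr=b&si=read-24h&sig=PLACEHOLDER",
}


def _parse_time(value):
    """Parse a UTC timestamp such as 2013-05-01T10:00:00Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def check_sas_window(url, now):
    """Return (ok, reason) for a SAS URL under the 1-hour rule.

    `now` is a timezone-aware UTC datetime; it is the start when `st` is absent.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        return False, "not a SAS URL: no sig parameter"
    if "si" in params:
        # Expiry is taken from the container-level access policy, so the
        # limit on tokens without a signed identifier does not apply.
        return True, "signed identifier present"
    if "se" not in params:
        return False, "no expiry (se) and no signed identifier (si)"
    start = _parse_time(params["st"]) if "st" in params else now
    expiry = _parse_time(params["se"])
    if expiry <= now:
        return False, "token already expired"
    window = expiry - start
    if window > MAX_ADHOC_WINDOW:
        return False, "window %s exceeds 1 hour without signed identifier" % window
    return True, "window %s is within 1 hour" % window


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, check_sas_window(url, NOW))
```

The 24-hour token from the question fails this check, while the 30-minute token and the token that references a container-level policy pass.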
