如何使用python中的Azure存储Blob对用户进行身份验证? [英] How do I authenticate a user against an Azure storage blob in python?

问题描述

我正在寻找一种针对Azure blob容器对用户进行身份验证的方法.使用存储帐户的访问密钥，示例代码(是的，新手警报)可以很好地工作，但是感觉很不舍得像是将所有存储帐户的全部控制权交给任何窃取凭据的人一样.

I'm looking for a way to authenticate a user against an Azure blob container. The sample code (yep, newbie alert) works just fine, using an access key for the storage account, but that feels uncomfortably like giving away full control of the entire storage account to anyone who steals the credentials.

身份验证示例(来自 https://azure.microsoft.com/zh-CN/resources/samples/storage-python-getting-started/)如下所示:

The auth sample (from https://azure.microsoft.com/en-us/resources/samples/storage-python-getting-started/) looks like this:

block_blob_service = BlockBlobService(account_name='<acc>', account_key='<key>')

我在Active Directory中设置了一个服务用户，该用户在存储帐户中的角色限制了对Blob容器的使用；除了将新项目写入一个特定的容器外，它什么也不做.

I have a service user set up in Active Directory with a role in the storage account restricting its use of the blob container; it's intended to do nothing but write new items into one specific container.

我想在python脚本中使用该用户的凭据，以便在泄漏时无法访问其他存储资源.是否有一种基于资源/标识组合生成访问密钥的方法，或实现该目的的类似方法?我一直在浏览Azure Python API文档，但没有取得任何进展.

I'd like to use that user's credentials in the python script so that if it leaks, there's no access to other storage resources. Is there a way to generate an access key based on a resource/id combination, or similar way to achieve that? I've been browsing the Azure Python API docs, but not making any headway.

我已经取得了一些进展.我创建了具有适当IAM限制的服务主体.当我打电话给我时，这似乎已成功登录:

I've made a little progress. I've created a service principal with appropriate IAM restrictions. That appears to log in successfully when I call this:

credentials = ServicePrincipalCredentials( client_id=<>, secret=<>, tenant=<>)
print(credentials)

哪个给了我一个对象

<msrestazure.azure_active_directory.ServicePrincipalCredentials object at 0x7f34f52668d0>

如果我给它不正确的凭据，则会出现错误.所以，太好了，我有一个凭据对象.怎么办?我找不到将其输入BlockBlobService的方法.

And an error if I give it incorrect credentials. So, great, I have a credentials object. Now what? I can't find a way to feed it into BlockBlobService.

推荐答案

您可以参考此

You could refer to this article to authenticate with Azure Active Directory from an application for access to blobs.

1. 2. 3.Python代码:

3.Python code:

import adal
from azure.storage.blob import (
    BlockBlobService,
    ContainerPermissions,
)
from azure.storage.common import (
    TokenCredential
)

RESOURCE = "https://storage.azure.com/"
clientId = "***"
clientSecret = "***="
tenantId = "***"
authority_url = "https://login.microsoftonline.com/" + tenantId

print(authority_url)
context = adal.AuthenticationContext(authority_url)

token = context.acquire_token_with_client_credentials(
    RESOURCE,
    clientId,
    clientSecret)
print(token)

tokenCre = TokenCredential(token["accessToken"])

blobService = BlockBlobService(account_name="***", token_credential=tokenCre)

blobService.list_blobs(container_name="***")
for i in blobService.list_blobs(container_name="***"):
    print(i.properties.name)

这篇关于如何使用python中的Azure存储Blob对用户进行身份验证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！