Azure Blob SAS with IP range restriction

Repost. Author: 行者123. Updated: 2023-12-03 02:53:34

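I am trying to create a SAS URI/token to allow downloading my Azure Storage blobs.

I want to do this at the blob level so that I don't inadvertently grant access to unintended resources.

The code I currently use to do this is: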

public static string GetBlobSasUri(string containerName, string reference)
{
    // Create the CloudBlobContainer object
    CloudBlobContainer container = blobClient.GetContainerReference(containerName);
    container.CreateIfNotExists();

    // Get a reference to a blob within the container.
    CloudBlockBlob blob = container.GetBlockBlobReference(reference);

    // Set the expiry time and permissions for the blob.
    // In this case, the start time is specified as a few minutes in the past, to mitigate clock skew.
    // The shared access signature will be valid immediately.
    SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
    sasConstraints.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
    sasConstraints.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMonths(1);
    sasConstraints.Permissions = SharedAccessBlobPermissions.Read;

    // Generate the shared access signature on the blob, setting the constraints directly on the signature.
    string sasBlobToken = blob.GetSharedAccessSignature(sasConstraints);

    // Return the URI string for the blob, including the SAS token.
    return blob.Uri + sasBlobToken;
}

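This is largely based on the example in the documentation here:

Generate a shared access signature URI for a blob

This works. However, I have seen in other SAS documentation that it is also possible to restrict access to a specific IP range:

Service SAS Uri Example

My understanding of SAS tokens is that the signature signs all of the parameters, so I don't think it is as simple as appending my IP range to the SAS URI returned from the code I pasted above, because the signature would then not match.

However, SharedAccessBlobPolicy has only three fields: the access start/end times and the permissions. I don't see anything about IP ranges.

Is it possible to set these allowed ranges when generating the SAS URI at the blob level (rather than for the full account)?

Best answer

Please use the following code: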

// Namespaces used: Microsoft.WindowsAzure.Storage, Microsoft.WindowsAzure.Storage.Auth,
// Microsoft.WindowsAzure.Storage.Blob
public static string GetBlobSasUri(string ipAddressFrom, string ipAddressTo)
{
    CloudStorageAccount storageAccount = new CloudStorageAccount(new StorageCredentials("account_name", "account_key"), true);
    CloudBlobClient cloudBlobClient = storageAccount.CreateCloudBlobClient();
    var cloudBlobContainer = cloudBlobClient.GetContainerReference("test-1");

    cloudBlobContainer.CreateIfNotExists();

    CloudBlockBlob blob = cloudBlobContainer.GetBlockBlobReference("a.txt");

    // The allowed source range becomes the sip parameter, which is covered by the signature.
    var ipAddressRange = new IPAddressOrRange(ipAddressFrom, ipAddressTo);

    var sasBlobToken = blob.GetSharedAccessSignature(new SharedAccessBlobPolicy()
    {
        // Read is the permission needed to download a blob; List applies only to container-level SAS.
        Permissions = SharedAccessBlobPermissions.Read,
        SharedAccessExpiryTime = new DateTimeOffset(DateTime.UtcNow.AddHours(1))
    }, null, null, null, ipAddressRange);

    // Return the blob URI including the SAS token.
    return blob.Uri + sasBlobToken;
}
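
An added check, not part of the original question or answer: a Python script that parses a blob SAS URL of the kind the functions above return and reports whether it is blob-scoped (sr=b), read-only (sp=r), IP-restricted (sip), HTTPS-only (spr) and short-lived. The function names, the 24-hour lifetime limit and the sample URLs are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# SAS timestamps are UTC in one of these ISO 8601 forms.
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def _parse_time(value):
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS time: %r" % value)


def audit_blob_sas(url, max_lifetime=timedelta(hours=24), now=None):
    """Return findings for a service SAS URL; an empty list means it passed."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if q.get("sr") != "b":
        findings.append("sr=%s: not scoped to a single blob" % q.get("sr"))
    if q.get("sp") != "r":
        findings.append("sp=%s: permissions are not read-only" % q.get("sp"))
    if "sip" not in q:
        findings.append("no sip: accepted from any source address")
    if q.get("spr") != "https":
        findings.append("spr is not https: plain HTTP requests are accepted")
    if "se" not in q:
        findings.append("no se: expiry comes from a stored access policy")
    else:
        # Without st the token is valid from now, so measure from the current time.
        start = _parse_time(q["st"]) if "st" in q else (now or datetime.now(timezone.utc))
        if _parse_time(q["se"]) - start > max_lifetime:
            findings.append("lifetime exceeds %s" % max_lifetime)
    return findings


# Constructed sample URLs (placeholder account, signature and addresses).
BASE = "https://exampleaccount.blob.core.windows.net/test-1/a.txt?sv=2018-03-28&sr=b&sp=r"
WEAK = BASE + "&st=2023-12-03T02:48:34Z&se=2024-01-03T02:53:34Z&sig=CONSTRUCTED"
TIGHT = BASE + ("&sip=203.0.113.10-203.0.113.20&spr=https"
                "&st=2023-12-03T02:48:34Z&se=2023-12-03T03:53:34Z&sig=CONSTRUCTED")

if __name__ == "__main__":
    for name, url in (("WEAK", WEAK), ("TIGHT", TIGHT)):
        print(name, audit_blob_sas(url) or "ok")
```

WEAK mirrors the one-month, unrestricted token from the question; TIGHT mirrors a one-hour token with an IP range as in the answer, plus an HTTPS-only setting.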

Regarding Azure Blob SAS with IP range restriction, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54545136/
