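I have seen many questions about SAS tokens on SE, but none that cover this case.
I created a SAS token with only read and list permissions, which appears to be all that the Microsoft documentation "Create an account SAS: Account SAS permissions by operation" requires for the "List Blobs" and "Get Blob" operations. When I use azcopy to download to an Azure VM (using a public IP allowed by the storage account), I get the error "cannot list blobs".
What permissions does my SAS token need to do this? Shouldn't read and list be enough?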
The SAS token (see the redacted version below) includes:
- SignedServices ss=b: blob
- SignedResourceTypes srt=co: container, object
- SignedPermission sp=rl: read, list
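Note that although I am trying to copy a single file, I am using the --recursive flag as a workaround for an issue unrelated to copying a single file.
Here is the azcopy output (version 10.3.4):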
myazurehost[/home/user]<180> azcopy copy "$AZ_STORAGE_URL/server-backups/backup.tar.gz$AZ_SAS_KEY" /tmp --recursive
INFO: Scanning...
failed to perform copy command due to error: cannot start job due to error: cannot list blobs. Failed with error -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /home/vsts/go/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.7.0/azblob/zc_storage_error.go:42
===== RESPONSE ERROR (ServiceCode=AuthorizationFailure) =====
Description=This request is not authorized to perform this operation.
RequestId:-----------------------------
Time:2020-11-23T15:56:16.0747148Z, Details:
Code: AuthorizationFailure
GET https://mystorageaccount.blob.core.windows.net/server-backups?comp=list&include=metadata&prefix=backup.tar.gz%2F&restype=container&se=2025-11-23t23%3A44%3A28z&sig=-REDACTED-&sp=rl&spr=https&srt=co&ss=b&st=2020-11-23t15%3A44%3A28z&sv=2019-12-12&timeout=901
User-Agent: [AzCopy/10.3.4 Azure-Storage/0.7 (go1.13; linux)]
X-Ms-Client-Request-Id: [-----------------------------]
X-Ms-Version: [2018-03-28]
--------------------------------------------------------------------------------
RESPONSE Status: 403 This request is not authorized to perform this operation.
Content-Length: [246]
Content-Type: [application/xml]
Date: [Mon, 23 Nov 2020 15:56:15 GMT]
Server: [Microsoft-HTTPAPI/2.0]
X-Ms-Error-Code: [AuthorizationFailure]
X-Ms-Request-Id: [-----------------------------]
The exact SAS token (signature redacted):
?sv=2019-12-12&ss=b&srt=co&sp=rl&se=2025-11-23T23:44:28Z&st=2020-11-23T15:44:28Z&spr=https&sig=REDACTED
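An added example, not part of the original post: a small Python decoder for the account SAS fields listed above that checks them against the service, resource type and permission that the account SAS permissions table gives for List Blobs and Get Blob. The function names and the two-entry operation table are illustrative assumptions, and timestamps are assumed to be in the full `YYYY-MM-DDThh:mm:ssZ` form used in the post.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Account SAS field codes (the subset decoded here).
SERVICES = {"b": "blob", "q": "queue", "t": "table", "f": "file"}
RESOURCE_TYPES = {"s": "service", "c": "container", "o": "object"}
PERMISSIONS = {"r": "read", "w": "write", "d": "delete", "l": "list",
               "a": "add", "c": "create", "u": "update", "p": "process"}
# (service, resource type, permission) each operation needs.
OPERATIONS = {"List Blobs": ("b", "c", "l"), "Get Blob": ("b", "o", "r")}

# The token from the post, signature already redacted there.
TOKEN = ("?sv=2019-12-12&ss=b&srt=co&sp=rl&se=2025-11-23T23:44:28Z"
         "&st=2020-11-23T15:44:28Z&spr=https&sig=REDACTED")

def _when(value):
    # azcopy's log lower-cases the timestamps, so normalise before parsing.
    return datetime.strptime(value.upper(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sas(token):
    """Split a SAS query string into its fields; st is optional."""
    q = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    return {"ss": q.get("ss", ""), "srt": q.get("srt", ""), "sp": q.get("sp", ""),
            "start": _when(q["st"]) if "st" in q else None,
            "expiry": _when(q["se"]) if "se" in q else None}

def describe(token):
    """Spell out the single-letter codes, flagging letters not in the tables."""
    sas = parse_sas(token)
    name = lambda codes, table: [table.get(c, "unknown:" + c) for c in codes]
    return {"services": name(sas["ss"], SERVICES),
            "resource_types": name(sas["srt"], RESOURCE_TYPES),
            "permissions": name(sas["sp"], PERMISSIONS)}

def check(token, operation, now):
    """Return the reasons the SAS fields do not cover `operation` at time `now`."""
    sas = parse_sas(token)
    svc, rtype, perm = OPERATIONS[operation]
    problems = []
    if svc not in sas["ss"]:
        problems.append("ss lacks " + SERVICES[svc])
    if rtype not in sas["srt"]:
        problems.append("srt lacks " + RESOURCE_TYPES[rtype])
    if perm not in sas["sp"]:
        problems.append("sp lacks " + PERMISSIONS[perm])
    if sas["start"] and now < sas["start"]:
        problems.append("not yet valid")
    if sas["expiry"] is None or now >= sas["expiry"]:
        problems.append("expired or no expiry")
    return problems
```

An empty list from `check` only means the token's own fields cover the operation at that instant.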