Java 使用rbac服务主体进行身份验证导致403访问群体验证失败。观众不匹配
使用rbac服务主体进行身份验证导致403访问群体验证失败。观众不匹配 我正在尝试授予应用程序对blob存储容器的访问权限,但具有所需的最低权限(读/写) 使用azure cli,我已完成以下步骤来尝试此操作:Java 使用rbac服务主体进行身份验证导致403访问群体验证失败。观众不匹配,java,azure-storage-blobs,adal,azure-cli,adal4j,Java,Azure Storage Blobs,Adal,Azure Cli,Adal4j,使用rbac服务主体进行身份验证导致403访问群体验证失败。观众不匹配 我正在尝试授予应用程序对blob存储容器的访问权限,但具有所需的最低权限(读/写) 使用azure cli,我已完成以下步骤来尝试此操作: az group create -l ${LOCATION} -n ${RESOURCE_GROUP_NAME} az role definition create --role-definition rw-blob-role.json rw-blob-role.json: {
az group create -l ${LOCATION} -n ${RESOURCE_GROUP_NAME}
az role definition create --role-definition rw-blob-role.json
rw-blob-role.json:
{
"assignableScopes": [
"/subscriptions/{{SUBSCRIPTION_ID}}"
],
"description": "Custom role to allow for read and write access to Azure Storage blob containers and data",
"name": "{{APP_RW_ROLE_NAME}}",
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write"
],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
],
"notActions": [],
"notDataActions": []
}
],
"type": "Microsoft.Authorization/roleDefinitions"
}
az ad sp create-for-rbac --name ${AZ_SERVICE_PRINCIPAL_NAME} --password ${APP_CLIENT_SECRET}
az role assignment delete --assignee ${AZ_SERVICE_PRINCIPAL_NAME} --role Contributor
az role assignment create --assignee ${AZ_SERVICE_PRINCIPAL_NAME} --role ${APP_RW_ROLE_NAME}
az storage account create --name ${STORAGE_ACCOUNT_NAME} --resource-group ${RESOURCE_GROUP_NAME} --location ${LOCATION} --kind BlobStorage --sku ${STORAGE_ACCOUNT_SKU} --access-tier ${STORAGE_ACCOUNT_ACCESS_TIER}
az storage container create --name ${BLOB_STORAGE_CONTAINER} --account-name ${STORAGE_ACCOUNT_NAME} --public-access off
在此基础上,我保存以下属性供我的应用程序使用:-租户ID=“$(az帐户显示--输出tsv--查询租户ID)”
-CLIENT_ID=“$(az ad sp list--spn${az_SERVICE_PRINCIPAL_NAME}--输出tsv--query[0].appId)”
-客户端密码:${APP\u Client\u secret}
-资源:${AZ_服务_主体_名称}
-存储帐户名称:${Storage\u Account\u name}
-容器名称:${BLOB\U存储\U容器} 我使用com.microsoft.azure:adal4j获取令牌:
public AuthenticationResult getToken() {
ExecutorService service = Executors.newFixedThreadPool(1);
ClientCredential credential = new ClientCredential(CLIENT_ID, APP_CLIENT_SECRET);
String authorityTenantUrl = String.format(https://login.microsoftonline.com/%s/oauth2/token, TENANT_ID);
AuthenticationContext context;
AuthenticationResult result;
try {
context = new AuthenticationContext(authorityTenantUrl, true, service);
Future<AuthenticationResult> future = context.acquireToken(AZ_SERVICE_PRINCIPAL_NAME, credential, null);
result = future.get();
} catch (Exception e) {
throw new RuntimeException(e);
} finally {
service.shutdown();
}
if (result == null) {
throw new RuntimeException("authentication result was null");
}
return result;
}
这会导致StorageException:
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.</Message>
<AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail>
</Error>
我很确定问题在于acquireToken()上传递给adal4j的AZ_服务_主体_名称,但我不知道正确的值是什么。我已尝试在租户广告和服务负责人上使用客户ID和其他属性。您应该使用
https://storage.azure.com/
获取资源的价值
<Error>
<Code>AuthenticationFailed</Code>
<Message>Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.</Message>
<AuthenticationErrorDetail>Audience validation failed. Audience did not match.</AuthenticationErrorDetail>
</Error>