Problem description
I've read several posts regarding similar queries, like this one, but I keep getting 403.
Initially I wrote code in Visual Studio - an Azure function accessing a storage blob - and everything runs fine. But when I deploy the very same function, it throws 403! I tried the suggestions, moving to x64 etc. and removing additional files, but nothing works.
Please note - I have verified several times - the access key is correct and valid.
So, I did all of the following:
(1) - I wrote a simple Azure function on Portal itself (to rule out the deployment quirks), and voila, same 403!
var storageConnection = "DefaultEndpointsProtocol=https;AccountName=[name];AccountKey=[key1];EndpointSuffix=core.windows.net";
var cloudStorageAccount = CloudStorageAccount.Parse(storageConnection);
var blobClient = cloudStorageAccount.CreateCloudBlobClient();
var sourceContainer = blobClient.GetContainerReference("landing");
// Get the blob from the container reference created above.
CloudBlockBlob blob = sourceContainer.GetBlockBlobReference("a.xlsx");
using (var inputStream = new MemoryStream())
{
    log.Info($"Current DateTime: {DateTime.Now}");
    log.Info("Starting download of blob...");
    blob.DownloadToStream(inputStream); // <--- 403 thrown here!!
    log.Info("Download Complete!");
}
(2) - I verified the date time by logging it, and it's UTC on the function server
(3) - I used Account SAS key, generated on portal, but still gives 403. I had waited for over 30 seconds after SAS key generation, to ensure that the SAS key propagates.
var sasUri = "https://[storageAccount].blob.core.windows.net/?sv=2017-11-09&ss=b&srt=sco&sp=rwdlac&se=2019-07-31T13:08:46Z&st=2018-09-01T03:08:46Z&spr=https&sig=Hm6pA7bNEe8zjqVelis2y842rY%2BGZg5CV4KLn288rCg%3D";
StorageCredentials accountSAS = new StorageCredentials(sasUri);
var cloudStorageAccount = new CloudStorageAccount(accountSAS, "[storageAccount]", endpointSuffix: null, useHttps: true);
// rest of the code same as (1)
(4) - I generated the SAS key on the fly in code, but again 403.
static string GetContainerSasUri(CloudBlobContainer container)
{
    // Set the start time, expiry time and permissions for the container.
    // The start time is set five minutes in the past and the expiry 25 minutes ahead.
    SharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
    sasConstraints.SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5);
    sasConstraints.SharedAccessExpiryTime = DateTimeOffset.UtcNow.AddMinutes(25);
    sasConstraints.Permissions = SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.Add | SharedAccessBlobPermissions.Create;
    // Generate the shared access signature on the container, setting the constraints directly on the signature.
    string sasContainerToken = container.GetSharedAccessSignature(sasConstraints);
    // Return the URI string for the container, including the SAS token.
    return container.Uri + sasContainerToken + "&comp=list&restype=container";
}
and used the above as
var sourceContainer = blobClient.GetContainerReference("landing");
var sasKey = GetContainerSasUri(sourceContainer);
var container = new CloudBlobContainer(new Uri(sasKey));
CloudBlockBlob blob = container.GetBlockBlobReference("a.xlsx");
I completely fail to understand why the code works flawlessly when running from Visual Studio, accessing the storage (not emulator) on cloud, but when same is either deployed or run explicitly on the portal, it fails to run.
What am I missing here?
Recommended answer
Since you have excluded many possible causes, the only way I can reproduce your problem is to configure Firewall on Storage Account.
Locally the code works as you may have added your local IP into White List while this step was omitted for Function. On portal, go to Resource Explorer under Platform features. Search outboundIpAddresses and add those (usually four) IPs into Storage Account White List.
If you have added Function IPs but still get 403 error, check location of Storage and Function app. If they live in the same region (like both in Central US), the two communicate in an internal way without going through outboundIpAddresses. A workaround I can offer is to create a Storage in a different region if Firewall is necessary in your plan. Otherwise just allow all networks to Storage.
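The check described in the answer, as an added Python example that is not part of the original answer: it compares a Function app's outboundIpAddresses with the storage account's firewall IP rules, reports the addresses that are not allowed, and flags the same-region case. The two dictionaries are constructed sample data shaped like the ARM resource JSON; the function name audit and all IP values are assumptions.

```python
import ipaddress

# Constructed sample data shaped like ARM resource JSON (not from the page).
FUNCTION_APP = {
    "location": "Central US",
    "properties": {
        "outboundIpAddresses": "203.0.113.10,203.0.113.11,198.51.100.7,198.51.100.8"
    },
}
STORAGE_ACCOUNT = {
    "location": "East US",
    "properties": {"networkAcls": {
        "defaultAction": "Deny",  # "Deny" means the storage firewall is on
        "ipRules": [{"value": "203.0.113.0/28", "action": "Allow"},
                    {"value": "198.51.100.7", "action": "Allow"}],
    }},
}

def _region(resource):
    # "Central US" and "centralus" name the same region.
    return resource["location"].replace(" ", "").lower()

def audit(function_app, storage_account):
    """Report which Function outbound IPs the storage firewall does not allow."""
    acls = storage_account["properties"].get("networkAcls", {})
    result = {
        "firewall_enabled": acls.get("defaultAction", "Allow") == "Deny",
        "same_region": _region(function_app) == _region(storage_account),
        "missing_ips": [],
    }
    if not result["firewall_enabled"]:
        return result  # all networks allowed, no IP rule is needed
    # An IP rule may be a single address or a CIDR range.
    allowed = [ipaddress.ip_network(rule["value"], strict=False)
               for rule in acls.get("ipRules", [])
               if rule.get("action", "Allow") == "Allow"]
    raw = function_app["properties"].get("outboundIpAddresses", "")
    for ip in filter(None, (part.strip() for part in raw.split(","))):
        if not any(ipaddress.ip_address(ip) in net for net in allowed):
            result["missing_ips"].append(ip)
    return result

if __name__ == "__main__":
    report = audit(FUNCTION_APP, STORAGE_ACCOUNT)
    print(report)
    if report["firewall_enabled"] and report["same_region"]:
        print("Same region: per the answer, traffic may bypass outboundIpAddresses.")
```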