If you want to access the Azure Blob REST API with Azure AD auth, please refer to the following steps:
- Assign the Storage Blob Data Contributor role to the AD user or service principal. For more details, please refer to here and here

```bash
az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee "<assignee: object id, user sign-in name, or service principal name>" \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"
```
- Get Azure AD token
If you use a service principal, we can get an access token with the following API. But please note that if you call the REST API in a React application, you will get a CORS error, and we cannot enable CORS on Azure AD. So I suggest you call the REST API in a back-end application.
```http
POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=<client-id>
&scope=https://storage.azure.com/.default
&client_secret=<client-secret>
&grant_type=client_credentials
```
If you use an Azure AD user, you can integrate Azure AD auth in your React application with the package react-aad-msal. Regarding how to configure it, please refer to the sample.
- Call the API
```js
import axios from 'axios';

try {
  // List the containers in the account, authenticating with the Azure AD bearer token.
  const azureRes = await axios({
    method: 'GET',
    url: 'https://<accountname>.blob.core.windows.net/?comp=list',
    headers: {
      'x-ms-version': '2017-11-09',
      Authorization: 'Bearer <access_token>'
    }
  });
  console.log('azureRes', azureRes);
} catch (err) {
  console.log('err:', err);
}
```
Update
Regarding how to create a SAS token, please refer to the following code:
- Install the package crypto-js

```bash
npm install crypto-js
```

- Code
```js
import * as CryptoJS from 'crypto-js';

const accountName = '<account-name>';
// Base64 storage account key. It grants full access to the account.
const key = '<account-key>';

// start is computed but not signed: the signed start field below is left empty.
const start = new Date(new Date().getTime() - (15 * 60 * 1000));
const end = new Date(new Date().getTime() + (30 * 60 * 1000));
const signedpermissions = 'rwdlac';
const signedservice = 'b';
const signedresourcetype = 'sco';
const signedexpiry = end.toISOString().substring(0, end.toISOString().lastIndexOf('.')) + 'Z';
const signedProtocol = 'https';
const signedversion = '2018-03-28';

// Account SAS string-to-sign; the two empty lines are signed start and signed IP.
const StringToSign =
  accountName + '\n' +
  signedpermissions + '\n' +
  signedservice + '\n' +
  signedresourcetype + '\n' +
  '\n' +
  signedexpiry + '\n' +
  '\n' +
  signedProtocol + '\n' +
  signedversion + '\n';

// HMAC-SHA256 over the string-to-sign, keyed with the decoded account key.
const str = CryptoJS.HmacSHA256(StringToSign, CryptoJS.enc.Base64.parse(key));
const sig = CryptoJS.enc.Base64.stringify(str);

const sasToken = `sv=${signedversion}&ss=${signedservice}&srt=${signedresourcetype}&sp=${signedpermissions}&se=${encodeURIComponent(signedexpiry)}&spr=${signedProtocol}&sig=${encodeURIComponent(sig)}`;
const blobUrl = `<your blob URL>?${sasToken}`;
```
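
The SAS code above signs a token with every permission (`rwdlac`) across all resource types (`sco`). As an added example that is not part of the original answer, the following Node.js code builds the same account SAS with the built-in `crypto` module and audits a token against a policy; the account name, key, policy values and function names are constructed for illustration.

```javascript
// Added example, not part of the original answer. Uses Node's built-in crypto.
const { createHmac } = require('node:crypto');

// Account SAS string-to-sign for service version 2018-03-28, same field
// order as the answer's code: signed start and signed IP are left empty.
function signAccountSas(account, keyB64, f) {
  const stringToSign = [account, f.sp, f.ss, f.srt, '', f.se, '', f.spr, f.sv].join('\n') + '\n';
  return createHmac('sha256', Buffer.from(keyB64, 'base64')).update(stringToSign).digest('base64');
}

function buildSasToken(account, keyB64, f) {
  const q = new URLSearchParams({ sv: f.sv, ss: f.ss, srt: f.srt, sp: f.sp, se: f.se, spr: f.spr });
  q.set('sig', signAccountSas(account, keyB64, f));
  return q.toString(); // URLSearchParams percent-encodes ':' '+' '/' '='
}

// Flag token fields that exceed a policy. The policy values are assumptions
// chosen for this example, not Azure defaults.
function auditSasToken(token, now, policy) {
  const q = new URLSearchParams(token);
  const findings = [];
  const extraPerms = [...(q.get('sp') || '')].filter((p) => !policy.permissions.includes(p));
  if (extraPerms.length) findings.push(`permissions beyond policy: ${extraPerms.join('')}`);
  const extraTypes = [...(q.get('srt') || '')].filter((t) => !policy.resourceTypes.includes(t));
  if (extraTypes.length) findings.push(`resource types beyond policy: ${extraTypes.join('')}`);
  if (q.get('spr') !== 'https') findings.push('HTTP allowed');
  const minutes = (new Date(q.get('se') || NaN) - now) / 60000;
  if (!(minutes <= policy.maxMinutes)) findings.push('expiry beyond policy');
  return findings;
}

// Constructed inputs: a fake key and a fixed clock so the output is repeatable.
const FAKE_KEY = Buffer.from('constructed-demo-key-not-a-real-one').toString('base64');
const NOW = new Date('2024-01-01T00:00:00Z');
const POLICY = { permissions: 'rl', resourceTypes: 'co', maxMinutes: 15 };
const base = { sv: '2018-03-28', ss: 'b', spr: 'https' };

// The answer's settings (rwdlac over sco, 30 minutes) versus a read/list token.
const broadToken = buildSasToken('demoaccount', FAKE_KEY,
  { ...base, sp: 'rwdlac', srt: 'sco', se: '2024-01-01T00:30:00Z' });
const narrowToken = buildSasToken('demoaccount', FAKE_KEY,
  { ...base, sp: 'rl', srt: 'co', se: '2024-01-01T00:10:00Z' });

console.log(auditSasToken(broadToken, NOW, POLICY));
console.log(auditSasToken(narrowToken, NOW, POLICY));
```

Signing requires the storage account key, so this belongs in the back-end application, the same place the answer suggests for the token request.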