如何使用 powershell 为带有共享密钥的 Azure 文件共享构建授权标头

Question

我正在尝试使用共享密钥作为身份验证从 Azure File share rest api 获取共享统计信息，但似乎无法弄清楚授权标头

$storageAccount = 'XXXX'
$key = 'XXXXXXXX'
$resource = 'FileShare'

$sharedKey = [System.Convert]::FromBase64String($Key)
$date = [System.DateTime]::UtcNow.ToString("R")

$stringToSign = "GET`n`n`n`n`n`n`n`n`n`n`n`nx-ms-date:$date`nx-ms-type:file`nx-ms-version:2017-04-17`n/$storageAccount/$resource`nrestype:share"

$hasher = New-Object System.Security.Cryptography.HMACSHA256
$hasher.Key = $sharedKey

$signedSignature = [System.Convert]::ToBase64String($hasher.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($stringToSign)))

$authHeader = "SharedKey ${StorageAccount}:$signedSignature"

$headers = @{"x-ms-date"=$date
             "x-ms-version"="2009-09-19"
             "Authorization"=$authHeader}
$URI = "https://$storageAccount.file.core.windows.net/FileShare?restype=share&comp=stats"

$sharestats = Invoke-RestMethod -method GET -Uri  $URI -Headers $headers


Getting following error


Invoke-RestMethod : AuthenticationFailedServer failed to authenticate the 
request. Make sure the value of Authorization header is formed correctly 
including the signature.
RequestId:775d1220-801a-0183-1c21-813f18000000
Time:2020-09-02T12:06:23.5857168ZThe MAC signature found in the HTTP request 
'ZIDwiCzzRcqJuIUbtGXUSC+jZ1tXgwnyZaIH12FXXXX=' is not the same as any computed 
signature. Server used following string to sign: 'GET
x-ms-date:Wed, 02 Sep 2020 12:06:23 GMT
x-ms-version:2009-09-19
/storageaccount/fileshare
comp:stats
restype:share'.
At line:30 char:15
+ ... harestats = Invoke-RestMethod -method GET -Uri  $URI -Headers $header ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:Htt 
   pWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShe 
   ll.Commands.InvokeRestMethodCommand

参考：https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-shared-key 和https://docs.microsoft.com/en-us/rest/api/storageservices/get-share-stats

Answer 1

根据错误信息，你应该删除“x-ms-type:file”并在stringToSign 中添加comp:stats。

例如

$storageAccount = "andyprivate"
$accesskey = "h4pP1fe76m8hdksFW3TvkO6hgw09Mjue7yJOnULPI/g2eU8LGJ+a6k6SrU6dUkOU77waZfU8CacyVMlTWAUA5A==";
$resource = 'share2'
$version="2017-04-17"

$date = [System.DateTime]::UtcNow.ToString("R",[Globalization.CultureInfo]::InvariantCulture)

$stringToSign = "GET`n`n`n`n`n`n`n`n`n`n`n`n"+
           "x-ms-date:$date`nx-ms-version:$version`n" +
           "/$storageAccount/$resource`ncomp:stats`nrestype:share" 
$hmacsha = New-Object System.Security.Cryptography.HMACSHA256
$hmacsha.key = [Convert]::FromBase64String($accesskey)
$signature = $hmacsha.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign))
$signature = [Convert]::ToBase64String($signature)

$headers=@{"x-ms-date"=$date;
           "x-ms-version"= $version;
           "Authorization"= "SharedKey $($storageAccount):$signature"
}
$URI = "https://$storageAccount.file.core.windows.net/$($resource)?restype=share&comp=stats"

$response = Invoke-RestMethod $URI -Method 'GET' -Headers $headers -UseBasicParsing

$response