
Deploy private Resource Manager template with SAS token and Azure PowerShell

When your template resides in a storage account, you can restrict access to the template and provide a shared access signature (SAS) token during deployment. This topic explains how to use Azure PowerShell with Resource Manager templates to provide a SAS token during deployment.

Add private template to storage account

You can add your templates to a storage account and link to them during deployment with a SAS token.

Important

By following the steps below, the blob containing the template is accessible to only the account owner. However, when you create a SAS token for the blob, the blob is accessible to anyone with that URI. If another user intercepts the URI, that user is able to access the template. Using a SAS token is a good way of limiting access to your templates, but you should not include sensitive data like passwords directly in the template.

The following example sets up a private storage account container and uploads a template:

# create a storage account for templates
New-AzureRmResourceGroup -Name ManageGroup -Location "South Central US"
New-AzureRmStorageAccount -ResourceGroupName ManageGroup -Name {your-unique-name} -Type Standard_LRS -Location "West US"
Set-AzureRmCurrentStorageAccount -ResourceGroupName ManageGroup -Name {your-unique-name}

# create a container and upload template
New-AzureStorageContainer -Name templates -Permission Off
Set-AzureStorageBlobContent -Container templates -File c:\MyTemplates\storage.json

Provide SAS token during deployment

To deploy a private template in a storage account, generate a SAS token and include it in the URI for the template. Set the expiry time to allow enough time to complete the deployment.

Set-AzureRmCurrentStorageAccount -ResourceGroupName ManageGroup -Name {your-unique-name}

# get the URI with the SAS token
$templateuri = New-AzureStorageBlobSASToken -Container templates -Blob storage.json -Permission r `
  -ExpiryTime (Get-Date).AddHours(2.0) -FullUri

# provide URI with SAS token during deployment
New-AzureRmResourceGroup -Name ExampleGroup -Location "South Central US"
New-AzureRmResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateUri $templateuri
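
Because anyone who holds the SAS URI can read the blob, it is worth checking the URI's scope and lifetime before handing it to a deployment or a pipeline. The following is an added example, not part of the original article: `Test-TemplateSasUri` is a hypothetical helper, and the sample URI (account name, signature) is constructed for illustration.

```powershell
# Added example, not from the original article. Test-TemplateSasUri is a hypothetical helper.
function Test-TemplateSasUri {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [double] $MaxHours = 2.0   # the article's example uses a 2-hour expiry
    )
    $parsed = [System.Uri]$Uri
    $sas = @{}
    # Split the query string into the SAS fields (sp, sr, se, sig, ...)
    foreach ($pair in ($parsed.Query.TrimStart('?') -split '&' | Where-Object { $_ })) {
        $name, $value = $pair -split '=', 2
        $sas[$name] = [System.Uri]::UnescapeDataString([string]$value)
    }
    $problems = @()
    if ($parsed.Scheme -ne 'https') { $problems += 'URI scheme is not https' }
    if (-not $sas.ContainsKey('sig')) { $problems += 'no sig field: not a SAS URI' }
    if ($sas['sp'] -ne 'r') { $problems += "sp is '$($sas['sp'])', expected read-only 'r'" }
    if ($sas['sr'] -ne 'b') { $problems += "sr is '$($sas['sr'])', expected single-blob 'b'" }

    $expiry = [DateTimeOffset]::MinValue
    $styles = [System.Globalization.DateTimeStyles]::AssumeUniversal
    if (-not [DateTimeOffset]::TryParse($sas['se'], [cultureinfo]::InvariantCulture, $styles, [ref]$expiry)) {
        $problems += 'se (expiry) is missing or unparsable'
    } else {
        $hoursLeft = ($expiry - [DateTimeOffset]::UtcNow).TotalHours
        if ($hoursLeft -le 0) { $problems += 'token has already expired' }
        elseif ($hoursLeft -gt $MaxHours) {
            $problems += ('token is valid for {0:N1} more hours, limit is {1}' -f $hoursLeft, $MaxHours)
        }
    }
    [pscustomobject]@{
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
        # The signature is the secret part; never write the full URI to logs
        LogSafeUri = $Uri -replace '(?<=[?&]sig=)[^&]+', 'REDACTED'
    }
}

# Constructed sample URI (placeholder account name and signature), expiring in one hour
$stamp = (Get-Date).ToUniversalTime().AddHours(1).ToString('yyyy-MM-ddTHH:mm:ssZ', [cultureinfo]::InvariantCulture)
$se = [System.Uri]::EscapeDataString($stamp)
$sample = "https://examplestore.blob.core.windows.net/templates/storage.json?sv=2017-04-17&sr=b&sig=CONSTRUCTED&se=$se&sp=r"
$check = Test-TemplateSasUri -Uri $sample
$check | Format-List
```

Run the check on `$templateuri` before the deployment call, and log only `LogSafeUri`.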

For an example of using a SAS token with linked templates, see Using linked templates with Azure Resource Manager.

Next steps