
Authorize access to blobs and queues using Azure Active Directory

Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage. With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, group, or application service principal. The security principal is authenticated by Azure AD to return an OAuth 2.0 token. The token can then be used to authorize a request against Blob or Queue storage.

Authorizing requests against Azure Storage with Azure AD provides superior security and ease of use over Shared Key authorization. Microsoft recommends using Azure AD authorization with your blob and queue applications when possible to minimize the potential security vulnerabilities inherent in Shared Key.

Authorization with Azure AD is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.

Blob storage additionally supports creating shared access signatures (SAS) that are signed with Azure AD credentials. For more information, see Grant limited access to data with shared access signatures.

Azure Files supports authorization with Azure AD over SMB for domain-joined VMs only. To learn about using Azure AD over SMB for Azure Files, see Overview of Azure Active Directory authorization over SMB for Azure Files.

Authorization with Azure AD is not supported for Azure Table storage. Use Shared Key to authorize requests to Table storage.

Overview of Azure AD for blobs and queues

When a security principal (a user, group, or application) attempts to access a blob or queue resource, the request must be authorized, unless it is a blob available for anonymous access. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Blob or Queue service and used by the service to authorize access to the specified resource.

The authentication step requires that an application request an OAuth 2.0 access token at runtime. If an application is running from within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a managed identity to access blobs or queues. To learn how to authorize requests made by a managed identity to the Azure Blob or Queue service, see Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure Resources.

The authorization step requires that one or more RBAC roles be assigned to the security principal. Azure Storage provides RBAC roles that encompass common sets of permissions for blob and queue data. The roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning RBAC roles for Azure Storage, see Manage access rights to storage data with RBAC.

Native applications and web applications that make requests to the Azure Blob or Queue service can also authorize access with Azure AD. To learn how to request an access token and use it to authorize requests for blob or queue data, see Authorize access to Azure Storage with Azure AD from an Azure Storage application.

Assign RBAC roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Built-in RBAC roles for blobs and queues

Azure provides the following built-in RBAC roles for authorizing access to blob and queue data using Azure AD and OAuth:

Note

RBAC role assignments may take up to five minutes to propagate.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

To learn how to assign a built-in RBAC role to a security principal, see one of the following articles:

For more information about how built-in roles are defined for Azure Storage, see Understand role definitions. For information about creating custom RBAC roles, see Create custom roles for Azure Role-Based Access Control.

Access permissions for data operations

For details on the permissions required to call specific Blob or Queue service operations, see Permissions for calling blob and queue data operations.

Resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. As a best practice, always grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.

Important

If your subscription includes an Azure Databricks namespace, roles that are scoped to the subscription will not grant access to blob and queue data. Scope roles to the resource group, storage account, container, or queue instead.

Access data with an Azure AD account

Access to blob or queue data via the Azure portal, PowerShell, or Azure CLI can be authorized either by using the user's Azure AD account or by using the account access keys (Shared Key authorization).

Data access from the Azure portal

The Azure portal can use either your Azure AD account or the account access keys to access blob and queue data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the RBAC roles that are assigned to you.

When you attempt to access blob or queue data, the Azure portal first checks whether you have been assigned an RBAC role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the Azure portal uses the account key for accessing blob and queue data via Shared Key authorization. If you have not been assigned a role with this action, then the Azure portal attempts to access data using your Azure AD account.

To access blob or queue data from the Azure portal using your Azure AD account, you need permissions to access blob and queue data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure Storage grant access to blob and queue resources, but they don't grant permissions to storage account resources. For this reason, access to the portal also requires the assignment of an Azure Resource Manager role such as the Reader role, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable. To learn more about how to assign permissions to users for data access in the Azure portal with an Azure AD account, see Grant access to Azure blob and queue data with RBAC in the Azure portal.
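As an added illustration (not code from this page or from Azure), the following Python models three rules described above: scope inheritance from the subscription down to a single container, the distinction between management roles such as Owner and roles explicitly defined for data access, and the portal's check for the listkeys action. The role and action names are real built-in identifiers, but the role definitions are simplified subsets and the resource IDs are constructed samples.

```python
"""Model of how Azure RBAC decides blob/queue data access (added illustration;
role definitions are simplified subsets of the real built-in roles)."""
from fnmatch import fnmatch
from typing import Dict, List, NamedTuple, Tuple

class Role(NamedTuple):
    actions: Tuple[str, ...]       # management-plane (ARM) actions
    data_actions: Tuple[str, ...]  # data-plane actions on blobs/queues

# Simplified subset of built-in role definitions; Azure's "*" wildcard spans segments.
ROLES: Dict[str, Role] = {
    "Owner": Role(("*",), ()),
    "Contributor": Role(("*",), ()),
    "Storage Account Contributor": Role(("Microsoft.Storage/storageAccounts/*",), ()),
    "Reader": Role(("*/read",), ()),
    "Storage Blob Data Reader": Role(
        ("Microsoft.Storage/storageAccounts/blobServices/containers/read",),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",)),
}
LISTKEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

# Constructed sample resource IDs, from subscription down to a single container.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT = SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"
CONTAINER = ACCOUNT + "/blobServices/default/containers/logs"

def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its scope and every child scope. Compare whole
    path segments, case-insensitively, so container 'logs' never covers 'logs2'."""
    parent = assignment_scope.strip("/").lower().split("/")
    child = resource_id.strip("/").lower().split("/")
    return child[:len(parent)] == parent

def permits(assignments: List[Tuple[str, str]], resource_id: str,
            action: str, data_plane: bool) -> bool:
    """True if any (role, scope) assignment covering resource_id grants the action
    on the requested plane; management actions never grant data-plane access."""
    for role_name, scope in assignments:
        if not scope_covers(scope, resource_id):
            continue
        role = ROLES[role_name]
        patterns = role.data_actions if data_plane else role.actions
        if any(fnmatch(action, p) for p in patterns):
            return True
    return False

def portal_scheme(assignments: List[Tuple[str, str]], account_id: str) -> str:
    """The portal uses the account key when the user can list keys, else Azure AD."""
    return "SharedKey" if permits(assignments, account_id, LISTKEYS, False) else "AzureAD"
```

A Contributor at subscription scope therefore lands on Shared Key in the portal and has no data-plane right of its own, while a user holding Storage Blob Data Reader on one container plus Reader on the account goes through Azure AD and reads only that container.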

The Azure portal indicates which authorization scheme is in use when you navigate to a container or queue. For more information about data access in the portal, see Use the Azure portal to access blob or queue data.

Data access from PowerShell or Azure CLI

Azure CLI and PowerShell support signing in with Azure AD credentials. After you sign in, your session runs under those credentials. To learn more, see Run Azure CLI or PowerShell commands with Azure AD credentials to access blob or queue data.

Next steps