Configure Azure Storage connection strings

A connection string includes the authorization information required for your application to access data in an Azure Storage account at runtime using Shared Key authorization. You can configure connection strings to:

  • Connect to the Azure storage emulator.
  • Access a storage account in Azure.
  • Access specified resources in Azure via a shared access signature (SAS).

Tip

Azure Storage supports authorizing requests to Blob and Queue storage using Azure Active Directory (Azure AD). Authorizing users or applications using an OAuth 2.0 token returned by Azure AD provides superior security and ease of use over Shared Key authorization. With Azure AD, there is no need to store the account access key with your code and risk potential security vulnerabilities.

Additionally, Azure Storage supports the user delegation shared access signature (SAS) for Blob storage. The user delegation SAS is signed with Azure AD credentials. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS for superior security.

Microsoft recommends using Azure AD with your Azure Storage applications when possible. For more information, see Authorize access to Azure blobs and queues using Azure Active Directory.

Important

Your storage account key is similar to the root password for your storage account. Always be careful to protect your account key. Avoid distributing it to other users, hard-coding it, or saving it anywhere in plaintext that is accessible to others. Regenerate your account key using the Azure portal if you believe it may have been compromised.

SAS (shared access signature) tokens must be protected just like the account access keys. Although a SAS provides granular access, it still grants clients access to the resources in your storage account and should not be shared publicly. When sharing is required for troubleshooting, consider using a redacted version of any log files or deleting the SAS tokens (if present) from the log files, and make sure that screenshots don't contain the SAS information either.
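One way to apply the redaction advice above before sharing logs, as an added Python example that is not part of the original documentation: it masks account keys and SAS signatures in URLs, connection strings, and XML-escaped configuration values. The function names, sample log lines, and secret values are constructed for illustration.

```python
import re

# AccountKey=<base64> inside a connection string (ends at ';', a quote or space).
_ACCOUNT_KEY = re.compile(r"(AccountKey=)[^;\s\"'<]+", re.IGNORECASE)
# sig=<signature> of a SAS in a URL query, a connection string, or an
# XML-escaped config value where '&' is written as '&amp;'.
_SAS_SIG = re.compile(r"(\bsig=)[^&;\s\"'<]+", re.IGNORECASE)
MASK = "<redacted>"


def redact(line):
    """Return (line with secrets masked, number of values masked)."""
    line, n_key = _ACCOUNT_KEY.subn(lambda m: m.group(1) + MASK, line)
    line, n_sig = _SAS_SIG.subn(lambda m: m.group(1) + MASK, line)
    return line, n_key + n_sig


def redact_log(lines):
    """Mask every line; return (clean lines, indexes of lines that held secrets)."""
    clean, flagged = [], []
    for index, line in enumerate(lines):
        masked, hits = redact(line)
        clean.append(masked)
        if hits:
            flagged.append(index)
    return clean, flagged


# Constructed sample log lines; every secret value below is made up.
SAMPLE_LOG = [
    "GET https://storagesample.blob.core.windows.net/c/b.txt"
    "?sv=2015-04-05&sr=b&sig=AAAA%2BBBBB%3D&se=2030-01-01 200",
    'conn="DefaultEndpointsProtocol=https;AccountName=storagesample;'
    'AccountKey=Zm9vYmFy/+Zm9v==;EndpointSuffix=core.windows.net"',
    '<add key="StorageConnectionString" value="BlobEndpoint='
    "https://storagesample.blob.core.windows.net;SharedAccessSignature="
    'sv=2015-04-05&amp;sr=b&amp;sig=CCCC%3D" />',
    "INFO listed 3 blobs",
]

if __name__ == "__main__":
    cleaned, flagged = redact_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("lines that contained secrets:", flagged)
```

Only the signature and the key are masked; the remaining SAS fields (version, permissions, expiry) stay readable for troubleshooting.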

View and copy a connection string

To view and copy your storage account access keys or connection string from the Azure portal:

  1. Navigate to the Azure portal.

  2. Locate your storage account.

  3. In the Settings section of the storage account overview, select Access keys. Your account access keys appear, as well as the complete connection string for each key.

  4. Find the Key value under key1, and click the Copy button to copy the account key.

  5. Alternatively, you can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.

    Screenshot showing how to view access keys in the Azure portal

You can use either key to access Azure Storage, but in general it's a good practice to use the first key, and reserve the use of the second key for when you are rotating keys.

Store a connection string

Your application needs to access the connection string at runtime to authorize requests made to Azure Storage. You have several options for storing your connection string:

  • You can store your connection string in an environment variable.
  • An application running on the desktop or on a device can store the connection string in an app.config or web.config file. Add the connection string to the AppSettings section in these files.
  • An application running in an Azure cloud service can store the connection string in the Azure service configuration schema (.cscfg) file. Add the connection string to the ConfigurationSettings section of the service configuration file.

Storing your connection string in a configuration file makes it easy to update the connection string to switch between the storage emulator and an Azure storage account in the cloud. You only need to edit the connection string to point to your target environment.

You can use the Microsoft Azure Configuration Manager to access your connection string at runtime regardless of where your application is running.

Configure a connection string for the storage emulator

The storage emulator supports a single fixed account and a well-known authentication key for Shared Key authentication. This account and key are the only Shared Key credentials permitted for use with the storage emulator. They are:

Account name: devstoreaccount1
Account key: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==

Note

The authentication key supported by the storage emulator is intended only for testing the functionality of your client authentication code. It does not serve any security purpose. You cannot use your production storage account and key with the storage emulator. You should not use the development account with production data.

The storage emulator supports connection via HTTP only. However, HTTPS is the recommended protocol for accessing resources in a production Azure storage account.

Connect to the emulator account using a shortcut

The easiest way to connect to the storage emulator from your application is to configure a connection string in your application's configuration file that references the shortcut UseDevelopmentStorage=true. Here's an example of a connection string to the storage emulator in an app.config file:

<appSettings>
  <add key="StorageConnectionString" value="UseDevelopmentStorage=true" />
</appSettings>

Connect to the emulator account using the well-known account name and key

To create a connection string that references the emulator account name and key, you must specify the endpoints for each of the services you wish to use from the emulator in the connection string. This is necessary so that the connection string references the emulator endpoints, which are different from those for a production storage account. For example, the value of your connection string will look like this:

DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;
AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;
BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;
TableEndpoint=http://127.0.0.1:10002/devstoreaccount1;
QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;

This value is identical to the shortcut shown above, UseDevelopmentStorage=true.

Specify an HTTP proxy

You can also specify an HTTP proxy to use when you're testing your service against the storage emulator. This can be useful for observing HTTP requests and responses while you're debugging operations against the storage services. To specify a proxy, add the DevelopmentStorageProxyUri option to the connection string, and set its value to the proxy URI. For example, here is a connection string that points to the storage emulator and configures an HTTP proxy:

UseDevelopmentStorage=true;DevelopmentStorageProxyUri=http://myProxyUri

For more information about the storage emulator, see Use the Azure storage emulator for development and testing.

Configure a connection string for an Azure storage account

To create a connection string for your Azure storage account, use the following format. Indicate whether you want to connect to the storage account through HTTPS (recommended) or HTTP, replace myAccountName with the name of your storage account, and replace myAccountKey with your account access key:

DefaultEndpointsProtocol=[http|https];AccountName=myAccountName;AccountKey=myAccountKey

For example, your connection string might look similar to:

DefaultEndpointsProtocol=https;AccountName=storagesample;AccountKey=<account-key>

Although Azure Storage supports both HTTP and HTTPS in a connection string, HTTPS is highly recommended.

Tip

You can find your storage account's connection strings in the Azure portal. Navigate to Settings > Access keys in your storage account's menu blade to see connection strings for both primary and secondary access keys.

Create a connection string using a shared access signature

If you possess a shared access signature (SAS) URL that grants you access to resources in a storage account, you can use the SAS in a connection string. Because the SAS contains the information required to authenticate the request, a connection string with a SAS provides the protocol, the service endpoint, and the necessary credentials to access the resource.

To create a connection string that includes a shared access signature, specify the string in the following format:

BlobEndpoint=myBlobEndpoint;
QueueEndpoint=myQueueEndpoint;
TableEndpoint=myTableEndpoint;
FileEndpoint=myFileEndpoint;
SharedAccessSignature=sasToken

Each service endpoint is optional, although the connection string must contain at least one.

Note

Using HTTPS with a SAS is recommended as a best practice.

If you are specifying a SAS in a connection string in a configuration file, you may need to encode special characters in the URL.

Service SAS example

Here's an example of a connection string that includes a service SAS for Blob storage:

BlobEndpoint=https://storagesample.blob.core.windows.net;
SharedAccessSignature=sv=2015-04-05&sr=b&si=tutorial-policy-635959936145100803&sig=9aCzs76n0E7y5BpEi2GvsSv433BZa22leDOZXX%2BXXIU%3D

And here's an example of the same connection string with encoding of special characters:

BlobEndpoint=https://storagesample.blob.core.windows.net;
SharedAccessSignature=sv=2015-04-05&amp;sr=b&amp;si=tutorial-policy-635959936145100803&amp;sig=9aCzs76n0E7y5BpEi2GvsSv433BZa22leDOZXX%2BXXIU%3D

Account SAS example

Here's an example of a connection string that includes an account SAS for Blob and File storage. Note that endpoints for both services are specified:

BlobEndpoint=https://storagesample.blob.core.windows.net;
FileEndpoint=https://storagesample.file.core.windows.net;
SharedAccessSignature=sv=2015-07-08&sig=iCvQmdZngZNW%2F4vw43j6%2BVz6fndHF5LI639QJba4r8o%3D&spr=https&st=2016-04-12T03%3A24%3A31Z&se=2016-04-13T03%3A29%3A31Z&srt=s&ss=bf&sp=rwl

And here's an example of the same connection string with URL encoding:

BlobEndpoint=https://storagesample.blob.core.windows.net;
FileEndpoint=https://storagesample.file.core.windows.net;
SharedAccessSignature=sv=2015-07-08&amp;sig=iCvQmdZngZNW%2F4vw43j6%2BVz6fndHF5LI639QJba4r8o%3D&amp;spr=https&amp;st=2016-04-12T03%3A24%3A31Z&amp;se=2016-04-13T03%3A29%3A31Z&amp;srt=s&amp;ss=bf&amp;sp=rwl

Create a connection string for an explicit storage endpoint

You can specify explicit service endpoints in your connection string instead of using the default endpoints. To create a connection string that specifies an explicit endpoint, specify the complete service endpoint for each service, including the protocol specification (HTTPS (recommended) or HTTP), in the following format:

DefaultEndpointsProtocol=[http|https];
BlobEndpoint=myBlobEndpoint;
FileEndpoint=myFileEndpoint;
QueueEndpoint=myQueueEndpoint;
TableEndpoint=myTableEndpoint;
AccountName=myAccountName;
AccountKey=myAccountKey

One scenario where you might wish to specify an explicit endpoint is when you've mapped your Blob storage endpoint to a custom domain. In that case, you can specify your custom endpoint for Blob storage in your connection string. You can optionally specify the default endpoints for the other services if your application uses them.

Here is an example of a connection string that specifies an explicit endpoint for the Blob service:

# Blob endpoint only
DefaultEndpointsProtocol=https;
BlobEndpoint=http://www.mydomain.com;
AccountName=storagesample;
AccountKey=<account-key>

This example specifies explicit endpoints for all services, including a custom domain for the Blob service:

# All service endpoints
DefaultEndpointsProtocol=https;
BlobEndpoint=http://www.mydomain.com;
FileEndpoint=https://myaccount.file.core.windows.net;
QueueEndpoint=https://myaccount.queue.core.windows.net;
TableEndpoint=https://myaccount.table.core.windows.net;
AccountName=storagesample;
AccountKey=<account-key>

The endpoint values in a connection string are used to construct the request URIs to the storage services, and dictate the form of any URIs that are returned to your code.

If you've mapped a storage endpoint to a custom domain and omit that endpoint from a connection string, then you will not be able to use that connection string to access data in that service from your code.

Important

Service endpoint values in your connection strings must be well-formed URIs, including https:// (recommended) or http://. Because Azure Storage does not yet support HTTPS for custom domains, you must specify http:// for any endpoint URI that points to a custom domain.

Create a connection string with an endpoint suffix

To create a connection string for a storage service in regions or instances with different endpoint suffixes, such as for Azure China 21Vianet or Azure Government, use the following connection string format. Indicate whether you want to connect to the storage account through HTTPS (recommended) or HTTP, replace myAccountName with the name of your storage account, replace myAccountKey with your account access key, and replace mySuffix with the URI suffix:

DefaultEndpointsProtocol=[http|https];
AccountName=myAccountName;
AccountKey=myAccountKey;
EndpointSuffix=mySuffix;

Here's an example connection string for storage services in Azure China 21Vianet:

DefaultEndpointsProtocol=https;
AccountName=storagesample;
AccountKey=<account-key>;
EndpointSuffix=core.chinacloudapi.cn;

Parsing a connection string

The Microsoft Azure Configuration Manager Library for .NET provides a class for parsing a connection string from a configuration file. The CloudConfigurationManager class parses configuration settings. It parses settings for client applications that run on the desktop, on a mobile device, in an Azure virtual machine, or in an Azure cloud service.

To reference the CloudConfigurationManager package, add the following using directives:

using Microsoft.Azure; //Namespace for CloudConfigurationManager
using Microsoft.Azure.Storage;

Here's an example that shows how to retrieve a connection string from a configuration file:

// Parse the connection string and return a reference to the storage account.
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
    CloudConfigurationManager.GetSetting("StorageConnectionString"));

Using the Azure Configuration Manager is optional. You can also use an API such as the .NET Framework's ConfigurationManager class.
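The connection string formats described on this page can be checked before deployment. The following Python linter is an added example, not Microsoft's code and not the CloudStorageAccount parser; the function names, finding codes, and sample value are made up for illustration, and it assumes a SAS expiry (se) written in one of two UTC forms.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

LOOPBACK = {"127.0.0.1", "localhost"}  # hosts used by the storage emulator

def parse_connection_string(cs):
    """Split 'Key=Value;' pairs on the first '=' only (values contain '=')."""
    settings = {}
    # Undo XML escaping before splitting: '&amp;' itself contains a ';'.
    for part in cs.replace("&amp;", "&").split(";"):
        key, sep, value = part.strip().partition("=")
        if not key and not sep:
            continue  # empty piece after a trailing ';'
        if not key or not value:
            raise ValueError(f"malformed setting: {part.strip()!r}")
        settings[key] = value
    return settings

def _parse_time(value):
    # Assumption: expiry is 'YYYY-MM-DDThh:mm:ssZ' or 'YYYY-MM-DD' (UTC).
    fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in value else "%Y-%m-%d"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def audit(cs, now=None):
    """Return finding codes (names made up for this example) for one string."""
    now = now or datetime.now(timezone.utc)
    s = parse_connection_string(cs)
    endpoints = {k: urlparse(v) for k, v in s.items() if k.endswith("Endpoint")}
    local = endpoints and all(u.hostname in LOOPBACK for u in endpoints.values())
    if local or s.get("UseDevelopmentStorage", "").lower() == "true":
        return ["emulator-only"]
    findings = []
    if s.get("DefaultEndpointsProtocol", "").lower() == "http":
        findings.append("default-protocol-http")
    # The page requires http:// for custom domains, so treat this as a review item.
    findings += [f"http-endpoint:{k}" for k, u in endpoints.items()
                 if u.scheme == "http"]
    if "AccountKey" in s:
        findings.append("shared-key-in-config")
    if "SharedAccessSignature" in s:
        sas = parse_qs(s["SharedAccessSignature"].lstrip("?"))
        if not endpoints:
            findings.append("sas-without-endpoint")
        if sas.get("spr") != ["https"]:
            findings.append("sas-not-https-only")
        expiry = sas.get("se", [None])[0]
        if expiry and _parse_time(expiry) <= now:
            findings.append("sas-expired")
    return findings

# Constructed sample in the XML-escaped form used in configuration files.
SAMPLE = ("BlobEndpoint=https://storagesample.blob.core.windows.net;"
          "SharedAccessSignature=sv=2015-07-08&amp;sig=CONSTRUCTED%3D&amp;"
          "se=2016-04-13T03%3A29%3A31Z&amp;sp=rwl")
```

Calling audit(SAMPLE) reports that the SAS is not restricted to HTTPS and has expired; a string that uses only emulator endpoints or the UseDevelopmentStorage shortcut is reported as emulator-only.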

Next steps