
Grant limited access to Azure Storage resources using shared access signatures (SAS)

A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.

Types of shared access signatures

Azure Storage supports three types of shared access signatures:

  • User delegation SAS. A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

    For more information about the user delegation SAS, see Create a user delegation SAS (REST API).

  • Service SAS. A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

    For more information about the service SAS, see Create a service SAS (REST API).

  • Account SAS. An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Additionally, with the account SAS, you can delegate access to operations that apply at the level of the service, such as the Get/Set Service Properties and Get Service Stats operations. You can also delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares, which is not permitted with a service SAS.

    For more information about the account SAS, see Create an account SAS (REST API).

Note

Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.

A shared access signature can take one of two forms:

  • Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI (or implied, if the start time is omitted). Any type of SAS can be an ad hoc SAS.
  • Service SAS with stored access policy: A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints (the start time, expiry time, and permissions) defined for the stored access policy.

Note

A user delegation SAS or an account SAS must be an ad hoc SAS. Stored access policies are not supported for the user delegation SAS or the account SAS.

How a shared access signature works

A shared access signature is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. Azure Storage uses this signature to authorize access to the storage resource.

SAS signature

You can sign a SAS in one of two ways:

  • With a user delegation key that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key.

    To get the user delegation key and create the SAS, an Azure AD security principal must be assigned a role-based access control (RBAC) role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. For detailed information about RBAC roles with permissions to get the user delegation key, see Create a user delegation SAS (REST API).

  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

SAS token

The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account.

When a client application provides a SAS URI to Azure Storage as part of a request, the service checks the SAS parameters and signature to verify that they are valid for authorizing the request. If the service verifies that the signature is valid, then the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

Here's an example of a service SAS URI, showing the resource URI and the SAS token:

(Figure: Components of a service SAS URI)
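The signing step and the service-side check described above, as an added example in Python (not Microsoft's code and not the Azure SDK): it builds an ad hoc service SAS for one blob by signing the string-to-sign with HMAC-SHA256 under the account key, then replays the check the service performs when it receives the token. Assumptions, also labelled in the code: the string-to-sign field order follows the service SAS reference for version 2018-11-09 (the REST reference is authoritative); the account name, key, container and blob names are constructed sample values.

```python
"""Service SAS construction and verification, reproduced offline.

Added example, not Microsoft's code. Field order in the string-to-sign is an
assumption taken from the service SAS reference for version 2018-11-09.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SERVICE_VERSION = "2018-11-09"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample values (not a real account or key). A real account key is the
# base64 string shown in the portal; this one is 32 arbitrary bytes encoded the same way.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def string_to_sign(account, container, blob, params):
    """String-to-sign for a service SAS on a single blob (2018-11-09 layout; assumption).

    Empty fields are kept so the newline count stays fixed: the signature covers every
    parameter slot, which is what makes a token tamper-evident.
    """
    canonical_resource = f"/blob/{account}/{container}/{blob}"
    fields = [
        params.get("sp", ""),        # signedPermissions
        params.get("st", ""),        # signedStart
        params.get("se", ""),        # signedExpiry
        canonical_resource,
        params.get("si", ""),        # signedIdentifier: stored access policy; empty = ad hoc
        params.get("sip", ""),       # signedIP
        params.get("spr", ""),       # signedProtocol
        params.get("sv", ""),        # signedVersion
        params.get("sr", ""),        # signedResource: "b" = blob
        params.get("snapshot", ""),  # snapshot timestamp; empty for a base blob
        params.get("rscc", ""),      # response header overrides: Cache-Control,
        params.get("rscd", ""),      # Content-Disposition,
        params.get("rsce", ""),      # Content-Encoding,
        params.get("rscl", ""),      # Content-Language,
        params.get("rsct", ""),      # Content-Type
    ]
    return "\n".join(fields)


def sign(key_b64, text):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(key_b64)
    digest = hmac.new(key, text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry):
    """Build an ad hoc service SAS token (the query string after '?') for one blob."""
    params = {
        "sv": SERVICE_VERSION,
        "sr": "b",
        "sp": permissions,
        "st": start.strftime(TIME_FMT),
        "se": expiry.strftime(TIME_FMT),
        "spr": "https",  # the page's advice: only hand out a SAS over HTTPS
    }
    params["sig"] = sign(key_b64, string_to_sign(account, container, blob, params))
    # urlencode percent-encodes ':' in the timestamps and '+', '/', '=' in the signature
    return urlencode(params)


def authorize(account, key_b64, container, blob, sas_token, now):
    """Reproduce the service-side check: 200 if the token authorizes the request, else 403.

    The service keeps no record of issued tokens; it recomputes the signature from the
    parameters it receives, so any edited parameter (sp=r changed to sp=rw, a later se)
    produces a different string-to-sign and the signature no longer matches.
    """
    params = {k: v[0] for k, v in parse_qs(sas_token).items()}
    expected = sign(key_b64, string_to_sign(account, container, blob, params))
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return 403
    if "se" not in params:
        return 403
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if "st" in params:
        start = datetime.strptime(params["st"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now < start:
            return 403
    if now >= expiry:
        return 403
    return 200


def run_demo():
    """Issue a read-only token valid for one hour and return the three outcomes."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock, constructed
    token = make_blob_sas(ACCOUNT, ACCOUNT_KEY, "reports", "q1.pdf", "r",
                          now - timedelta(minutes=15), now + timedelta(hours=1))
    valid = authorize(ACCOUNT, ACCOUNT_KEY, "reports", "q1.pdf", token, now)
    tampered = authorize(ACCOUNT, ACCOUNT_KEY, "reports", "q1.pdf",
                         token.replace("sp=r&", "sp=rw&"), now)
    expired = authorize(ACCOUNT, ACCOUNT_KEY, "reports", "q1.pdf",
                        token, now + timedelta(hours=2))
    return valid, tampered, expired  # (200, 403, 403)


if __name__ == "__main__":
    print(run_demo())
```

Because Azure Storage keeps no record of issued tokens, the check is purely a recomputation over the received parameters plus the time window: the tampered outcome is why a client cannot widen `sp` on a token it already holds, and the expired outcome is the 403 (Forbidden) the page describes. In production the token is produced by an SDK (for example `generate_blob_sas` in the azure-storage-blob package) rather than by hand.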

When to use a shared access signature

Use a SAS when you want to provide secure access to resources in your storage account to any client who does not otherwise have permissions to those resources.

A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:

  1. Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy service has the advantage of allowing validation of business rules, but for large amounts of data or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.

    (Scenario diagram: Front-end proxy service)

  2. A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly with the permissions defined by the SAS and for the interval allowed by the SAS. The SAS removes the need to route all data through the front-end proxy service.

    (Scenario diagram: SAS provider service)

Many real-world services may use a hybrid of these two approaches. For example, some data might be processed and validated via the front-end proxy, while other data is saved and/or read directly using a SAS.

Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:

  • When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.
  • When you copy a file to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.
  • When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.

Best practices when using SAS

When you use shared access signatures in your applications, you need to be aware of two potential risks:

  • If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
  • If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

The following recommendations for using shared access signatures can help mitigate these risks:

  • Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the intended user could have, potentially compromising sensitive data or allowing for data corruption by the malicious user.
  • Use a user delegation SAS when possible. A user delegation SAS provides superior security to a service SAS or an account SAS. A user delegation SAS is secured with Azure AD credentials, so you do not need to store your account key with your code.
  • Have a revocation plan in place for a SAS. Make sure you are prepared to respond if a SAS is compromised.
  • Define a stored access policy for a service SAS. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these policies very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future.
  • Use near-term expiration times on an ad hoc SAS, service SAS, or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.
  • Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then this may be unnecessary, as the SAS is not expected to be renewed. However, if you have a client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that the client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to successful renewal).
  • Be careful with the SAS start time. If you set the start time for a SAS to now, then due to clock skew (differences in current time according to different machines), failures may be observed intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don't set it at all, which will make it valid immediately in all cases. The same generally applies to the expiry time as well; remember that you may observe up to 15 minutes of clock skew in either direction on any request. For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that does not reference a stored access policy is 1 hour, and any policies specifying a longer term than that will fail.
  • Be specific with the resource to be accessed. A security best practice is to provide a user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. This also helps lessen the damage if a SAS is compromised, because the SAS has less power in the hands of an attacker.
  • Understand that your account will be billed for any usage, including via a SAS. If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you've given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use a short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).
  • Validate data written using a SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If your application requires that data be validated or authorized before it is ready to use, you should perform this validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS, or by a user exploiting a leaked SAS.
  • Know when not to use a SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of using a SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For example, if you want to make all blobs in a container publicly readable, you can make the container public, rather than providing a SAS to every client for access.
  • Use Azure Monitor and Azure Storage logs to monitor your application. You can use Azure Monitor and storage analytics logging to observe any spike in authorization failures due to an outage in your SAS provider service or to the inadvertent removal of a stored access policy. For more information, see Azure Storage metrics in Azure Monitor and Azure Storage Analytics logging.
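The lifetime and least-privilege recommendations above (backdate the start time for clock skew, keep the expiry short, renew well before expiry, and request only the permissions an operation needs), as an added Python example that is not Microsoft's code: small client-side helpers a SAS-consuming application can use to apply them. It assumes the `st`, `se` and `sp` query parameters named on this page, and the permission letters r, w, d and l (read, write, delete, list) in the order the service expects; every token string in it is constructed, with `sig=PLACEHOLDER` standing in for a real signature.

```python
"""Client-side SAS lifetime helpers. Added example, not Microsoft's code.

Assumes the st/se/sp query parameters described on the page; the permission
letter order (r, w, d, l) is an assumption for this example.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

CLOCK_SKEW = timedelta(minutes=15)  # page: up to 15 minutes of skew in either direction
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Permission letters in the order the service expects them (assumption for this example).
PERMISSION_ORDER = (("read", "r"), ("write", "w"), ("delete", "d"), ("list", "l"))


def sas_window(now, lifetime, skew=CLOCK_SKEW):
    """Return (st, se): start backdated by `skew`, expiry a short `lifetime` ahead.

    Backdating the start avoids the intermittent failures the page describes when the
    issuer's clock is ahead of the service's; the short lifetime bounds the damage a
    leaked token can do.
    """
    start = (now - skew).strftime(TIME_FMT)
    expiry = (now + lifetime).strftime(TIME_FMT)
    return start, expiry


def sas_expiry(token):
    """Parse the se parameter of a SAS token (query string, with or without a leading '?')."""
    query = parse_qs(token.lstrip("?"))
    return datetime.strptime(query["se"][0], TIME_FMT).replace(tzinfo=timezone.utc)


def should_renew(token, now, lead=timedelta(minutes=10), skew=CLOCK_SKEW):
    """True once the usable time left (expiry minus the skew margin) is within `lead`.

    Renewing this early leaves room for retries if the SAS provider service is down,
    which is the second risk the page lists.
    """
    usable = sas_expiry(token) - skew - now
    return usable <= lead


def minimal_permissions(operations):
    """Smallest sp string for the operations a client will actually perform."""
    unknown = set(operations) - {name for name, _ in PERMISSION_ORDER}
    if unknown:
        raise ValueError(f"unsupported operations: {sorted(unknown)}")
    return "".join(letter for name, letter in PERMISSION_ORDER if name in operations)


def run_demo():
    """One-hour read-only token issued at a fixed clock; returns the window and renew decisions."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock, constructed
    st, se = sas_window(now, timedelta(hours=1))
    sp = minimal_permissions({"read"})
    # Constructed token; sig=PLACEHOLDER stands in for a real signature.
    token = f"sv=2018-11-09&sr=b&sp={sp}&st={st}&se={se}&sig=PLACEHOLDER"
    return (
        st,
        se,
        should_renew(token, now),                          # 60 - 15 = 45 min usable: False
        should_renew(token, now + timedelta(minutes=40)),  # 20 - 15 = 5 min usable: True
    )


if __name__ == "__main__":
    print(run_demo())
```

A client that polls `should_renew` on each request (or on a timer) asks its SAS provider for a fresh token while the old one still has a comfortable margin, which is the balance the renewal bullet above asks for; `minimal_permissions` makes the least-privilege choice explicit in code rather than leaving `sp` as a hard-coded string.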

Get started with SAS

To get started with shared access signatures, see the following articles for each SAS type.

User delegation SAS

Service SAS

Account SAS

Next steps