您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

AzCopy 入门Get started with AzCopy

AzCopy 是一个命令行实用工具, 可用于在存储帐户中复制 blob 或文件。AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account. 本文将帮助你下载 AzCopy, 连接到你的存储帐户, 然后传输文件。This article helps you download AzCopy, connect to your storage account, and then transfer files.

备注

AzCopy V10是当前支持的 AzCopy 版本。AzCopy V10 is the currently supported version of AzCopy.

如果需要使用 AzCopy 的, 请参阅本文的使用 AzCopy 的早期版本部分。If you need to use AzCopy v8.1, see the Use the previous version of AzCopy section of this article.

下载 AzCopyDownload AzCopy

首先, 将 AzCopy V10 可执行文件下载到计算机上的任何目录中。First, download the AzCopy V10 executable file to any directory on your computer.

AzCopy V10 只是一个可执行文件, 因此没有要安装的内容。AzCopy V10 is just an executable file, so there's nothing to install.

备注

如果要将数据复制到Azure 表存储服务和从 Azure 表存储服务复制数据, 请安装AzCopy 版本 7.3If you want to copy data to and from your Azure Table storage service, then install AzCopy version 7.3.

运行 AzCopyRun AzCopy

为方便起见, 请考虑将 AzCopy 可执行文件的目录位置添加到系统路径, 以方便使用。For convenience, consider adding the directory location of the AzCopy executable to your system path for ease of use. 这样, 你就可以azcopy在系统上的任何目录中键入。That way you can type azcopy from any directory on your system.

如果选择不将 AzCopy 目录添加到路径, 则必须将目录更改为 AzCopy 可执行文件的位置, 然后在 Windows PowerShell 命令azcopy提示符.\azcopy下键入或。If you choose not to add the AzCopy directory to your path, you'll have to change directories to the location of your AzCopy executable and type azcopy or .\azcopy in Windows PowerShell command prompts.

若要查看命令列表, 请键入azcopy -h , 然后按 enter 键。To see a list of commands, type azcopy -h and then press the ENTER key.

若要了解特定命令, 只需包含命令的名称 (例如: azcopy list -h)。To learn about a specific command, just include the name of the command (For example: azcopy list -h).

内联帮助

备注

作为你的 Azure 存储帐户的所有者, 你不会自动分配访问数据的权限。As an owner of your Azure Storage account, you aren't automatically assigned permissions to access data. 你需要决定如何向存储服务提供身份验证凭据, 然后才能对 AzCopy 执行任何有意义的操作。Before you can do anything meaningful with AzCopy, you need to decide how you'll provide authorization credentials to the storage service.

选择如何提供授权凭据Choose how you'll provide authorization credentials

可以通过使用 Azure Active Directory (AD) 或使用共享访问签名 (SAS) 令牌提供授权凭据。You can provide authorization credentials by using Azure Active Directory (AD), or by using a Shared Access Signature (SAS) token.

使用此表作为指南:Use this table as a guide:

存储类型Storage type 当前支持的授权方法Currently supported method of authorization
Blob 存储Blob storage Azure AD & SASAzure AD & SAS
Blob 存储 (分层命名空间)Blob storage (hierarchial namespace) Azure AD & SASAzure AD & SAS
文件存储File storage 仅 SASSAS only

选项 1:使用 Azure Active DirectoryOption 1: Use Azure Active Directory

通过使用 Azure Active Directory, 你可以提供一次凭据, 而无需向每个命令追加 SAS 令牌。By using Azure Active Directory, you can provide credentials once instead of having to append a SAS token to each command.

备注

在当前版本中, 如果计划在存储帐户之间复制 blob, 则必须向每个源 URL 追加一个 SAS 令牌。In the current release, if you plan to copy blobs between storage accounts, you’ll have to append a SAS token to each source URL. 只能从目标 URL 中省略 SAS 令牌。You can omit the SAS token only from the destination URL. 有关示例, 请参阅在存储帐户之间复制 blobFor examples, see Copy blobs between storage accounts.

你需要的授权级别取决于你是要上载文件还是只是下载文件。The level of authorization that you need is based on whether you plan to upload files or just download them.

如果你只想下载文件, 请验证是否已将存储 Blob 数据读取器分配给你的用户标识、托管标识或服务主体。If you just want to download files, then verify that the Storage Blob Data Reader has been assigned to your user identity, managed identity, or service principal.

用户标识、托管标识和服务主体都是一种安全主体, 因此我们将在本文的其余部分中使用术语 "安全主体"。User identities, managed identities, and service principals are each a type of security principal, so we'll use the term security principal for the remainder of this article.

如果要上传文件, 请验证是否已将其中一个角色分配给了安全主体:If you want to upload files, then verify that one of these roles has been assigned to your security principal:

可以将这些角色分配到以下任何作用域中的安全主体:These roles can be assigned to your security principal in any of these scopes:

  • 容器 (文件系统)Container (file system)
  • 存储帐户Storage account
  • 资源组Resource group
  • 订阅Subscription

若要了解如何验证和分配角色, 请参阅在 Azure 门户中使用 RBAC 授予对 Azure blob 和队列数据的访问权限To learn how to verify and assign roles, see Grant access to Azure blob and queue data with RBAC in the Azure portal.

备注

请记住, RBAC 角色分配可能需要长达五分钟才能传播。Keep in mind that RBAC role assignments can take up to five minutes to propagate.

如果将安全主体添加到目标容器或目录的访问控制列表 (ACL), 则无需将这些角色中的一个分配给安全主体。You don't need to have one of these roles assigned to your security principal if your security principal is added to the access control list (ACL) of the target container or directory. 在 ACL 中, 安全主体需要对目标目录具有写入权限, 并且对容器和每个父目录具有 execute 权限。In the ACL, your security principal needs write permission on the target directory, and execute permission on container and each parent directory.

若要了解详细信息, 请参阅Azure Data Lake Storage Gen2 中的访问控制To learn more, see Access control in Azure Data Lake Storage Gen2.

对用户标识进行身份验证Authenticate a user identity

验证用户标识是否已获得所需的授权级别后, 打开命令提示符, 键入以下命令, 然后按 ENTER 键。After you've verified that your user identity has been given the necessary authorization level, open a command prompt, type the following command, and then press the ENTER key.

azcopy login

如果你属于多个组织, 请包括存储帐户所属组织的租户 ID。If you belong to more than one organization, include the tenant ID of the organization to which the storage account belongs.

azcopy login --tenant-id=<tenant-id>

<tenant-id>将占位符替换为存储帐户所属组织的租户 ID。Replace the <tenant-id> placeholder with the tenant ID of the organization to which the storage account belongs. 若要查找租户 ID, 请在 Azure 门户中选择 " Azure Active Directory > 属性 > 目录 ID "。To find the tenant ID, select Azure Active Directory > Properties > Directory ID in the Azure portal.

此命令返回身份验证代码和网站的 URL。This command returns an authentication code and the URL of a website. 打开网站,提供代码,然后选择“下一步”按钮。Open the website, provide the code, and then choose the Next button.

创建容器

此时会出现登录窗口。A sign-in window will appear. 在该窗口中,使用 Azure 帐户凭据登录到 Azure 帐户。In that window, sign into your Azure account by using your Azure account credentials. 成功登录后,可以关闭浏览器窗口,开始使用 AzCopy。After you've successfully signed in, you can close the browser window and begin using AzCopy.

对服务主体进行身份验证Authenticate a service principal

如果你计划在运行无需用户交互的脚本中使用 AzCopy, 尤其是在本地运行时, 这是一个很好的选择。This is a great option if you plan to use AzCopy inside of a script that runs without user interaction, particularly when running on-premises. 如果计划在 Azure 中运行的 Vm 上运行 AzCopy, 托管服务标识将更易于管理。If you plan to run AzCopy on VMs that run in Azure, a managed service identity is easier to administer. 若要了解详细信息, 请参阅本文的对托管标识进行身份验证部分。To learn more, see the Authenticate a managed identity section of this article.

运行脚本之前, 必须至少以交互方式登录一次, 以便可以向 AzCopy 提供服务主体的凭据。Before you run a script, you have to sign-in interactively at least one time so that you can provide AzCopy with the credentials of your service principal. 这些凭据存储在受保护的加密文件中, 因此您的脚本无需提供敏感信息。Those credentials are stored in a secured and encrypted file so that your script doesn't have to provide that sensitive information.

你可以使用客户端机密或使用与服务主体的应用注册关联的证书的密码登录到你的帐户。You can sign into your account by using a client secret or by using the password of a certificate that is associated with your service principal's app registration.

若要详细了解如何创建服务主体, 请参阅如何:使用门户创建可访问资源的 Azure AD 应用程序和服务主体To learn more about creating service principal, see How to: Use the portal to create an Azure AD application and service principal that can access resources.

若要了解有关服务主体的详细信息, 请参阅Azure Active Directory 中的应用程序和服务主体对象To learn more about service principals in general, see Application and service principal objects in Azure Active Directory

使用客户端机密Using a client secret

首先将AZCOPY_SPA_CLIENT_SECRET环境变量设置为服务主体的应用注册的客户端机密。Start by setting the AZCOPY_SPA_CLIENT_SECRET environment variable to the client secret of your service principal's app registration.

备注

请确保在命令提示符下设置此值, 而不是在操作系统的环境变量设置中设置。Make sure to set this value from your command prompt, and not in the environment variable settings of your operating system. 这样, 该值仅对当前会话可用。That way, the value is available only to the current session.

此示例演示如何在 PowerShell 中执行此操作。This example shows how you could do this in PowerShell.

$env:AZCOPY_SPA_CLIENT_SECRET="$(Read-Host -prompt "Enter key")"

备注

请考虑使用本示例中所示的提示。Consider using a prompt as shown in this example. 这样, 你的密码就不会出现在控制台的命令历史记录中。That way, your password won't appear in your console's command history.

接下来, 键入以下命令, 然后按 ENTER 键。Next, type the following command, and then press the ENTER key.

azcopy login --service-principal --application-id <application-id>

<application-id>将占位符替换为服务主体应用注册的应用程序 ID。Replace the <application-id> placeholder with the application ID of your service principal's app registration.

使用证书Using a certificate

如果你想要使用自己的凭据进行授权, 则可以将证书上传到应用注册, 然后使用该证书登录。If you prefer to use your own credentials for authorization, you can upload a certificate to your app registration, and then use that certificate to login.

除了将证书上传到应用注册, 还需要将证书副本保存到运行 AzCopy 的计算机或 VM。In addition to uploading your certificate to your app registration, you'll also need to have a copy of the certificate saved to the machine or VM where AzCopy will be running. 此证书副本应在中。PFX 或。PEM 格式, 必须包含私钥。This copy of the certificate should be in .PFX or .PEM format, and must include the private key. 私钥应受密码保护。The private key should be password-protected. 如果使用的是 Windows, 且证书仅存在于证书存储中, 请确保将该证书导出到 PFX 文件 (包括私钥)。If you're using Windows, and your certificate exists only in a certificate store, make sure to export that certificate to a PFX file (including the private key). 有关指南, 请参阅get-pfxcertificateFor guidance, see Export-PfxCertificate

接下来, 将AZCOPY_SPA_CERT_PASSWORD环境变量设置为证书密码。Next, set the AZCOPY_SPA_CERT_PASSWORD environment variable to the certificate password.

备注

请确保在命令提示符下设置此值, 而不是在操作系统的环境变量设置中设置。Make sure to set this value from your command prompt, and not in the environment variable settings of your operating system. 这样, 该值仅对当前会话可用。That way, the value is available only to the current session.

此示例演示如何在 PowerShell 中执行此任务。This example shows how you could do this task in PowerShell.

$env:AZCOPY_SPA_CERT_PASSWORD="$(Read-Host -prompt "Enter key")"

接下来, 键入以下命令, 然后按 ENTER 键。Next, type the following command, and then press the ENTER key.

azcopy login --service-principal --certificate-path <path-to-certificate-file>

<path-to-certificate-file>将占位符替换为证书文件的相对或完全限定路径。Replace the <path-to-certificate-file> placeholder with the relative or fully-qualified path to the certificate file. AzCopy 保存此证书的路径, 但它并不保存证书的副本, 因此请确保将该证书保留下来。AzCopy saves the path to this certificate but it doesn't save a copy of the certificate, so make sure to keep that certificate in place.

备注

请考虑使用本示例中所示的提示。Consider using a prompt as shown in this example. 这样, 你的密码就不会出现在控制台的命令历史记录中。That way, your password won't appear in your console's command history.

对托管标识进行身份验证Authenticate a managed identity

如果计划在运行无需用户交互的脚本中使用 AzCopy, 并且该脚本从 Azure 虚拟机 (VM) 运行, 则这是一个不错的选择。This is a great option if you plan to use AzCopy inside of a script that runs without user interaction, and the script runs from an Azure Virtual Machine (VM). 使用此选项时, 不需要在 VM 上存储任何凭据。When using this option, you won't have to store any credentials on the VM.

你可以使用已在 VM 上启用的系统范围的托管标识登录到你的帐户, 也可以使用已分配给 VM 的用户分配的托管标识的客户端 ID、对象 ID 或资源 ID 登录到你的帐户。You can sign into your account by using the a system-wide managed identity that you've enabled on your VM, or by using the client ID, Object ID, or Resource ID of a user-assigned managed identity that you've assigned to your VM.

若要了解有关如何启用系统范围的托管标识或创建用户分配的托管标识的详细信息, 请参阅使用 Azure 门户在虚拟机上配置 Azure 资源的托管标识To learn more about how to enable a system-wide managed identity or create a user-assigned managed identity, see Configure managed identities for Azure resources on a VM using the Azure portal.

使用系统范围的托管标识Using a system-wide managed identity

首先, 请确保已在 VM 上启用了系统范围的托管标识。First, make sure that you've enabled a system-wide managed identity on your VM. 请参阅系统分配的托管标识See System-assigned managed identity.

然后, 在命令控制台中, 键入以下命令, 然后按 ENTER 键。Then, in your command console, type the following command, and then press the ENTER key.

azcopy login --identity
使用用户分配的托管标识Using a user-assigned managed identity

首先, 请确保已在 VM 上启用用户分配的托管标识。First, make sure that you've enabled a user-assigned managed identity on your VM. 请参阅用户分配的托管标识See User-assigned managed identity.

然后, 在命令控制台中, 键入以下任意命令, 然后按 ENTER 键。Then, in your command console, type any of the following commands, and then press the ENTER key.

azcopy login --identity --identity-client-id "<client-id>"

<client-id>将占位符替换为用户分配的托管标识的客户端 ID。Replace the <client-id> placeholder with the client ID of the user-assigned managed identity.

azcopy login --identity --identity-object-id "<object-id>"

<object-id>将占位符替换为用户分配的托管标识的对象 ID。Replace the <object-id> placeholder with the object ID of the user-assigned managed identity.

azcopy login --identity --identity-resource-id "<resource-id>"

<resource-id>将占位符替换为用户分配的托管标识的资源 ID。Replace the <resource-id> placeholder with the resource ID of the user-assigned managed identity.

选项 2:使用 SAS 令牌Option 2: Use a SAS token

可以将 SAS 令牌追加到在 AzCopy 命令中使用的每个源或目标 URL。You can append a SAS token to each source or destination URL that use in your AzCopy commands.

此示例命令将数据从本地目录递归复制到 blob 容器。This example command recursively copies data from a local directory to a blob container. 将一个虚构的 SAS 令牌追加到容器 URL 的末尾。A fictitious SAS token is appended to the end of the of the container URL.

azcopy copy "C:\local\path" "https://account.blob.core.windows.net/mycontainer1/?sv=2018-03-28&ss=bjqt&srt=sco&sp=rwddgcup&se=2019-05-01T05:01:17Z&st=2019-04-30T21:01:17Z&spr=https&sig=MGCXiyEzbtttkr3ewJIh2AR8KrghSy1DGM9ovN734bQF4%3D" --recursive=true

若要了解有关 SAS 令牌以及如何获取 SAS 令牌的详细信息, 请参阅使用共享访问签名 (SAS)To learn more about SAS tokens and how to obtain one, see Using shared access signatures (SAS).

传输文件Transfer files

验证身份或获取 SAS 令牌后, 可以开始传输文件。After you've authenticated your identity or obtained a SAS token, you can begin transferring files.

若要查找示例命令, 请参阅这些文章中的任何一篇。To find example commands, see any of these articles.

在脚本中使用 AzCopyUse AzCopy in a script

随着时间的推移, AzCopy下载链接将指向新版本的 AzCopy。Over time, the AzCopy download link will point to new versions of AzCopy. 如果脚本下载 AzCopy, 则在较新版本的 AzCopy 修改脚本所依赖的功能时, 脚本可能会停止工作。If your script downloads AzCopy, the script might stop working if a newer version of AzCopy modifies features that your script depends upon.

若要避免这些问题, 请获取 AzCopy 当前版本的静态 (无变化) 链接。To avoid these issues, obtain a static (un-changing) link to the current version of AzCopy. 这样一来, 你的脚本每次运行时都将下载相同的 AzCopy 版本。That way, your script downloads the same exact version of AzCopy each time that it runs.

若要获取该链接, 请运行以下命令:To obtain the link, run this command:

操作系统Operating system CommandCommand
LinuxLinux curl -v https://aka.ms/downloadazcopy-v10-linux
WindowsWindows (curl https://aka.ms/downloadazcopy-v10-windows -MaximumRedirection 0 -ErrorAction silentlycontinue).RawContent

备注

对于 Linux, --strip-components=1 tar在命令中删除包含版本名称的顶层文件夹, 然后将二进制文件直接提取到当前文件夹中。For Linux, --strip-components=1 on the tar command removes the top-level folder that contains the version name, and instead extracts the binary directly into the current folder. 这样, 只需要azcopy wget更新 URL, 就可以使用新版本的更新脚本。This allows the script to be updated with a new version of azcopy by only updating the wget URL.

该 URL 显示在此命令的输出中。The URL appears in the output of this command. 然后, 你的脚本可以通过使用该 URL 来下载 AzCopy。Your script can then download AzCopy by using that URL.

操作系统Operating system CommandCommand
LinuxLinux wget -O azcopyv10.tar https://azcopyvnext.azureedge.net/release20190301/azcopy_linux_amd64_10.0.8.tar.gz tar -xf azcopyv10.tar --strip-components=1 ./azcopy
WindowsWindows Invoke-WebRequest https://azcopyvnext.azureedge.net/release20190517/azcopy_windows_amd64_10.1.2.zip -OutFile azcopyv10.zip <<Unzip here>>

转义 SAS 令牌中的特殊字符Escape special characters in SAS tokens

在具有.cmd扩展名的批处理文件中, 必须对 SAS 令牌中显示%的字符进行转义。In batch files that have the .cmd extension, you'll have to escape the % characters that appear in SAS tokens. 为此, 可以在 SAS 令牌字符串%中的现有%字符旁边添加一个添加字符。You can do that by adding an addition % character next to existing % characters in the SAS token string.

在存储资源管理器中使用 AzCopyUse AzCopy in Storage Explorer

如果要利用 AzCopy 的性能优势, 但更喜欢使用存储资源管理器而不是命令行来与文件交互, 请在存储资源管理器中启用 AzCopy。If you want to leverage the performance advantages of AzCopy, but you prefer to use Storage Explorer rather than the command line to interact with your files, then enable AzCopy in Storage Explorer.

在存储资源管理器中, 选择 "预览->"以改进 Blob 上传和下载In Storage Explorer, choose Preview->Use AzCopy for Improved Blob Upload and Download.

在 Azure 存储资源管理器中启用 AzCopy 作为传输引擎

备注

如果在存储帐户上启用了分层命名空间, 则不需要启用此设置。You don't have to enable this setting if you've enabled a hierarchical namespace on your storage account. 这是因为存储资源管理器会在具有分层命名空间的存储帐户上自动使用 AzCopy。That's because Storage Explorer automatically uses AzCopy on storage accounts that have a hierarchical namespace.

存储资源管理器使用帐户密钥来执行操作, 因此登录到存储资源管理器后, 无需提供其他授权凭据。Storage Explorer uses your account key to perform operations, so after you sign into Storage Explorer, you won't need to provide additional authorization credentials.

使用以前版本的 AzCopyUse the previous version of AzCopy

如果需要使用早期版本的 AzCopy (AzCopy), 请参阅以下链接之一:If you need to use the previous version of AzCopy (AzCopy v8.1), see either of the following links:

配置、优化 AzCopy 并对其进行故障排除Configure, optimize, and troubleshoot AzCopy

请参阅配置、优化 AzCopy 并对其进行故障排除See Configure, optimize, and troubleshoot AzCopy

后续步骤Next steps

如果你有疑问、问题或一般性反馈, 请在 GitHub 页上提交。If you have questions, issues, or general feedback, submit them on GitHub page.