Grant limited access to Azure Storage resources using shared access signatures (SAS)

A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data: you can control which resources the client may access, which permissions it has on those resources, and how long the SAS is valid, among other parameters.

Types of shared access signatures

Azure Storage supports three types of shared access signatures:

  • User delegation SAS. A user delegation SAS is secured with Azure Active Directory (Azure AD) credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

    For more information about the user delegation SAS, see Create a user delegation SAS (REST API).

  • Service SAS. A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

    For more information about the service SAS, see Create a service SAS (REST API).

  • Account SAS. An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS. Additionally, with the account SAS you can delegate access to operations that apply at the level of the service, such as Get/Set Service Properties and Get Service Stats. You can also delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS.

    For more information about the account SAS, see Create an account SAS (REST API).

Note

Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.

A shared access signature can take one of two forms:

  • Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI (or implied, if the start time is omitted). Any type of SAS can be an ad hoc SAS.
  • Service SAS with stored access policy: A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints (start time, expiry time, and permissions) defined for the stored access policy.

Note

A user delegation SAS or an account SAS must be an ad hoc SAS. Stored access policies are not supported for the user delegation SAS or the account SAS.

How a shared access signature works

A shared access signature is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. Azure Storage uses this signature to authorize access to the storage resource.

SAS signature

You can sign a SAS in one of two ways:

  • With a user delegation key that was created using Azure Active Directory (Azure AD) credentials. A user delegation SAS is signed with the user delegation key.

    To get the user delegation key and create the SAS, an Azure AD security principal must be assigned a role-based access control (RBAC) role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. For detailed information about RBAC roles with permissions to get the user delegation key, see Create a user delegation SAS (REST API).

  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

SAS token

The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way, so the service cannot enumerate the tokens that exist or revoke one individually; revocation works by rotating the key the token was signed with, or by removing or changing the stored access policy it references. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account.

When a client application provides a SAS URI to Azure Storage as part of a request, the service checks the SAS parameters and signature to verify that it is valid for authorizing the request. If the service verifies that the signature is valid, then the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

Here's an example of a service SAS URI, showing the resource URI and the SAS token:

[Diagram: Components of a service SAS URI]
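To make the mechanism above concrete, here is an added example (not code from this page, from Microsoft, or from the Azure SDK) that builds a service SAS for a single blob in the way the REST reference specifies for service versions 2018-11-09 through 2020-10-02, and then models the check Azure Storage performs when it receives the SAS URI: recompute the HMAC-SHA256 over the string-to-sign with the account key, compare it with the `sig` parameter, and only then enforce the signed time window, protocol and permissions. The account name `contosostorage`, the demo account key, the `verify_request` function and its status/reason strings are constructed for this example.

```python
"""Service SAS signing plus a model of the server-side check.

Added example, not Microsoft's code or the Azure SDK. The string-to-sign
follows the documented service SAS layout for service versions 2018-11-09
through 2020-10-02 (blob resource, no stored access policy). The account
key, account name and verify_request() are constructed stand-ins for the
portal key and for what Azure Storage does when it receives a SAS URI.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real account key never belongs in client code.
DEMO_ACCOUNT_KEY = base64.b64encode(b"\x11" * 64).decode()
API_VERSION = "2019-12-12"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _string_to_sign(account, container, blob, p):
    """Fixed field order from the REST spec; unused fields stay empty so the
    HMAC still covers every parameter a client could tamper with."""
    fields = [p.get("sp", ""), p.get("st", ""), p.get("se", ""),
              f"/blob/{account}/{container}/{blob}",      # canonicalizedResource
              p.get("si", ""), p.get("sip", ""), p.get("spr", ""),
              p.get("sv", ""), p.get("sr", ""),
              "",                                         # signedSnapshotTime (sr=bs only)
              p.get("rscc", ""), p.get("rscd", ""), p.get("rsce", ""),
              p.get("rscl", ""), p.get("rsct", "")]       # response header overrides
    return "\n".join(fields)

def _sign(account_key_b64, string_to_sign):
    """sig = Base64(HMAC-SHA256(Base64Decode(key), UTF-8(string-to-sign)))."""
    mac = hmac.new(base64.b64decode(account_key_b64),
                   string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def make_service_sas(account, container, blob, permissions, expiry,
                     account_key_b64, start=None, protocol="https"):
    """Return the SAS token (query string) for one blob."""
    params = {"sv": API_VERSION, "sr": "b", "sp": permissions,
              "se": expiry.strftime(TIME_FMT), "spr": protocol}
    if start is not None:                 # omitting st avoids clock-skew failures
        params["st"] = start.strftime(TIME_FMT)
    params["sig"] = _sign(account_key_b64, _string_to_sign(account, container, blob, params))
    return urlencode(params)

def _utc(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)

def verify_request(sas_uri, account_key_b64, needed_permission, now):
    """Recompute the signature from the request, then enforce the signed
    constraints. Returns (HTTP status, reason); the reasons are illustrative."""
    parts = urlsplit(sas_uri)
    account = parts.hostname.split(".")[0]
    container, _, blob = parts.path.lstrip("/").partition("/")
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    expected = _sign(account_key_b64, _string_to_sign(account, container, blob, q))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return 403, "signature mismatch (tampered token or wrong key)"
    if "st" in q and now < _utc(q["st"]):
        return 403, "SAS not yet valid"
    if now >= _utc(q["se"]):
        return 403, "SAS expired"
    if q.get("spr") == "https" and parts.scheme != "https":
        return 403, "HTTPS required by spr"
    if needed_permission not in q.get("sp", ""):
        return 403, f"permission '{needed_permission}' not granted"
    return 200, "authorized"

def demo():
    """Issue a one-hour read-only blob SAS and exercise the checks."""
    account, container, blob = "contosostorage", "uploads", "report.csv"
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    token = make_service_sas(account, container, blob, "r",
                             now + timedelta(hours=1), DEMO_ACCOUNT_KEY)
    uri = f"https://{account}.blob.core.windows.net/{container}/{blob}?{token}"
    other_key = base64.b64encode(b"\x22" * 64).decode()     # constructed, unrelated key
    return {
        "valid_read": verify_request(uri, DEMO_ACCOUNT_KEY, "r", now),
        "write_with_read_only_sas": verify_request(uri, DEMO_ACCOUNT_KEY, "w", now),
        # Client rewrites sp=r to sp=rw: the HMAC over the parameters no longer matches.
        "tampered_permissions": verify_request(uri.replace("sp=r&", "sp=rw&"), DEMO_ACCOUNT_KEY, "w", now),
        "expired": verify_request(uri, DEMO_ACCOUNT_KEY, "r", now + timedelta(hours=2)),
        "over_http": verify_request(uri.replace("https://", "http://", 1), DEMO_ACCOUNT_KEY, "r", now),
        "wrong_key": verify_request(uri, other_key, "r", now),
    }

if __name__ == "__main__":
    for name, (status, reason) in demo().items():
        print(f"{name:26s} {status}  {reason}")
```

Two points the code makes that the prose only implies: the signature is computed over the parameters, not over the URI scheme, so an HTTPS-only token presented over plain HTTP fails on the `spr` check rather than on the signature; and every 403 looks the same to the client, so a leaked token that has been tampered with, has expired, or was signed with a rotated key is indistinguishable from the outside.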

When to use a shared access signature

Use a SAS when you want to provide secure access to resources in your storage account to any client who does not otherwise have permissions to those resources.

A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:

  1. Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy service has the advantage of allowing validation of business rules, but for large amounts of data or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.

    [Scenario diagram: Front-end proxy service]

  2. A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly with the permissions defined by the SAS and for the interval allowed by the SAS. The SAS removes the need to route all data through the front-end proxy service.

    [Scenario diagram: SAS provider service]

Many real-world services may use a hybrid of these two approaches. For example, some data might be processed and validated via the front-end proxy, while other data is saved and/or read directly using SAS.

Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:

  • When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.
  • When you copy a file to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.
  • When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.

Best practices when using SAS

When you use shared access signatures in your applications, you need to be aware of two potential risks:

  • If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
  • If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

The following recommendations for using shared access signatures can help mitigate these risks:

  • Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the intended user could have, potentially compromising sensitive data or allowing for data corruption by the malicious user.
  • Use a user delegation SAS when possible. A user delegation SAS provides superior security to a service SAS or an account SAS. A user delegation SAS is secured with Azure AD credentials, so you do not need to store your account key with your code.
  • Have a revocation plan in place for a SAS. Make sure you are prepared to respond if a SAS is compromised.
  • Define a stored access policy for a service SAS. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. You can set the expiry on these policies far in the future (or leave it unbounded), because editing or deleting the policy revokes every SAS that references it; make sure the expiry is regularly updated to move it farther into the future.
  • Use near-term expiration times on an ad hoc service SAS or account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.
  • Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then this may be unnecessary as the SAS is not expected to be renewed. However, if you have a client that is routinely making requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that the client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to successful renewal).
  • Be careful with SAS start time. If you set the start time for a SAS to now, then due to clock skew (differences in current time according to different machines), failures may be observed intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don't set it at all, which makes the SAS valid immediately in all cases. The same generally applies to expiry time as well: remember that you may observe up to 15 minutes of clock skew in either direction on any request. For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that does not reference a stored access policy is 1 hour, and any SAS specifying a longer term than that will fail.
  • Be careful with SAS datetime format. If you set the start time and/or expiry for a SAS, some utilities (for example the command-line utility AzCopy) need the datetime in the format '+%Y-%m-%dT%H:%M:%SZ' (for example 2019-01-01T00:00:00Z), specifically including the seconds, in order for the SAS token to work.
  • Be specific with the resource to be accessed. A security best practice is to provide a user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. This also helps lessen the damage if a SAS is compromised, because the SAS has less power in the hands of an attacker.
  • Understand that your account will be billed for any usage, including via a SAS. If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you've given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use a short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).
  • Validate data written using a SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If your application requires that data be validated or authorized before it is ready to use, you should perform this validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS or by a user exploiting a leaked SAS.
  • Know when not to use a SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of using a SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For example, if you want to make all blobs in a container publicly readable, you can set the container's public access level, rather than providing a SAS to every client for access.
  • Use Azure Monitor and Azure Storage logs to monitor your application. You can use Azure Monitor and storage analytics logging to observe any spike in authorization failures due to an outage in your SAS provider service or to the inadvertent removal of a stored access policy. For more information, see Azure Storage metrics in Azure Monitor and Azure Storage Analytics logging.
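As an added example (not Microsoft's code or an Azure tool), the following check runs over a SAS URI before a provider service hands it to a client and flags the issues the list above describes: plain HTTP, a token that does not require HTTPS (`spr`), an ad hoc lifetime longer than one hour, a start time inside the 15-minute clock-skew window, write-class permissions on an entire container, and an account SAS that spans several services. The finding codes, the one-hour threshold and the sample URIs (whose `sig` values are placeholders, not real signatures) are this example's own constructions.

```python
"""Pre-distribution checks on a SAS URI, following the best practices above.

Added example, not Microsoft's code or an Azure tool. The finding codes, the
one-hour ceiling for an ad hoc SAS and the sample URIs (whose sig values are
placeholders, not real signatures) are this example's own constructions.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_ADHOC_LIFETIME = 60 * 60        # assumption: an ad hoc SAS should live an hour or less
CLOCK_SKEW = 15 * 60                # skew allowance recommended above
WRITE_CLASS = set("wdac")           # write, delete, add, create permission letters

def _utc(ts):
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)

def sas_findings(sas_uri, now):
    """Return finding codes for one SAS URI; an empty list means nothing was flagged."""
    parts = urlsplit(sas_uri)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("uri-not-https")              # token exposed to interception
    if q.get("spr") != "https":
        findings.append("spr-not-https-only")         # token itself usable over HTTP
    if not q.get("sig"):
        findings.append("missing-signature")
    policy_backed = bool(q.get("si"))                 # stored access policy: revocable
    account_sas = "ss" in q or "srt" in q
    if "se" in q:
        remaining = (_utc(q["se"]) - now).total_seconds()
        if remaining <= 0:
            findings.append("already-expired")
        elif remaining > MAX_ADHOC_LIFETIME and not policy_backed:
            findings.append("adhoc-lifetime-too-long")
    elif not policy_backed:
        findings.append("no-expiry")
    if "st" in q and (now - _utc(q["st"])).total_seconds() < CLOCK_SKEW:
        findings.append("start-time-inside-skew-window")   # intermittent 403s likely
    if set(q.get("sp", "")) & WRITE_CLASS and q.get("sr") == "c":
        findings.append("write-class-rights-on-whole-container")
    if account_sas:
        findings.append("account-sas-review-scope")   # can reach service-level operations
        if len(q.get("ss", "")) > 1:
            findings.append("account-sas-spans-multiple-services")
    return findings

# Constructed samples evaluated at a fixed "now" so the results are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "weak": ("http://contosostorage.blob.core.windows.net/uploads"
             "?sv=2019-12-12&sr=c&sp=racwdl&st=2024-01-01T11:55:00Z"
             "&se=2024-12-31T00:00:00Z&sig=PLACEHOLDER"),
    "hardened": ("https://contosostorage.blob.core.windows.net/uploads/report.csv"
                 "?sv=2019-12-12&sr=b&sp=r&st=2024-01-01T11:40:00Z"
                 "&se=2024-01-01T12:30:00Z&spr=https&sig=PLACEHOLDER"),
    "policy_backed": ("https://contosostorage.blob.core.windows.net/uploads"
                      "?sv=2019-12-12&sr=c&si=readers&sp=r&spr=https&sig=PLACEHOLDER"),
    "account_wide": ("https://contosostorage.blob.core.windows.net/"
                     "?sv=2019-12-12&ss=bfqt&srt=sco&sp=rwdlacup"
                     "&se=2024-01-01T12:30:00Z&spr=https&sig=PLACEHOLDER"),
}

def check_samples():
    return {name: sas_findings(uri, NOW) for name, uri in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in check_samples().items():
        print(f"{name:14s} {findings or 'OK'}")
```

The policy-backed sample passes without an `se` parameter because its lifetime and revocation are controlled by the stored access policy named in `si`; an ad hoc token with the same omission is flagged, since nothing else bounds it. The check deliberately does not verify the signature: the provider already holds the key and signed the token itself, and what can go wrong at this point is the shape of what was signed.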

Get started with SAS

To get started with shared access signatures, see the following articles for each SAS type.

User delegation SAS

Service SAS

Account SAS

Next steps