Authorize with Azure Active Directory

Azure Storage provides integration with Azure Active Directory (Azure AD) for identity-based authorization of requests to the Blob and Queue services. With Azure AD, you can use role-based access control (RBAC) to grant access to blob and queue resources to users, groups, or applications. You can grant permissions that are scoped to the level of an individual container or queue.

To learn more about Azure AD integration in Azure Storage, see Authorize access to Azure blobs and queues using Azure Active Directory.

For more information on the advantages of using Azure AD in your application, see Integrating with Azure Active Directory.

Tip

Authorizing access to blob and queue data with Azure AD provides superior security and ease of use over other authorization options. When you use Azure AD to authorize requests made from your applications, you avoid having to store your account access key with your code, as you do with Shared Key authorization. While you can continue to use Shared Key authorization with your blob and queue applications, Microsoft recommends moving to Azure AD where possible. For more information about Azure AD integration in Azure Storage, see Authorize access to Azure blobs and queues using Azure Active Directory.

Use OAuth access tokens for authentication

Azure Storage accepts OAuth 2.0 access tokens from the Azure AD tenant associated with the subscription that contains the storage account. Azure Storage accepts access tokens for:

  • Users
  • Service principals
  • Managed service identities for Azure resources
  • Applications using permissions delegated by users

Azure Storage exposes a single delegation scope named user_impersonation that permits applications to take any action allowed by the user.

To request tokens for Azure Storage, specify the value https://storage.azure.com/ for the Resource ID.

For more information on requesting access tokens from Azure AD for users and service principals, see Authentication scenarios for Azure AD.

For more information about requesting access tokens for resources configured with managed identities, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.

Call storage operations with OAuth tokens

To call Blob and Queue service operations using OAuth access tokens, pass the access token in the Authorization header using the Bearer scheme, and specify a service version of 2017-11-09 or higher, as shown in the following example:

Request:
GET /container/file.txt
x-ms-version: 2017-11-09
Authorization: Bearer eyJ0eXAiO...V09ccgQ
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: sampleoautheast2.blob.core.windows.net
accept-encoding: gzip, deflate

Response:
HTTP/1.1 200
status: 200
Content-Length: 28
Content-Type: text/plain
Content-MD5: dxG7IgOBzApXPcGHxGg5SA==
Last-Modified: Wed, 30 Jan 2019 07:21:32 GMT
Accept-Ranges: bytes
ETag: "0x8D686838F9E8BA7"
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-request-id: 09f31964-e01e-00a3-8066-d4e6c2000000
x-ms-version: 2017-11-09
x-ms-creation-time: Wed, 29 Aug 2018 04:22:47 GMT
x-ms-lease-status: unlocked
x-ms-lease-state: available
x-ms-blob-type: BlockBlob
x-ms-server-encrypted: true
Date: Wed, 06 Mar 2019 21:50:50 GMT
Welcome to Azure Storage!!

Bearer Challenge

Bearer challenge is part of the OAuth protocol (RFC 6750) and is used for authority discovery. For anonymous requests, or requests with an invalid OAuth bearer token, the server will return status code 401 (Unauthorized) with identity provider and resource information. Refer to the linked documentation for how to use these values during authentication with Azure AD.

Azure Storage Blob and Queue services return a bearer challenge for version 2019-12-12 and newer. Azure Data Lake Storage Gen2 returns a bearer challenge for version 2017-11-09 and newer.

The following is an example of a bearer challenge response when the client does not include a bearer token in an anonymous download blob request:

Request:
GET /container/file.txt
x-ms-version: 2019-12-12
Host: sampleoautheast2.blob.core.windows.net

Response:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer authorization_uri=https://login.microsoftonline.com/<tenant_id>/oauth2/authorize resource_uri=https://storage.azure.com

<?xml version="1.0" encoding="utf-8"?>
<Error>
    <Code>NoAuthenticationInformation</Code>
    <Message>Server failed to authenticate the request. Please refer to the information in the www-authenticate header.
RequestId:ec4f02d7-1003-0006-21f9-c55bc8000000
Time:2020-01-08T08:01:46.2063459Z</Message>
</Error>

Parameter | Description
authorization_uri | The URI (physical endpoint) of the authorization server. This value is also used as a lookup key to get more information about the server from a discovery endpoint. The client must validate that the authorization server is trusted. When the resource is protected by Azure AD, it is sufficient to verify that the URL begins with https://login.microsoftonline.com or another hostname that Azure AD supports. A tenant-specific resource should always return a tenant-specific authorization URI.
resource_id | Returns the unique identifier of the resource. The client application can use this identifier as the value of the resource parameter when it requests an access token for the resource. It is important for the client application to verify this value, otherwise a malicious service might be able to induce an elevation-of-privileges attack. The recommended strategy for preventing such an attack is to verify that the resource_id matches the base of the web API URL that is being accessed. https://storage.azure.com is the generally used Azure Storage resource ID.
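The client-side flow described in the last two sections (send the bearer token with a sufficiently new x-ms-version, and, on a 401, parse and validate the challenge before using it to request a token) as an added example. This is not code from the page or from any Microsoft SDK; the sample challenge is constructed from the 401 response above with a placeholder tenant id, the trusted-host list is limited to login.microsoftonline.com as an assumption, and the parser accepts both the resource_uri key seen in the sample header and the resource_id key used in the parameter table. Because the page fixes the Azure Storage resource ID at https://storage.azure.com, the "resource matches the API being accessed" check is implemented as an equality check against the resource the client expects for that API.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the 401 challenge shown above (tenant id is a placeholder).
SAMPLE_CHALLENGE = (
    "Bearer authorization_uri=https://login.microsoftonline.com/"
    "00000000-0000-0000-0000-000000000000/oauth2/authorize "
    "resource_uri=https://storage.azure.com"
)

MIN_OAUTH_VERSION = "2017-11-09"                    # first x-ms-version that accepts bearer tokens
STORAGE_RESOURCE_ID = "https://storage.azure.com"   # resource ID used for Azure Storage tokens
# Assumption: only the global Azure AD endpoint is trusted here; other Azure AD hosts are omitted.
TRUSTED_AUTHORITY_HOSTS = ("login.microsoftonline.com",)


def parse_bearer_challenge(header):
    """Parse a 'WWW-Authenticate: Bearer ...' value into a dict of lower-cased parameters.

    Accepts the space-separated form Azure Storage emits as well as the comma-separated
    form of RFC 6750; values may be quoted. Returns None for a non-Bearer challenge.
    """
    if not header or not header.strip().lower().startswith("bearer"):
        return None
    body = header.strip()[len("Bearer"):]
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', body):
        params[key.lower()] = quoted or bare
    return params


def validate_challenge(params, expected_resource):
    """Apply the client-side checks the parameter table calls for.

    1. authorization_uri must be an https URL on a trusted Azure AD host and must be
       tenant-specific (not one of the shared 'common' style endpoints).
    2. The resource in the challenge must equal the resource the client already expects
       for the API it is calling (https://storage.azure.com for Azure Storage). Accepting
       whatever resource the server names would let a malicious endpoint steer the client
       into requesting a token for something else.
    Returns (tenant_id, resource) or raises ValueError.
    """
    auth_uri = params.get("authorization_uri")
    # The table documents the parameter as resource_id; the sample header spells it resource_uri.
    resource = params.get("resource_uri") or params.get("resource_id")
    if not auth_uri or not resource:
        raise ValueError("challenge is missing authorization_uri or resource")
    auth = urlparse(auth_uri)
    if auth.scheme != "https" or auth.hostname not in TRUSTED_AUTHORITY_HOSTS:
        raise ValueError(f"untrusted authorization server: {auth_uri}")
    segments = [s for s in auth.path.split("/") if s]
    if not segments or segments[0] in ("common", "organizations", "consumers"):
        raise ValueError("expected a tenant-specific authorization URI")
    if resource.rstrip("/") != expected_resource.rstrip("/"):
        raise ValueError(f"challenge resource {resource!r} is not the expected {expected_resource!r}")
    return segments[0], expected_resource


def build_bearer_headers(access_token, service_version="2019-12-12"):
    """Headers for an OAuth-authorized Blob or Queue request, as in the GET example above."""
    if service_version < MIN_OAUTH_VERSION:        # ISO dates compare correctly as strings
        raise ValueError(f"x-ms-version {service_version} predates OAuth support ({MIN_OAUTH_VERSION})")
    return {"Authorization": f"Bearer {access_token}", "x-ms-version": service_version}


if __name__ == "__main__":
    tenant, resource = validate_challenge(parse_bearer_challenge(SAMPLE_CHALLENGE), STORAGE_RESOURCE_ID)
    print("tenant:", tenant, "resource:", resource)
    print(build_bearer_headers("<access_token>"))
```

The tenant id returned by validate_challenge is what a client would feed into its token request; the access token itself is obtained from Azure AD as described in the linked authentication documentation and is not produced by this code.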

Manage access rights with RBAC

Azure AD handles the authorization of access to secured resources through RBAC. Using RBAC, you can assign roles to users, groups, or service principals. Each role encompasses a set of permissions for a resource. Once the role is assigned to the user, group, or service principal, they have access to that resource. You can assign access rights using the Azure portal, Azure command-line tools, and Azure Management APIs. For more information on RBAC, see Get started with Role-Based Access Control.

For Azure Storage, you can grant access to data in a container or queue in the storage account. Azure Storage offers these built-in RBAC roles for use with Azure AD:

For more information about how built-in roles are defined for Azure Storage, see Understand role definitions for Azure resources.

You can also define custom roles for use with Blob storage and Azure Queues. For more information, see Create custom roles for Azure Role-Based Access Control.

Permissions for calling blob and queue data operations

The following tables describe the permissions necessary for an Azure AD user, group, or service principal to call specific Azure Storage operations. To enable a client to call a particular operation, ensure that the client's assigned RBAC role offers sufficient permissions for that operation.

Permissions for Blob service operations

Blob service operation | RBAC action
List Containers | Microsoft.Storage/storageAccounts/blobServices/containers/read (scoped to the storage account)
Set Blob Service Properties | Microsoft.Storage/storageAccounts/blobServices/write
Get Blob Service Properties | Microsoft.Storage/storageAccounts/blobServices/read
Preflight Blob Request | Anonymous
Get Blob Service Stats | Microsoft.Storage/storageAccounts/blobServices/read
Get User Delegation Key | Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey
Create Container | Microsoft.Storage/storageAccounts/blobServices/containers/write
Get Container Properties | Microsoft.Storage/storageAccounts/blobServices/containers/read
Get Container Metadata | Microsoft.Storage/storageAccounts/blobServices/containers/read
Set Container Metadata | Microsoft.Storage/storageAccounts/blobServices/containers/write
Get Container ACL | Not available via OAuth
Set Container ACL | Not available via OAuth
Delete Container | Microsoft.Storage/storageAccounts/blobServices/containers/delete
Lease Container | Microsoft.Storage/storageAccounts/blobServices/containers/write
List Blobs | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read (scoped to the container)
Put Blob | For create or replace: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
         | To create a new blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Get Blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Get Blob Properties | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Set Blob Properties | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Blob Metadata | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Set Blob Metadata | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Lease Blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Snapshot Blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or
              | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Copy Blob | For the destination blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action (when writing a new blob to the destination)
          | For a source blob in the same storage account: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
          | For a source blob in a different storage account: available anonymously, or include a valid SAS token
Abort Copy Blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Delete Blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete
Put Block | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Put Block List | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Block List | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Put Page | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
Get Page Ranges | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
Incremental Copy Blob | For the destination blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
                      | For the source blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
                      | For a new blob: Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action
Append Block | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write or Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action

Permissions for Queue service operations

Queue service operation | RBAC action
List Queues | Microsoft.Storage/storageAccounts/queueServices/queues/read (scoped to the storage account)
Set Queue Service Properties | Microsoft.Storage/storageAccounts/queueServices/read
Get Queue Service Properties | Microsoft.Storage/storageAccounts/queueServices/read
Preflight Queue Request | Anonymous
Get Queue Service Stats | Microsoft.Storage/storageAccounts/queueServices/read
Create Queue | Microsoft.Storage/storageAccounts/queueServices/queues/write
Delete Queue | Microsoft.Storage/storageAccounts/queueServices/queues/delete
Get Queue Metadata | Microsoft.Storage/storageAccounts/queueServices/queues/read
Set Queue Metadata | Microsoft.Storage/storageAccounts/queueServices/queues/write
Get Queue ACL | Not available via OAuth
Set Queue ACL | Not available via OAuth
Put Message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action or Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
Get Messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action or (Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete and Microsoft.Storage/storageAccounts/queueServices/queues/messages/read)
Peek Messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/read
Delete Message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action or Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Clear Messages | Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete
Update Message | Microsoft.Storage/storageAccounts/queueServices/queues/messages/write
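The two permissions tables are effectively a policy: an operation is callable when at least one alternative in its row is fully covered by the caller's role assignments (Get Messages, for instance, needs either process/action or both delete and read). The following added example, which is not code from the page or from Microsoft, turns a subset of both tables into data and checks a set of role assignments against it, reporting which action is still missing so that the smallest additional grant can be chosen. The role definitions are constructed samples, not the real built-in roles; the example assumes Azure's wildcard semantics (a '*' in an action pattern matches any run of characters, names compare case-insensitively) and models NotActions carve-outs the same way. It goes beyond the page in handling wildcard and carve-out patterns, which the tables do not discuss.

```python
import fnmatch

BLOB = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/"
QUEUE = "Microsoft.Storage/storageAccounts/queueServices/queues/messages/"

# Requirements transcribed from the tables above. Each operation maps to a list of
# alternatives (any one suffices); each alternative is a set of actions that must all
# be granted. An empty list means the operation is not available via OAuth.
OPERATIONS = {
    "Get Blob":            [{BLOB + "read"}],
    "Put Blob (new blob)": [{BLOB + "write"}, {BLOB + "add/action"}],
    "Put Blob (replace)":  [{BLOB + "write"}],
    "Delete Blob":         [{BLOB + "delete"}],
    "Append Block":        [{BLOB + "write"}, {BLOB + "add/action"}],
    "Get Container ACL":   [],
    "Peek Messages":       [{QUEUE + "read"}],
    "Put Message":         [{QUEUE + "add/action"}, {QUEUE + "write"}],
    "Get Messages":        [{QUEUE + "process/action"}, {QUEUE + "delete", QUEUE + "read"}],
    "Delete Message":      [{QUEUE + "process/action"}, {QUEUE + "delete"}],
}

# Constructed sample role definitions (not the real built-in roles): "actions" are the
# permitted action patterns, "not_actions" are carve-outs; both may use the '*' wildcard.
ROLES = {
    "blob-reader": {"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                                BLOB + "read"]},
    "blob-writer-no-delete": {"actions": [BLOB + "*"], "not_actions": [BLOB + "delete"]},
    "queue-peeker": {"actions": [QUEUE + "read"]},
    "queue-processor": {"actions": [QUEUE + "read", QUEUE + "process/action", QUEUE + "delete"]},
}


def action_granted(action, role):
    """True if a permitted pattern matches the action and no not_actions pattern does.

    Assumption: '*' matches any run of characters including '/', and action names
    compare case-insensitively, which is how Azure RBAC treats action strings.
    """
    a = action.lower()
    granted = any(fnmatch.fnmatchcase(a, p.lower()) for p in role.get("actions", []))
    denied = any(fnmatch.fnmatchcase(a, p.lower()) for p in role.get("not_actions", []))
    return granted and not denied


def missing_actions(operation, role_names):
    """Return the actions still missing for the easiest-to-satisfy alternative.

    An empty set means the operation is allowed; None means it is not available via OAuth.
    """
    alternatives = OPERATIONS[operation]
    if not alternatives:
        return None
    roles = [ROLES[n] for n in role_names]
    gaps = [{a for a in alt if not any(action_granted(a, r) for r in roles)} for alt in alternatives]
    return min(gaps, key=lambda g: (len(g), sorted(g)))


def can_call(operation, role_names):
    """True if the combined role assignments satisfy at least one alternative."""
    return missing_actions(operation, role_names) == set()


if __name__ == "__main__":
    for op in OPERATIONS:
        print(f"{op:22} blob-reader={can_call(op, ['blob-reader'])!s:5} "
              f"queue-processor={can_call(op, ['queue-processor'])}")
```

Running the block prints, for each operation, whether the constructed reader and processor roles can call it. Note that the ACL rows return None rather than False from missing_actions: no role assignment makes those operations callable over OAuth, so adding grants for them is pointless and the caller must use another authorization scheme.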

See also