Deploy private Resource Manager template with SAS token

When your template is located in a storage account, you can restrict access to the template to avoid exposing it publicly. You access a secured template by creating a shared access signature (SAS) token for the template, and providing that token during deployment. This article explains how to use Azure PowerShell or Azure CLI to deploy a template with a SAS token.

Create storage account with secured container

The following script creates a storage account and container with public access turned off.

Connect-AzAccount -Environment AzureChinaCloud

New-AzResourceGroup `
  -Name ExampleGroup `
  -Location "China North"
New-AzStorageAccount `
  -ResourceGroupName ExampleGroup `
  -Name {your-unique-name} `
  -Type Standard_LRS `
  -Location "China North"
Set-AzCurrentStorageAccount `
  -ResourceGroupName ExampleGroup `
  -Name {your-unique-name}
New-AzStorageContainer `
  -Name templates `
  -Permission Off

Upload template to storage account

Now you're ready to upload your template to the storage account. Provide the path to the template you want to use.

Set-AzStorageBlobContent `
  -Container templates `
  -File c:\Templates\azuredeploy.json

Provide SAS token during deployment

To deploy a private template in a storage account, generate a SAS token and include it in the URI for the template. Set the expiry time to allow enough time to complete the deployment.

Important

The blob containing the template is accessible only to the account owner. However, when you create a SAS token for the blob, the blob is accessible to anyone with that URI. If another user intercepts the URI, that user is able to access the template. A SAS token is a good way of limiting access to your templates, but you should not include sensitive data like passwords directly in the template.

# get the URI with the SAS token
$templateuri = New-AzStorageBlobSASToken `
  -Container templates `
  -Blob azuredeploy.json `
  -Permission r `
  -ExpiryTime (Get-Date).AddHours(2.0) -FullUri

# provide URI with SAS token during deployment
New-AzResourceGroupDeployment `
  -ResourceGroupName ExampleGroup `
  -TemplateUri $templateuri
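The snippet above grants read access for two hours. The following added example (not part of the original article, and not Microsoft's code) wraps the same steps in a few checks a practitioner would want before handing out the URI: it confirms the container still has public access turned off, issues a read-only, HTTPS-only SAS with a short lifetime, parses the resulting URI to confirm the `sp`, `spr` and `se` query parameters match that intent, and scans the local template for secure parameters that carry a default value (the kind of embedded secret the note above warns against). It assumes the Az.Storage and Az.Resources modules, the ExampleGroup resource group and the "templates" container from the earlier steps; the function names and the 30-minute lifetime are this example's own choices.

```powershell
# Added example: tightly scoped SAS for a private template, with pre-deployment checks.
# Assumes Connect-AzAccount and Set-AzCurrentStorageAccount have already been run as above.

function Test-TemplateContainerPrivate {
    # Fail if someone has since switched the container to Blob or Container public access.
    param([string]$ContainerName = 'templates')
    $container = Get-AzStorageContainer -Name $ContainerName
    if ($container.PublicAccess -ne 'Off') {
        throw "Container '$ContainerName' allows public access ($($container.PublicAccess)); expected Off."
    }
    return $true
}

function Test-TemplateHasNoSecretDefaults {
    # A securestring/secureObject parameter with a defaultValue is a secret baked into the template.
    param([Parameter(Mandatory)][string]$Path)
    $template = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $offenders = @()
    if ($null -ne $template.parameters) {
        foreach ($p in $template.parameters.PSObject.Properties) {
            $isSecure = $p.Value.type -in @('securestring', 'secureObject')
            if ($isSecure -and $null -ne $p.Value.defaultValue) { $offenders += $p.Name }
        }
    }
    if ($offenders.Count -gt 0) {
        throw "Template '$Path' has default values for secure parameters: $($offenders -join ', ')"
    }
    return $true
}

function New-ScopedTemplateSasUri {
    # Read-only, HTTPS-only, short-lived: the URI is a bearer credential, so keep its scope minimal.
    param(
        [string]$ContainerName = 'templates',
        [string]$BlobName = 'azuredeploy.json',
        [int]$ValidMinutes = 30
    )
    New-AzStorageBlobSASToken `
        -Container $ContainerName `
        -Blob $BlobName `
        -Permission r `
        -Protocol HttpsOnly `
        -StartTime (Get-Date).AddMinutes(-5) `
        -ExpiryTime (Get-Date).AddMinutes($ValidMinutes) `
        -FullUri
}

function Test-TemplateSasUri {
    # Inspect the SAS query string rather than trusting the cmdlet call that produced it.
    param([Parameter(Mandatory)][string]$Uri, [int]$MaxValidHours = 2)
    $u = [System.Uri]$Uri
    if ($u.Scheme -ne 'https') { throw "SAS URI must use https, got '$($u.Scheme)'." }

    $params = @{}
    foreach ($pair in ($u.Query.TrimStart('?') -split '&')) {
        $k, $v = $pair -split '=', 2
        $params[$k] = [System.Uri]::UnescapeDataString($v)
    }
    if ($params['sp'] -ne 'r')      { throw "Expected read-only permission (sp=r), got sp=$($params['sp'])." }
    if ($params['spr'] -ne 'https') { throw "Expected HTTPS-only (spr=https), got spr=$($params['spr'])." }

    $expiry = [DateTimeOffset]::Parse($params['se'])
    $remaining = $expiry - [DateTimeOffset]::UtcNow
    if ($remaining.TotalSeconds -le 0)               { throw "SAS token has already expired ($($params['se']))." }
    if ($remaining.TotalHours -gt $MaxValidHours)    { throw "SAS token valid for $([int]$remaining.TotalHours)h; limit is ${MaxValidHours}h." }
    return $true
}

# Usage: run the checks, then deploy exactly as in the article, using the checked URI.
Test-TemplateHasNoSecretDefaults -Path 'c:\Templates\azuredeploy.json'
Test-TemplateContainerPrivate
$templateUri = New-ScopedTemplateSasUri
Test-TemplateSasUri -Uri $templateUri
New-AzResourceGroupDeployment -ResourceGroupName ExampleGroup -TemplateUri $templateUri
```

The `sp`, `spr` and `se` names are the standard SAS query parameters for permissions, allowed protocol and expiry; checking them on the final URI catches a cmdlet call that was later edited to grant broader rights or a longer lifetime than intended.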

For an example of using a SAS token with linked templates, see Using linked templates with Azure Resource Manager.

Next steps