Create and manage blobs in Azure Blob Storage by using Azure Logic Apps

This article shows how you can access and manage files stored as blobs in your Azure storage account from inside a logic app with the Azure Blob Storage connector. That way, you can create logic apps that automate tasks and workflows for managing your files. For example, you can build logic apps that create, get, update, and delete files in your storage account.

Suppose that you have a tool that gets updated on an Azure website, which acts as the trigger for your logic app. When this event happens, you can have your logic app update some file in your blob storage container, which is an action in your logic app.

If you're new to logic apps, review What is Azure Logic Apps and Quickstart: Create your first logic app. For connector-specific technical information, see the Azure Blob Storage connector reference.

Important

Logic apps can't directly access storage accounts that are behind firewalls if they're both in the same region. As a workaround, you can have your logic apps and storage account in different regions. For more information about enabling access from Azure Logic Apps to storage accounts behind firewalls, see the Access storage accounts behind firewalls section later in this topic.

Limits

  • By default, Azure Blob Storage actions can read or write files that are 50 MB or smaller. To handle files larger than 50 MB but up to 1024 MB, Azure Blob Storage actions support message chunking. The Get blob content action implicitly uses chunking.

  • Azure Blob Storage triggers don't support chunking. When requesting file content, triggers select only files that are 50 MB or smaller. To get files larger than 50 MB, follow this pattern:

    • Use an Azure Blob Storage trigger that returns file properties, such as When a blob is added or modified (properties only).

    • Follow the trigger with the Azure Blob Storage Get blob content action, which reads the complete file and implicitly uses chunking.

Prerequisites

Add blob storage trigger

In Azure Logic Apps, every logic app must start with a trigger, which fires when a specific event happens or when a specific condition is met. Each time the trigger fires, the Logic Apps engine creates a logic app instance and starts running your app's workflow.

This example shows how you can start a logic app workflow with the When a blob is added or modified (properties only) trigger when a blob's properties get added or updated in your storage container.

  1. In the Azure portal or Visual Studio, create a blank logic app, which opens Logic App Designer. This example uses the Azure portal.

  2. In the search box, enter "azure blob" as your filter. From the triggers list, select the trigger you want.

    This example uses this trigger: When a blob is added or modified (properties only)

    Select Azure Blob Storage trigger

  3. If you're prompted for connection details, create your blob storage connection now. Or, if your connection already exists, provide the necessary information for the trigger.

    For this example, select the container and folder you want to monitor.

    1. In the Container box, select the folder icon.

    2. In the folder list, choose the right-angle bracket ( > ), and then browse until you find and select the folder you want.

      Select storage folder to use with trigger

    3. Select the interval and frequency for how often you want the trigger to check the folder for changes.

  4. When you're done, on the designer toolbar, choose Save.

  5. Now continue adding one or more actions to your logic app for the tasks you want to perform with the trigger results.

Add blob storage action

In Azure Logic Apps, an action is a step in your workflow that follows a trigger or another action. For this example, the logic app starts with the Recurrence trigger.

  1. In the Azure portal or Visual Studio, open your logic app in Logic App Designer. This example uses the Azure portal.

  2. In the Logic App Designer, under the trigger or action, choose New step.

    Add new step to logic app workflow

    To add an action between existing steps, move your mouse over the connecting arrow. Choose the plus sign (+) that appears, and select Add an action.

  3. In the search box, enter "azure blob" as your filter. From the actions list, select the action you want.

    This example uses this action: Get blob content

    Select Azure Blob Storage action

  4. If you're prompted for connection details, create your Azure Blob Storage connection now. Or, if your connection already exists, provide the necessary information for the action.

    For this example, select the file you want.

    1. From the Blob box, select the folder icon.

      Select storage folder to use with action

    2. Find and select the file you want based on the blob's ID number. You can find this ID number in the blob's metadata that is returned by the previously described blob storage trigger.

  5. When you're done, on the designer toolbar, choose Save. To test your logic app, make sure that the selected folder contains a blob.

This example only gets the contents for a blob. To view the contents, add another action that creates a file with the blob by using another connector. For example, add a OneDrive action that creates a file based on the blob contents.

Connect to storage account

Before your logic app can access any service, you must create a connection between your logic app and that service. If you didn't previously create this connection, you're prompted for connection information when you add a trigger or action for that service to your logic app. The Logic Apps Designer provides an easy way for you to create this connection directly from your logic app.

  1. When you're prompted to create the connection, provide this information:

    | Property | Required | Value | Description |
    |----------|----------|-------|-------------|
    | Connection Name | Yes | <connection-name> | The name to create for your connection |
    | Storage Account | Yes | <storage-account> | Select your storage account from the list. |

    For example:

    Create Azure Blob storage account connection

  2. When you're ready, select Create.

  3. After you create your connection, continue with Add blob storage trigger or Add blob storage action.

Connector reference

For more technical details about this connector, such as triggers, actions, and limits as described by the connector's Swagger file, see the connector's reference page.

Access storage accounts behind firewalls

You can add network security to an Azure storage account by restricting access with a firewall and firewall rules. However, this setup creates a challenge for Azure and other Microsoft services that need access to the storage account. Local communication in the datacenter abstracts the internal IP addresses, so you can't set up firewall rules with IP restrictions. For more information, see Configure Azure Storage firewalls and virtual networks.

Here are various options for accessing storage accounts behind firewalls from Azure Logic Apps by using either the Azure Blob Storage connector or other solutions:

Problems accessing storage accounts in the same region

Logic apps can't directly access storage accounts behind firewalls when they're both in the same region. As a workaround, put your logic apps in a region that differs from your storage account and give access to the outbound IP addresses for the managed connectors in your region.

Note

This solution doesn't apply to the Azure Table Storage connector and Azure Queue Storage connector. Instead, to access your Table Storage or Queue Storage, use the built-in HTTP trigger and actions.

Access storage accounts as a trusted service with managed identities

To give Microsoft trusted services access to a storage account through a firewall, you can set up an exception on that storage account for those services. This solution permits Azure services that support managed identities for authentication to access storage accounts behind firewalls as trusted services. Specifically, for a logic app in global multi-tenant Azure to access these storage accounts, you first enable managed identity support on the logic app. Then, you use the HTTP action or trigger in your logic app and set its authentication type to use your logic app's managed identity. For this scenario, you can use only the HTTP action or trigger.

To set up the exception and managed identity support, follow these general steps:

  1. On your storage account, under Settings, select Firewalls and virtual networks. Under Allow access from, select the Selected networks option so that the related settings appear.

  2. Under Exceptions, select Allow trusted Microsoft services to access this storage account, and then select Save.

    Select exception that allows Azure trusted services

  3. In your logic app's settings, enable support for the managed identity.

  4. In your logic app's workflow, add and set up the HTTP action or trigger to access the storage account or entity.

    Important

    For outgoing HTTP action or trigger calls to Azure Storage accounts, make sure that the request header includes the x-ms-version property and the API version for the operation that you want to run on the storage account. For more information, see Authenticate access with managed identity and Versioning for Azure Storage services.

  5. On that action, select the managed identity to use for authentication.
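
The header and authentication requirements from steps 4 and 5, as an added example that is not part of the original article: a Python check over a constructed Logic App resource that flags top-level HTTP actions calling Azure Storage without the x-ms-version header or without managed identity authentication. The sample resource, its placeholder names, and the function audit_storage_http_actions are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a Logic App resource trimmed to the fields checked here.
# Account, container and blob names are placeholders; "2019-02-02" is one
# example of a Storage API version.
SAMPLE_LOGIC_APP = json.loads("""
{"identity": {"type": "SystemAssigned"},
 "properties": {"definition": {"actions": {
   "Get_blob_ok": {"type": "Http", "inputs": {
     "method": "GET",
     "uri": "https://examplestorage.blob.core.windows.net/reports/q1.csv",
     "headers": {"x-ms-version": "2019-02-02"},
     "authentication": {"type": "ManagedServiceIdentity",
                        "audience": "https://storage.azure.com/"}}},
   "Get_blob_missing_header": {"type": "Http", "inputs": {
     "method": "GET",
     "uri": "https://examplestorage.blob.core.windows.net/reports/q2.csv",
     "authentication": {"type": "ManagedServiceIdentity",
                        "audience": "https://storage.azure.com/"}}}
 }}}}
""")

def audit_storage_http_actions(logic_app):
    """Return (action_name, problem) pairs for top-level HTTP actions that call Azure Storage."""
    findings = []
    # Step 3: the logic app needs a managed identity before it can be selected.
    if logic_app.get("identity", {}).get("type", "None") == "None":
        findings.append(("<logic app>", "managed identity not enabled"))
    actions = logic_app["properties"]["definition"].get("actions", {})
    for name, action in actions.items():  # nested scopes are not traversed
        inputs = action.get("inputs", {})
        host = urlparse(inputs.get("uri", "")).hostname or ""
        if action.get("type", "").lower() != "http" or not host.endswith(".core.windows.net"):
            continue
        # Step 4: header names are case-insensitive, so compare in lowercase.
        if "x-ms-version" not in {k.lower() for k in inputs.get("headers", {})}:
            findings.append((name, "missing x-ms-version header"))
        # Step 5: the action must authenticate with the managed identity.
        if inputs.get("authentication", {}).get("type") != "ManagedServiceIdentity":
            findings.append((name, "authentication is not the managed identity"))
    return findings

if __name__ == "__main__":
    for name, problem in audit_storage_http_actions(SAMPLE_LOGIC_APP):
        print(f"{name}: {problem}")
```
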

Access storage accounts through Azure API Management

If you use a dedicated tier for API Management, you can front the Storage API by using API Management and permitting the latter's IP addresses through the firewall. Basically, add the Azure virtual network that's used by API Management to the storage account's firewall setting. You can then use either the API Management action or the HTTP action to call the Azure Storage APIs. However, if you choose this option, you have to handle the authentication process yourself.

Next steps