Create SAS definition and fetch shared access signature tokens in code

You can manage your storage account with shared access signature (SAS) tokens stored in your key vault. For more information, see Grant limited access to Azure Storage resources using SAS.

Note

We recommend using Azure role-based access control (Azure RBAC) to secure your storage account for superior security and ease of use over Shared Key authorization.

This article provides samples of .NET code that creates a SAS definition and fetches SAS tokens. See our ShareLink sample for full details, including the generated client for Key Vault-managed storage accounts. For information on how to create and store SAS tokens, see Manage storage account keys with Key Vault and the Azure CLI or Manage storage account keys with Key Vault and Azure PowerShell.

Code samples

In the following example we'll create a SAS template:

private static string BuildSasDefinitionTemplate(bool readOnly) =>
    new StringBuilder("sv=2018-03-28")  // service version
        .Append("&spr=https")           // HTTPS only
        .Append("&ss=bf")               // blobs and files only
        .Append("&srt=o")               // applies to objects only
        .Append(readOnly ? "&sp=r" : "&sp=rw")  // read-only or read-write
        .ToString();
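The template above is just a query-string fragment, so it is easy to check before it is stored as a SAS definition. The following is an added example, not code from the article or from the ShareLink sample: it parses a template into its fields and rejects templates that are broader than a constructed least-privilege policy (HTTPS only, no service-level resource access, permissions limited to an allow-list). The policy values are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: validate a SAS definition template against a least-privilege policy
// before it is handed to SetSasDefinitionAsync. Not part of the article or the sample.
public static class SasTemplatePolicy
{
    // Assumed policy: only read, write and list may be requested through a stored definition.
    private static readonly HashSet<char> AllowedPermissions = new HashSet<char> { 'r', 'w', 'l' };

    // Split "sv=...&spr=...&sp=..." into a field dictionary; later duplicates overwrite earlier ones.
    public static Dictionary<string, string> Parse(string template)
    {
        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in template.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq <= 0)
                throw new FormatException($"Malformed SAS template field: '{pair}'");
            fields[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        return fields;
    }

    // Returns the list of policy violations; an empty list means the template is acceptable.
    public static IReadOnlyList<string> Validate(string template)
    {
        Dictionary<string, string> fields = Parse(template);
        var problems = new List<string>();

        if (!fields.ContainsKey("sv"))
            problems.Add("missing service version (sv)");

        if (!fields.TryGetValue("spr", out string spr) || spr != "https")
            problems.Add("token must be restricted to HTTPS (spr=https)");

        if (!fields.TryGetValue("sp", out string sp) || sp.Length == 0)
            problems.Add("missing permissions (sp)");
        else
        {
            char[] disallowed = sp.Where(c => !AllowedPermissions.Contains(c)).ToArray();
            if (disallowed.Length > 0)
                problems.Add($"permissions not allowed by policy: {new string(disallowed)}");
        }

        // srt=s grants service-level operations (e.g. listing containers); keep definitions to objects/containers.
        if (!fields.TryGetValue("srt", out string srt) || srt.IndexOf('s') >= 0)
            problems.Add("resource types must not include service-level access (srt must not contain 's')");

        return problems;
    }

    public static void Main()
    {
        // Constructed inputs: the article's read-only template and a deliberately broad variant.
        string[] templates =
        {
            "sv=2018-03-28&spr=https&ss=bf&srt=o&sp=r",
            "sv=2018-03-28&spr=https,http&ss=bfqt&srt=sco&sp=rwdlacup",
        };

        foreach (string template in templates)
        {
            IReadOnlyList<string> problems = Validate(template);
            Console.WriteLine(problems.Count == 0
                ? $"OK:     {template}"
                : $"REJECT: {template}\n  - {string.Join("\n  - ", problems)}");
        }
    }
}
```

Running this prints `OK` for the first template and `REJECT` with three findings for the second (non-HTTPS scheme allowed, permissions outside the allow-list, service-level resource type). Calling `Validate` before `SetSasDefinitionAsync` keeps an over-broad template from becoming a long-lived definition in the vault.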

Using this template, we can create a SAS definition using the ...

string sasDefinitionName = BuildSasDefinitionName(Tag, readOnly, duration);
SasDefinitionAttributes sasDefinitionAttributes = new SasDefinitionAttributes
{
    Enabled = true,
};

Dictionary<string, string> tags = new Dictionary<string, string>
{
    [Tag] = "1",
};

SasDefinitionBundle createdSasDefinition = await storageClient.SetSasDefinitionAsync(
    storageAccountName,
    sasDefinitionName,
    sasTemplate,
    SasTokenType.Account,
    duration,
    sasDefinitionAttributes,
    tags,
    s_cancellationTokenSource.Token);

Once the SAS definition is created, you can retrieve SAS tokens like secrets using a SecretClient. You need to preface the secret name with the storage account name followed by a dash:

// Build our SAS template, get an existing SAS definition, or create a new one.
string sasTemplate = BuildSasDefinitionTemplate(readOnly);
string sasDefinitionName = await GetOrCreateSasDefinitionAsync(storageClient, storageAccountName, sasTemplate, days, readOnly);

// Now we can create a SecretClient and generate a new SAS token from the storage account and SAS definition names.
SecretClient secretClient = new SecretClient(vaultUri, credential, options);
KeyVaultSecret sasToken = await secretClient.GetSecretAsync($"{storageAccountName}-{sasDefinitionName}", cancellationToken: s_cancellationTokenSource.Token);

If your shared access signature token is about to expire, you can fetch the same secret again to generate a new one.

For guidance on how to use a SAS token retrieved from Key Vault to access Azure Storage services, see Use an account SAS to access Blob service.

Note

Your app needs to be prepared to refresh the SAS if it gets a 403 from Storage, so that you can handle the case where a key was compromised and you need to rotate keys faster than the normal rotation period.
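The two preceding points, fetching the token as the secret "{storageAccountName}-{sasDefinitionName}" and re-fetching it when it is near expiry or when Storage returns 403, fit naturally in one small wrapper. The following is an added example, not code from the article or the ShareLink sample. It assumes the Azure.Identity, Azure.Security.KeyVault.Secrets and Azure.Storage.Blobs packages, a DefaultAzureCredential that can read the secret, and placeholder vault and blob endpoint URIs; the class and method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Threading;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Storage.Blobs;

// Added example: a BlobServiceClient whose SAS comes from a Key Vault-managed storage
// account secret and is refreshed on 403 or shortly before expiry. Not part of the article.
public sealed class KeyVaultSasBlobClient
{
    private readonly SecretClient _secretClient;
    private readonly string _secretName;              // "{storageAccountName}-{sasDefinitionName}"
    private readonly AzureSasCredential _sasCredential; // shared with Blobs; Update() swaps the token in place
    private readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1);

    public BlobServiceClient Blobs { get; }

    private KeyVaultSasBlobClient(SecretClient secretClient, string secretName, Uri blobEndpoint, string initialToken)
    {
        _secretClient = secretClient;
        _secretName = secretName;
        _sasCredential = new AzureSasCredential(initialToken);
        Blobs = new BlobServiceClient(blobEndpoint, _sasCredential);
    }

    // Every read of the secret makes Key Vault sign a fresh token, so creation is just a first read.
    public static async Task<KeyVaultSasBlobClient> CreateAsync(
        Uri vaultUri, Uri blobEndpoint, string storageAccountName, string sasDefinitionName, CancellationToken ct)
    {
        var secretClient = new SecretClient(vaultUri, new DefaultAzureCredential());
        string secretName = $"{storageAccountName}-{sasDefinitionName}";
        KeyVaultSecret secret = await secretClient.GetSecretAsync(secretName, cancellationToken: ct);
        return new KeyVaultSasBlobClient(secretClient, secretName, blobEndpoint, secret.Value);
    }

    // Re-read the secret and swap the new token into the credential the BlobServiceClient already holds.
    public async Task RefreshAsync(CancellationToken ct)
    {
        await _refreshLock.WaitAsync(ct);
        try
        {
            KeyVaultSecret secret = await _secretClient.GetSecretAsync(_secretName, cancellationToken: ct);
            _sasCredential.Update(secret.Value);
        }
        finally { _refreshLock.Release(); }
    }

    // True when the current token's "se" (expiry) field is missing, unparsable, or inside the given window.
    public bool ExpiresWithin(TimeSpan window)
    {
        foreach (string pair in _sasCredential.Signature.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            if (!pair.StartsWith("se=", StringComparison.Ordinal)) continue;
            string raw = Uri.UnescapeDataString(pair.Substring(3));
            if (DateTimeOffset.TryParse(raw, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out DateTimeOffset expiry))
                return expiry - DateTimeOffset.UtcNow <= window;
            return true; // unparsable expiry: treat as expired rather than trusting it
        }
        return true;     // no expiry field: refresh to be safe
    }

    // Run a storage operation, refreshing proactively near expiry and once more on a 403 from Storage.
    public async Task<T> RunAsync<T>(Func<BlobServiceClient, Task<T>> operation, CancellationToken ct)
    {
        if (ExpiresWithin(TimeSpan.FromMinutes(5)))
            await RefreshAsync(ct);
        try
        {
            return await operation(Blobs);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            await RefreshAsync(ct);          // key rotated or revoked: fetch a token signed with the current key
            return await operation(Blobs);   // a second 403 propagates to the caller
        }
    }
}

public static class Program
{
    public static async Task Main()
    {
        using var cts = new CancellationTokenSource(TimeSpan.FromMinutes(2));
        // Placeholder endpoints and names; replace with your own vault, storage account and SAS definition.
        var client = await KeyVaultSasBlobClient.CreateAsync(
            new Uri("https://<your-vault>.vault.azure.net/"),
            new Uri("https://<your-storage-account>.blob.core.windows.net/"),
            "<your-storage-account>", "<your-sas-definition>", cts.Token);

        List<string> containers = await client.RunAsync(async blobs =>
        {
            var names = new List<string>();
            await foreach (var container in blobs.GetBlobContainersAsync(cancellationToken: cts.Token))
                names.Add(container.Name);
            return names;
        }, cts.Token);

        Console.WriteLine($"{containers.Count} container(s) visible with the current SAS");
    }
}
```

Because `AzureSasCredential.Update` replaces the token inside the credential object the `BlobServiceClient` was built with, callers keep using one client instance across rotations instead of rebuilding it; the single retry on 403 bounds the work done when a token keeps being rejected, so an operator sees the failure rather than a retry loop.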

Next steps