Trusted storage for Media Services

When you create a Media Services account, you must associate it with a storage account. Media Services can access that storage account using either system authentication or Managed Identity authentication. Media Services validates that the Media Services account and the storage account are in the same subscription, and that the user adding the association has access to the storage account through Azure Resource Manager RBAC.

Note

Trusted storage is only available through the API; it is not currently enabled in the Azure portal.

Trusted storage with a firewall

If you want to secure your storage account with a firewall and still enable trusted storage, Managed Identity authentication is the preferred option. It allows Media Services to reach a storage account that has been configured with a firewall or a VNet restriction through trusted storage access, provided the storage account's firewall still allows trusted Microsoft services to bypass the network rules.

Tutorial

You can learn more about enabling trusted storage in the Media Services trusted storage tutorial.

Note

You need to grant the AMS Managed Identity the Storage Blob Data Contributor role so that Media Services can read and write to the storage account. Granting the generic Contributor role won't work: it is a control-plane role and does not grant the required data-plane permissions on blobs. Scope the assignment to the storage account itself rather than the subscription or resource group, and allow a few minutes for the assignment to propagate before switching the account to Managed Identity authentication.
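The following script, added here as an example and not taken from the Media Services documentation or tutorial, walks through the whole procedure described above with the Az PowerShell module: give the Media Services account a system-assigned identity, grant that identity Storage Blob Data Contributor on the storage account only, switch the account to Managed Identity storage authentication, and then close the storage firewall while keeping the trusted Microsoft services bypass. It assumes an existing `Connect-AzAccount` session; the resource-group, account and location names are placeholders, and the Media Services properties are set through `Invoke-AzRestMethod` against the `Microsoft.Media/mediaservices` resource (API version 2021-06-01) because the older Az.Media cmdlets do not expose identity or storage authentication.

```powershell
# Added example, not part of the original page. Assumed names below; replace
# them with your own. Requires Az.Accounts, Az.Resources and Az.Storage.
$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = 'rg-media-example'        # assumed
$location       = 'westus2'                 # assumed
$amsAccount     = 'amsexample'              # assumed
$storageAccount = 'stmediaexample'          # assumed

$storage   = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$storageId = $storage.Id
$amsPath   = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
             "/providers/Microsoft.Media/mediaservices/$amsAccount" +
             "?api-version=2021-06-01"

# Step 1: create the Media Services account with a system-assigned identity and
# the storage association. Authentication stays 'System' for now: the identity's
# service principal does not exist until this call returns, so it cannot yet
# hold a role on the storage account.
$body = @{
    location   = $location
    identity   = @{ type = 'SystemAssigned' }
    properties = @{
        storageAccounts       = @(@{ id = $storageId; type = 'Primary' })
        storageAuthentication = 'System'
    }
} | ConvertTo-Json -Depth 6

$resp = Invoke-AzRestMethod -Path $amsPath -Method PUT -Payload $body
if ($resp.StatusCode -ge 300) { throw "PUT mediaservices failed: $($resp.Content)" }
$principalId = ($resp.Content | ConvertFrom-Json).identity.principalId

# Step 2: grant the identity data-plane access, scoped to this storage account.
# 'Storage Blob Data Contributor' is the data-plane role Media Services needs;
# the control-plane 'Contributor' role would not let it read or write blobs.
$roleName = 'Storage Blob Data Contributor'
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $storageId `
                -RoleDefinitionName $roleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName `
        -Scope $storageId | Out-Null
}

# Role assignments propagate asynchronously; wait until the assignment is
# visible before switching the account over, so the change is not rejected.
for ($i = 0; $i -lt 12; $i++) {
    $seen = Get-AzRoleAssignment -ObjectId $principalId -Scope $storageId `
                -RoleDefinitionName $roleName -ErrorAction SilentlyContinue
    if ($seen) { break }
    Start-Sleep -Seconds 10
}

# Step 3: switch storage authentication from account keys to the managed identity.
$patch = @{ properties = @{ storageAuthentication = 'ManagedIdentity' } } |
         ConvertTo-Json -Depth 4
$resp = Invoke-AzRestMethod -Path $amsPath -Method PATCH -Payload $patch
if ($resp.StatusCode -ge 300) { throw "PATCH storageAuthentication failed: $($resp.Content)" }

# Step 4: deny public network access to the storage account but keep the
# 'trusted Microsoft services' bypass (AzureServices), which is what lets a
# Media Services account with trusted storage through the firewall.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $resourceGroup `
    -Name $storageAccount -DefaultAction Deny -Bypass AzureServices | Out-Null

# Verify the end state: ManagedIdentity auth, Deny by default, AzureServices bypass.
$state = (Invoke-AzRestMethod -Path $amsPath -Method GET).Content | ConvertFrom-Json
$rules = (Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount).NetworkRuleSet
[pscustomobject]@{
    StorageAuthentication = $state.properties.storageAuthentication
    PrincipalId           = $state.identity.principalId
    FirewallDefault       = $rules.DefaultAction
    FirewallBypass        = $rules.Bypass
}
```

Step 1 uses PUT, which creates the account or replaces its whole definition; on an account that already exists with other settings (encryption, tags, a user-assigned identity), send the `identity` block with PATCH instead so those settings are not reset. The role assignment is deliberately scoped to `$storageId`, not the resource group, because the identity only needs blob access on the one account Media Services is associated with.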

Further reading

To understand the methods of creating trusted storage with Managed Identities, read Managed Identities and Media Services.

For more information about trusted Microsoft services and the storage firewall bypass they rely on, see Configure Azure Storage firewalls and virtual networks.

Next steps

To learn more about what managed identities can do for you and your Azure applications, see Azure AD Managed Identities.