Update Media Services v3 after rolling storage access keys


You're asked to select an Azure Storage account when you create a new Azure Media Services (AMS) account. You can add more than one storage account to your Media Services account. This article shows how to rotate storage keys. It also shows how to add storage accounts to a media account.

To complete the actions described in this article, you should be using Azure Resource Manager APIs and PowerShell. For more information, see How to manage Azure resources with PowerShell and Resource Manager.

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Storage access key generation

When a new storage account is created, Azure generates two 512-bit storage access keys that are used to authenticate access to your storage account. To keep your storage connections more secure, periodically regenerate and rotate your storage access key. Two access keys (primary and secondary) are provided so that you can maintain connections to the storage account using one access key while you regenerate the other. This procedure is also called "rolling access keys".

Media Services depends on a storage key provided to it. Specifically, the locators that are used to stream or download your assets depend on the specified storage access key. When an AMS account is created, it takes a dependency on the primary storage access key by default. However, as a user you can update the storage key that AMS has. You must let Media Services know which key to use by following the steps below.

Note

If you have multiple storage accounts, perform this procedure with each storage account. The order in which you rotate storage keys is not fixed. You can rotate the secondary key first and then the primary key, or vice versa.

Before executing the steps on a production account, make sure to test them on a pre-production account.

Steps to rotate storage keys

  1. Change the storage account primary key through the PowerShell cmdlet or Azure portal.

  2. Call the Sync-AzMediaServiceStorageKeys cmdlet with appropriate parameters to force the media account to pick up storage account keys.

    The following example shows how to sync keys to storage accounts.

    Sync-AzMediaServiceStorageKeys -ResourceGroupName $resourceGroupName -AccountName $mediaAccountName -StorageAccountId $storageAccountId

  3. Wait an hour or so. Verify the streaming scenarios are working.

  4. Change the storage account secondary key through the PowerShell cmdlet or Azure portal.

  5. Call the Sync-AzMediaServiceStorageKeys PowerShell cmdlet with appropriate parameters to force the media account to pick up new storage account keys.

  6. Wait an hour or so. Verify the streaming scenarios are working.
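
The six steps above as one script, added here as an example and not part of the original article. Resource names are placeholders, and key1 and key2 are the Az.Storage names for the primary and secondary keys. It compares a hash of each key before and after regeneration, so the key value is never printed, and it stops before the sync if regeneration did not take effect.

```powershell
# Added example, not from the original article. Replace the placeholders.
$ErrorActionPreference = "Stop"
$resourceGroupName  = "<resource-group>"
$mediaAccountName   = "<media-account>"
$storageAccountName = "<storage-account>"

# Resolve the storage account's resource ID instead of building the string by hand.
$storageAccountId = (Get-AzStorageAccount -ResourceGroupName $resourceGroupName `
    -Name $storageAccountName).Id

function Get-KeyFingerprint {
    param([string]$KeyName)
    # Hash the key so the comparison never writes the secret to the console or a log.
    $key = Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName `
        -Name $storageAccountName | Where-Object KeyName -eq $KeyName
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($key.Value)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [System.BitConverter]::ToString($sha.ComputeHash($bytes)) }
    finally { $sha.Dispose() }
}

function Invoke-KeyRotation {
    param([ValidateSet("key1", "key2")][string]$KeyName)

    $before = Get-KeyFingerprint -KeyName $KeyName
    New-AzStorageAccountKey -ResourceGroupName $resourceGroupName `
        -Name $storageAccountName -KeyName $KeyName | Out-Null
    $after = Get-KeyFingerprint -KeyName $KeyName
    if ($before -eq $after) {
        throw "$KeyName was not regenerated; stopping before the sync."
    }

    # Force the media account to pick up the regenerated key.
    Sync-AzMediaServiceStorageKeys -ResourceGroupName $resourceGroupName `
        -AccountName $mediaAccountName -StorageAccountId $storageAccountId
    Write-Host "$KeyName regenerated and synced at $(Get-Date -Format o)."
}

Invoke-KeyRotation -KeyName "key1"    # steps 1-2: primary key
# Step 3: the streaming check is manual, so the script pauses here.
Read-Host "Wait about an hour, verify streaming works, then press Enter"
Invoke-KeyRotation -KeyName "key2"    # steps 4-5: secondary key
Write-Host "Wait about an hour and verify streaming again."    # step 6
```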

A PowerShell cmdlet example

The following example demonstrates how to get the storage account and sync it with the AMS account.

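    # Assumes an authenticated Az PowerShell session (Connect-AzAccount).
    $subscriptionId = (Get-AzContext).Subscription.Id
    $regionName = "China East 2"
    $resourceGroupName = "SkyMedia-ChinaEast2-App"
    $mediaAccountName = "sky"
    $storageAccountName = "skystorage"
    # Full Resource Manager ID of the storage account attached to the media account.
    $storageAccountId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Storage/storageAccounts/$storageAccountName"

    # Make the media account pick up the storage account's current keys.
    Sync-AzMediaServiceStorageKeys -ResourceGroupName $resourceGroupName -AccountName $mediaAccountName -StorageAccountId $storageAccountId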

Steps to add storage accounts to your AMS account

The following article shows how to add storage accounts to your AMS account: Attach multiple storage accounts to a Media Services account.