Tutorial: Media Services trusted storage

In this tutorial, you'll learn:

  • How to enable trusted storage for Azure Media Services
  • How to use Managed Identities for trusted storage
  • How to give Azure services access to a storage account when using network access control such as a firewall or VPN

With the 2020-05-01 API, you can enable trusted storage by associating a Managed Identity with a Media Services account.

Note

Trusted storage is only available in the API, and is not currently enabled in the Azure portal.

Media Services can automatically access your storage account using system authentication. Media Services validates that the Media Services account and the storage account are in the same subscription. It also validates that the user adding the association has access to the storage account with Azure Resource Manager RBAC.

However, if you want to use network access control to secure your storage account and enable trusted storage, Managed Identities authentication is required. It allows Media Services to access a storage account that has been configured with a firewall or a VNet restriction through trusted storage access.

Overview

Important

Use the 2020-05-01 API for all requests to Media Services.

These are the general steps for creating trusted storage for Media Services:

  1. Create a resource group.
  2. Create a storage account.
  3. Poll the storage account until it's ready. When the storage account is ready, the request will return the service principal ID.
  4. Find the ID of the Storage Blob Data Contributor role.
  5. Call the authorization provider and add a role assignment.
  6. Update the Media Services account to authenticate to the storage account using Managed Identity.
  7. Delete the resources if you don't want to continue to use them and be charged for them.

Prerequisites

You need an Azure subscription to get started. If you don't have an Azure subscription, create a trial account.

Get your tenant ID and subscription ID

If you don't know how to get your tenant ID and subscription ID, see How to find your tenant ID and Find your tenant ID.

Create a service principal and secret

If you don't know how to create a service principal and secret, see Get credentials to access Media Services API.

Use a REST client

This script is intended for use with a REST client such as what is available in Visual Studio Code extensions. Adapt it for your development environment.

Set initial variables

This part of the script is for use in a REST client. You may use variables differently within your development environment.

### AAD details
@tenantId = your tenant ID
@servicePrincipalId = the service principal ID
@servicePrincipalSecret = the service principal secret

### AAD resources
@armResource = https%3A%2F%2Fmanagement.core.chinacloudapi.cn%2F
@graphResource = https%3A%2F%2Fgraph.chinacloudapi.cn%2F
@storageResource = https%3A%2F%2Fstorage.azure.com%2F

### Service endpoints
@armEndpoint = management.chinacloudapi.cn
@graphEndpoint = graph.chinacloudapi.cn
@aadEndpoint = login.partner.microsoftonline.cn

### ARM details
@subscription = your subscription id
@resourceGroup = the resource group you'll be creating
@storageName = the name of the storage you'll be creating
@accountName = the name of the account you'll be creating
@resourceLocation = China East 2 (or the location that works best for your region)

Get a token for Azure Resource Manager

// @name getArmToken
POST https://{{aadEndpoint}}/{{tenantId}}/oauth2/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded

resource={{armResource}}&client_id={{servicePrincipalId}}&client_secret={{servicePrincipalSecret}}&grant_type=client_credentials

Get a token for the Graph API

// @name getGraphToken
POST https://{{aadEndpoint}}/{{tenantId}}/oauth2/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded

resource={{graphResource}}&client_id={{servicePrincipalId}}&client_secret={{servicePrincipalSecret}}&grant_type=client_credentials

Get the service principal details

// @name getServicePrincipals
GET https://{{graphEndpoint}}/{{tenantId}}/servicePrincipals?$filter=appId%20eq%20'{{servicePrincipalId}}'&api-version=1.6
x-ms-client-request-id: cae3e4f7-17a0-476a-a05a-0dab934ba959
Authorization:  Bearer {{getGraphToken.response.body.access_token}}

Store the service principal ID

@servicePrincipalObjectId = {{getServicePrincipals.response.body.value[0].objectId}}

Create a resource group

// @name createResourceGroup
PUT https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}
    ?api-version=2016-09-01
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
    "location": "{{resourceLocation}}"
}

Create a storage account

// @name createStorageAccount
PUT https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}
    ?api-version=2019-06-01
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
    "sku": {
        "name": "Standard_GRS"
    },
    "kind": "StorageV2",
    "location": "{{resourceLocation}}",
    "properties": {
    }
}

Get the storage account status

The storage account will take a while to be ready, so this request polls for its status. Repeat this request until the storage account is ready.

// @name getStorageAccountStatus
GET {{createStorageAccount.response.headers.Location}}
Authorization: Bearer {{getArmToken.response.body.access_token}}

Get the storage account details

When the storage account is ready, get the properties of the storage account.

// @name getStorageAccount
GET https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}
    ?api-version=2019-06-01
Authorization: Bearer {{getArmToken.response.body.access_token}}

Get a token for Azure Storage

// @name getStorageToken
POST https://{{aadEndpoint}}/{{tenantId}}/oauth2/token
Accept: application/json
Content-Type: application/x-www-form-urlencoded

resource={{storageResource}}&client_id={{servicePrincipalId}}&client_secret={{servicePrincipalSecret}}&grant_type=client_credentials

Create a Media Services account with a system-assigned managed identity

// @name createMediaServicesAccount
PUT https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Media/mediaservices/{{accountName}}?api-version=2020-05-01
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
  "identity": {
      "type": "SystemAssigned"
  },
  "properties": {
    "storageAccounts": [
      {
        "id": "{{getStorageAccountStatus.response.body.id}}"
      }
    ],
    "encryption": {
      "type": "SystemKey"
    }
  },
  "location": "{{resourceLocation}}"
}

Get the Storage Blob Data Contributor role definition

// @name getStorageBlobDataContributorRoleDefinition
GET https://management.chinacloudapi.cn/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20%27Storage%20Blob%20Data%20Contributor%27&api-version=2015-07-01
Authorization: Bearer {{getArmToken.response.body.access_token}}

Set the storage role assignment

The role assignment says that the service principal for the Media Services account has the storage role Storage Blob Data Contributor. This may take a while, and it's important to wait or the Media Services account won't be set up correctly.

PUT https://management.chinacloudapi.cn/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}/providers/Microsoft.Authorization/roleAssignments/{{$guid}}?api-version=2020-04-01-preview
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
  "properties": {
    "roleDefinitionId": "/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}/providers/Microsoft.Authorization/roleDefinitions/{{getStorageBlobDataContributorRoleDefinition.response.body.value[0].name}}",
    "principalId": "{{createMediaServicesAccount.response.body.identity.principalId}}"
  }
}

Give Managed Identity bypass access to the storage account

This action changes the access from system-managed identity to the Managed Identity. In this way, the Media Services account can reach the storage account through a firewall, because Azure services can access the storage account regardless of IP access rules (ACLs).

Again, wait until the role has been assigned in the storage account, or the Media Services account will be set up incorrectly.

// @name setStorageAccountFirewall
PUT https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}
    ?api-version=2019-06-01
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
    "sku": {
        "name": "Standard_GRS"
    },
    "kind": "StorageV2",
    "location": "{{resourceLocation}}",
    "properties": {
        "minimumTlsVersion": "TLS1_2",
        "networkAcls": {
            "bypass": "AzureServices",
            "virtualNetworkRules": [],
            "ipRules": [],
            "defaultAction": "Deny"
        }
    }
}

Update the Media Services account to use the Managed Identity

This request may need to be retried a few times, as the storage role assignment can take a few minutes to propagate.

// @name updateMediaServicesAccountWithManagedStorageAuth
PUT https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Media/mediaservices/{{accountName}}?api-version=2020-05-01
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
  "identity": {
      "type": "SystemAssigned"
  },
  "properties": {
    "storageAccounts": [
      {
        "id": "{{getStorageAccountStatus.response.body.id}}"
      }
    ],
    "storageAuthentication": "ManagedIdentity",
    "encryption": {
      "type": "SystemKey"
    }
  },
  "location": "{{resourceLocation}}"
}
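Before moving on to the access test, it is worth confirming offline that the two resources ended up in the state the firewall step and the managed-identity update above describe. The following is an added example, not code from the tutorial: the function names are its own, and the JSON documents are constructed samples shaped like the ARM GET responses for the storage account and the Media Services account.

```python
from typing import Dict, List

def storage_account_findings(props: Dict) -> List[str]:
    """Problems with a storage account's network/TLS settings for trusted storage."""
    findings = []
    acls = props.get("networkAcls", {})
    if acls.get("defaultAction") != "Deny":
        findings.append("networkAcls.defaultAction is not Deny: any network can reach the account")
    # ARM returns bypass as a comma-separated string, e.g. "Logging, Metrics, AzureServices"
    bypass = {b.strip() for b in acls.get("bypass", "").split(",") if b.strip()}
    if "AzureServices" not in bypass:
        findings.append("networkAcls.bypass lacks AzureServices: Media Services is blocked by the firewall")
    if props.get("minimumTlsVersion") != "TLS1_2":
        findings.append("minimumTlsVersion is not TLS1_2")
    return findings

def media_account_findings(account: Dict, storage_id: str) -> List[str]:
    """Problems with a Media Services account's identity and storage authentication."""
    findings = []
    if account.get("identity", {}).get("type") != "SystemAssigned":
        findings.append("identity.type is not SystemAssigned: there is no managed identity to authorize")
    props = account.get("properties", {})
    if props.get("storageAuthentication") != "ManagedIdentity":
        findings.append("storageAuthentication is not ManagedIdentity: still using system authentication")
    attached = [s.get("id", "").lower() for s in props.get("storageAccounts", [])]
    if storage_id.lower() not in attached:
        findings.append("storage account is not attached to the Media Services account")
    return findings

# Constructed sample data (placeholder subscription and names, not real resources).
STORAGE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
              "/providers/Microsoft.Storage/storageAccounts/stexample")
WEAK_STORAGE = {"minimumTlsVersion": "TLS1_0",
                "networkAcls": {"bypass": "None", "defaultAction": "Allow"}}
HARDENED_STORAGE = {"minimumTlsVersion": "TLS1_2",
                    "networkAcls": {"bypass": "AzureServices", "virtualNetworkRules": [],
                                    "ipRules": [], "defaultAction": "Deny"}}
MEDIA_ACCOUNT = {"identity": {"type": "SystemAssigned"},
                 "properties": {"storageAccounts": [{"id": STORAGE_ID}],
                                "storageAuthentication": "ManagedIdentity",
                                "encryption": {"type": "SystemKey"}}}

if __name__ == "__main__":
    for label, props in (("weak", WEAK_STORAGE), ("hardened", HARDENED_STORAGE)):
        print(label, storage_account_findings(props) or "OK")
    print("media", media_account_findings(MEDIA_ACCOUNT, STORAGE_ID) or "OK")
```

Feed the functions the `properties` object of the getStorageAccount response and the body of the updateMediaServicesAccountWithManagedStorageAuth response; an empty list means the resource matches the tutorial's configuration.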

Test access

Test access by creating an asset in the storage account.

// @name createAsset
PUT https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Media/mediaservices/{{accountName}}/assets/testasset{{index}}withoutmi?api-version=2018-07-01
Authorization: Bearer {{getArmToken.response.body.access_token}}
Content-Type: application/json; charset=utf-8

{
}

Delete resources

If you don't want to keep the resources that you created and continue to be charged for them, delete them.

### Clean up the Storage account
DELETE https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Storage/storageAccounts/{{storageName}}
    ?api-version=2019-06-01
Authorization: Bearer {{getArmToken.response.body.access_token}}

### Clean up the Media Services account
DELETE https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Media/mediaservices/{{accountName}}?api-version=2020-05-01
Authorization: Bearer {{getArmToken.response.body.access_token}}

### Confirm the Media Services account has been deleted
GET https://{{armEndpoint}}/subscriptions/{{subscription}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.Media/mediaservices/{{accountName}}?api-version=2020-05-01
Authorization: Bearer {{getArmToken.response.body.access_token}}

Next steps

How to create an Asset