Choose how to authorize access to blob data in the Azure portal

When you access blob data using the Azure portal, the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Azure AD account or the storage account access key. The portal indicates which method you are using, and enables you to switch between the two if you have the appropriate permissions.

You can also specify how to authorize an individual blob upload operation in the Azure portal. By default, the portal uses whichever method you are already using to authorize a blob upload operation, but you have the option to change this setting when you upload a blob.

Permissions needed to access blob data

Depending on how you want to authorize access to blob data in the Azure portal, you'll need specific permissions. In most cases, these permissions are provided via Azure role-based access control (Azure RBAC). For more information about Azure RBAC, see What is Azure role-based access control (Azure RBAC)?.

Use the account access key

To access blob data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include:

When you attempt to access blob data in the Azure portal, the portal first checks whether you have been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the portal uses the account key for accessing blob data. If you have not been assigned a role with this action, then the portal attempts to access data using your Azure AD account.

Important

When a storage account is locked with an Azure Resource Manager ReadOnly lock, the List Keys operation is not permitted for that storage account. List Keys is a POST operation, and all POST operations are prevented when a ReadOnly lock is configured for the account. For this reason, when the account is locked with a ReadOnly lock, users must use Azure AD credentials to access blob data in the portal. For information about accessing blob data in the portal with Azure AD, see Use your Azure AD account.

Note

The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, including Microsoft.Storage/storageAccounts/listkeys/action, so a user with one of these administrative roles can also access blob data with the account key. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.

Use your Azure AD account

To access blob data from the Azure portal using your Azure AD account, both of the following statements must be true for you:

  • You have been assigned the Azure Resource Manager Reader role, at a minimum, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.
  • You have been assigned either a built-in or custom role that provides access to blob data.

The Reader role assignment or another Azure Resource Manager role assignment is necessary so that the user can view and navigate storage account management resources in the Azure portal. The Azure roles that grant access to blob data do not grant access to storage account management resources. To access blob data in the portal, the user needs permissions to navigate storage account resources. For more information about this requirement, see Assign the Reader role for portal access.
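The decision procedure described above (listkeys check first, the ReadOnly-lock exception, then the Azure AD path that needs both a management-plane role and a blob data role) is modelled here as an added example; it is not Microsoft's code. The role definitions are constructed, simplified versions of the built-in roles, and all assignments are assumed to be scoped at the storage account or higher, so scope is ignored.

```python
"""Simplified model of how the Azure portal picks an authorization method
for blob data. Constructed example; not the portal's real implementation."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

LIST_KEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
ACCOUNT_READ = "Microsoft.Storage/storageAccounts/read"  # management plane
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"


@dataclass
class Role:
    name: str
    actions: list = field(default_factory=list)
    not_actions: list = field(default_factory=list)
    data_actions: list = field(default_factory=list)


def _matches(operation, patterns):
    # RBAC action strings are case-insensitive and '*' spans '/' segments.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)


def permits(roles, operation, data_plane=False):
    """True if any assigned role grants the operation (NotActions excluded)."""
    for r in roles:
        if data_plane:
            if _matches(operation, r.data_actions):
                return True
        elif _matches(operation, r.actions) and not _matches(operation, r.not_actions):
            return True
    return False


def portal_blob_access(roles, readonly_lock=False):
    """Return (method, can_list_blobs) following the checks the page describes."""
    # 1. A role with listkeys wins, unless a ReadOnly lock blocks List Keys (a POST).
    if permits(roles, LIST_KEYS) and not readonly_lock:
        return "Access Key", True
    # 2. Fall back to Azure AD: Reader (or another ARM role) to navigate the
    #    account, plus a data role on blobs; either missing means an empty list.
    can_navigate = permits(roles, ACCOUNT_READ)
    can_read_blobs = permits(roles, BLOB_READ, data_plane=True)
    return "Azure AD User Account", can_navigate and can_read_blobs


# Constructed, simplified role definitions (not the full built-in role JSON).
OWNER = Role("Owner", actions=["*"])
READER = Role("Reader", actions=["*/read"])
BLOB_DATA_READER = Role("Storage Blob Data Reader", data_actions=[BLOB_READ])
```

Note that an Owner on a ReadOnly-locked account is pushed onto the Azure AD path and still sees no blobs, because Owner carries no data actions.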

The built-in roles that support access to your blob data include:

Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see Azure custom roles and Understand role definitions for Azure resources.

To view blob data in the portal, navigate to the Overview for your storage account, and click on the links for Blobs. Alternatively, you can navigate to the Blob service section in the menu.

Screenshot showing how to navigate to blob data in the Azure portal

Determine the current authentication method

When you navigate to a container, the Azure portal indicates whether you are currently using the account access key or your Azure AD account to authenticate.

Authenticate with the account access key

If you are authenticating using the account access key, you'll see Access Key specified as the authentication method in the portal:

Screenshot showing that the user is currently accessing the container with the account key

To switch to using your Azure AD account, click the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the right permissions, you'll see an error message like the following one:

Error shown when access with the Azure AD account is not supported

Notice that no blobs appear in the list if your Azure AD account lacks permissions to view them. Click on the Switch to access key link to use the access key for authentication again.

Authenticate with your Azure AD account

If you are authenticating using your Azure AD account, you'll see Azure AD User Account specified as the authentication method in the portal:

Screenshot showing that the user is currently accessing the container with an Azure AD account

To switch to using the account access key, click the link highlighted in the image. If you have access to the account key, then you'll be able to proceed. However, if you lack access to the account key, you'll see an error message like the following one:

Error shown when the user does not have access to the account key

Notice that no blobs appear in the list if you do not have access to the account keys. Click on the Switch to Azure AD User Account link to use your Azure AD account for authentication again.

Specify how to authorize a blob upload operation

When you upload a blob from the Azure portal, you can specify whether to authenticate and authorize that operation with the account access key or with your Azure AD credentials. By default, the portal uses the current authentication method, as shown in Determine the current authentication method.

To specify how to authorize a blob upload operation, follow these steps:

  1. In the Azure portal, navigate to the container where you wish to upload a blob.

  2. Select the Upload button.

  3. Expand the Advanced section to display the advanced properties for the blob.

  4. In the Authentication Type field, indicate whether you want to authorize the upload operation by using your Azure AD account or with the account access key, as shown in the following image:

    Screenshot showing how to change the authorization method when uploading a blob

Next steps