Run PowerShell commands with Azure AD credentials to access blob data

Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Azure Active Directory (Azure AD) credentials. When you sign in to PowerShell with Azure AD credentials, an OAuth 2.0 access token is returned. PowerShell automatically uses that token to authorize subsequent data operations against Blob storage. For supported operations, you no longer need to pass an account key or SAS token with the command.

You can assign permissions on blob data to an Azure AD security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see Manage access rights to Azure Storage data with Azure RBAC.

Supported operations

The Azure Storage extensions are supported for operations on blob data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to PowerShell. Permissions on Azure Storage containers are assigned via Azure RBAC. For example, if you have been assigned the Blob Data Reader role, you can run scripting commands that read data from a container. If you have been assigned the Blob Data Contributor role, you can run scripting commands that read, write, or delete a container or the data it contains.

For details about the permissions required for each Azure Storage operation on a container, see Call storage operations with OAuth tokens.

Important

When a storage account is locked with an Azure Resource Manager ReadOnly lock, the List Keys operation is not permitted for that storage account. List Keys is a POST operation, and all POST operations are blocked when a ReadOnly lock is configured for the account. For this reason, when the account is locked with a ReadOnly lock, users who do not already possess the account keys must use Azure AD credentials to access blob data. In PowerShell, include the -UseConnectedAccount parameter to create an AzureStorageContext object with your Azure AD credentials.

Call PowerShell commands using Azure AD credentials

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

To use Azure PowerShell to sign in and run subsequent operations against Azure Storage with Azure AD credentials, create a storage context that references the storage account, and include the -UseConnectedAccount parameter.

The following example shows how to create a container in a new storage account from Azure PowerShell using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:

  1. Sign in to your Azure account with the Connect-AzAccount command:

    Connect-AzAccount -Environment AzureChinaCloud
    

    For more information about signing in to Azure with PowerShell, see Sign in with Azure PowerShell.

  2. Create an Azure resource group by calling New-AzResourceGroup.

    $resourceGroup = "sample-resource-group-ps"
    $location = "chinaeast2"
    New-AzResourceGroup -Name $resourceGroup -Location $location
    
  3. Create a storage account by calling New-AzStorageAccount.

    # The last line must not end with a continuation backtick, or PowerShell waits for more input.
    $storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
      -Name "<storage-account>" `
      -SkuName Standard_LRS `
      -Location $location
    
  4. Get the storage account context that specifies the new storage account by calling New-AzStorageContext. When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the -UseConnectedAccount parameter so that any subsequent data operations are called with your Azure AD credentials:

    $ctx = New-AzStorageContext -StorageAccountName "<storage-account>" -UseConnectedAccount
    
  5. Before you create the container, assign the Storage Blob Data Contributor role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning Azure roles, see Use the Azure portal to assign an Azure role for access to blob and queue data.

    Important

    Azure role assignments may take a few minutes to propagate.

  6. Create a container by calling New-AzStorageContainer. Because this call uses the context created in the previous steps, the container is created using your Azure AD credentials.

    $containerName = "sample-container"
    New-AzStorageContainer -Name $containerName -Context $ctx
    
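The steps above as one script, added here as an example rather than taken from the original article: it scopes the Storage Blob Data Contributor assignment to the storage account only, waits out role propagation by retrying the data-plane call instead of falling back to the account key, and creates the container through the -UseConnectedAccount context. It assumes you are already signed in as a user account (so that the signed-in identity from Get-AzContext is a UPN usable with -SignInName), that the resource group and "<storage-account>" placeholder from the steps above exist, and that a not-yet-effective assignment surfaces as an HTTP 403 in the error message.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount -Environment AzureChinaCloud
# has already succeeded for a user account and that the storage account from the steps above exists.
$resourceGroup = "sample-resource-group-ps"
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name "<storage-account>"

# Azure AD (OAuth) context: no account key or SAS token is read or passed.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount.StorageAccountName -UseConnectedAccount

# Scope the data-plane role to this one storage account (least privilege), not the subscription.
$scope    = $storageAccount.Id
$roleName = "Storage Blob Data Contributor"
$signIn   = (Get-AzContext).Account.Id   # UPN of the signed-in user (assumption: user, not service principal)

$existing = Get-AzRoleAssignment -SignInName $signIn -RoleDefinitionName $roleName -Scope $scope
if (-not $existing) {
    New-AzRoleAssignment -SignInName $signIn -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to $signIn at scope $scope"
}

# Role assignments can take a few minutes to propagate; retry rather than widening permissions.
$containerName = "sample-container"
$created = $false
for ($attempt = 1; $attempt -le 10 -and -not $created; $attempt++) {
    try {
        New-AzStorageContainer -Name $containerName -Context $ctx -ErrorAction Stop | Out-Null
        $created = $true
    }
    catch {
        # Assumption: a not-yet-effective assignment is reported as an authorization (403) failure.
        if ($_.Exception.Message -match "AuthorizationPermissionMismatch|403") {
            Write-Host "Attempt ${attempt}: role assignment not yet effective, retrying in 30 s"
            Start-Sleep -Seconds 30
        }
        else { throw }
    }
}
if (-not $created) { throw "Container '$containerName' was not created; check the role assignment at $scope" }
Get-AzStorageContainer -Name $containerName -Context $ctx
```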

Next steps