Create a service SAS for a container or blob

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key.

A user delegation SAS offers superior security to a SAS that is signed with the storage account key, because it does not require handling the account key and is bound to an Azure AD identity. Azure recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create a service SAS for a container or blob with the Azure Storage client library for Blob Storage.

Create a service SAS for a blob container

The following code example creates a SAS for a container. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, the code creates an ad hoc SAS on the container.

A service SAS is signed with the account access key. Use the StorageSharedKeyCredential class to create the credential that is used to sign the SAS. Next, create a new BlobSasBuilder object and call ToSasQueryParameters to get the SAS token string.

using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

private static string GetContainerSasUri(BlobContainerClient container,
    StorageSharedKeyCredential sharedKeyCredential, string storedPolicyName = null)
{
    // Resource = "c" scopes the token to the container and the blobs in it.
    BlobSasBuilder sasBuilder = new BlobSasBuilder()
    {
        BlobContainerName = container.Name,
        Resource = "c",
    };

    if (storedPolicyName == null)
    {
        // Ad hoc SAS: permissions and lifetime are embedded in the token itself,
        // so it can only be revoked by rotating the account key. Keep it short-lived.
        sasBuilder.StartsOn = DateTimeOffset.UtcNow;
        sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
        sasBuilder.SetPermissions(BlobContainerSasPermissions.Read);
    }
    else
    {
        // Policy-bound SAS: the stored access policy supplies permissions and expiry,
        // and the token can be revoked by changing or deleting that policy.
        sasBuilder.Identifier = storedPolicyName;
    }

    // Sign the parameters with the account key to get the SAS token.
    string sasToken = sasBuilder.ToSasQueryParameters(sharedKeyCredential).ToString();

    Console.WriteLine("SAS token for blob container is: {0}", sasToken);
    Console.WriteLine();

    return $"{container.Uri}?{sasToken}";
}

Create a service SAS for a blob

The following code example creates a SAS on a blob. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, the code creates an ad hoc SAS on the blob.

As with the container, a service SAS on a blob is signed with the account access key. Use the StorageSharedKeyCredential class to create the credential that is used to sign the SAS. Next, create a new BlobSasBuilder object, set BlobName as well as BlobContainerName, and call ToSasQueryParameters to get the SAS token string.

using System;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

private static string GetBlobSasUri(BlobContainerClient container,
    string blobName, StorageSharedKeyCredential key, string storedPolicyName = null)
{
    // Resource = "b" scopes the token to this single blob.
    BlobSasBuilder sasBuilder = new BlobSasBuilder()
    {
        BlobContainerName = container.Name,
        BlobName = blobName,
        Resource = "b",
    };

    if (storedPolicyName == null)
    {
        // Ad hoc SAS valid for one hour; BlobSasPermissions is the permission set
        // for a blob-scoped token (BlobContainerSasPermissions is for Resource = "c").
        sasBuilder.StartsOn = DateTimeOffset.UtcNow;
        sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
        sasBuilder.SetPermissions(BlobSasPermissions.Read);
    }
    else
    {
        // Policy-bound SAS: permissions and expiry come from the stored access policy.
        sasBuilder.Identifier = storedPolicyName;
    }

    // Sign the parameters with the account key to get the SAS token.
    string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();

    Console.WriteLine("SAS for blob is: {0}", sasToken);
    Console.WriteLine();

    // GetBlobClient is available on BlobContainerClient without the Specialized namespace.
    return $"{container.GetBlobClient(blobName).Uri}?{sasToken}";
}
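As an added example, not code from the original article or from the Azure SDK, the Python below uses only the standard library to do by hand what the two C# helpers above (for a container and for a blob) delegate to BlobSasBuilder and StorageSharedKeyCredential: it assembles the service SAS string-to-sign, signs it with HMAC-SHA256 under the account key, and emits both the ad hoc and the stored-policy-bound variants; an audit function then reads a token back and reports what it grants and how it can be revoked. The account name, key and policy name are constructed, and the field layout assumes the string-to-sign of service version 2020-12-06, so check it against the REST reference for the version you target.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not the article's code. Assumption: string-to-sign layout of service
# version 2020-12-06 (16 newline-separated fields); other versions differ. The account
# name, key and policy name below are constructed for the demo.
SERVICE_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_ACCOUNT = "demoaccount"
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret-0123456789").decode()


def string_to_sign(account, container, blob, permissions, start, expiry, policy_id,
                   ip_range="", protocol="https"):
    """Build the exact text the service re-signs with the account key to verify a token."""
    resource = "b" if blob else "c"
    canonical = f"/blob/{account}/{container}" + (f"/{blob}" if blob else "")
    if policy_id:
        # Policy-bound SAS: permissions and lifetime come from the stored access policy,
        # so those fields are signed empty and only the policy identifier is embedded.
        sp, st, se = "", "", ""
    else:
        sp = permissions
        st = start.strftime(TIME_FMT) if start else ""
        se = expiry.strftime(TIME_FMT) if expiry else ""
    # Trailing empties: snapshot time, encryption scope, rscc, rscd, rsce, rscl, rsct.
    return "\n".join([sp, st, se, canonical, policy_id or "", ip_range, protocol,
                      SERVICE_VERSION, resource] + [""] * 7)


def sign(key_b64, text):
    """HMAC-SHA256 over the string-to-sign, keyed with the base64-decoded account key."""
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_service_sas(account, key_b64, container, blob=None, *, permissions="r",
                      start=None, expiry=None, policy_id=None, ip_range="", protocol="https"):
    """Return the SAS query string for a container (blob=None) or a single blob.

    Mirrors the two C# helpers: with policy_id the token carries only `si`; otherwise it
    is an ad hoc token that embeds sp/st/se and stays valid until `se` unless the key rotates.
    """
    if policy_id is None and expiry is None:
        raise ValueError("an ad hoc SAS needs an explicit expiry")
    text = string_to_sign(account, container, blob, permissions, start, expiry, policy_id,
                          ip_range, protocol)
    params = {"sv": SERVICE_VERSION, "sr": "b" if blob else "c", "spr": protocol}
    if policy_id:
        params["si"] = policy_id
    else:
        params["sp"] = permissions
        if start:
            params["st"] = start.strftime(TIME_FMT)
        params["se"] = expiry.strftime(TIME_FMT)
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = sign(key_b64, text)
    return urlencode(params)


def parse_sas(url_or_token):
    """Return the SAS parameters of a full URL or a bare query string as a dict."""
    query = urlsplit(url_or_token).query if "?" in url_or_token else url_or_token
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def audit_sas(url_or_token, now=None, max_hours=24):
    """Review a token before handing it out and return human-readable findings."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url_or_token)
    findings = []
    if "si" in p:
        findings.append(f"policy-bound (si={p['si']}): revocable by editing the policy")
    else:
        if "se" not in p:
            findings.append("ad hoc token without an expiry")
        else:
            expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
            hours = (expiry - now).total_seconds() / 3600
            if hours > max_hours:
                findings.append(f"ad hoc token valid {hours:.0f}h, over the {max_hours}h "
                                "limit; only key rotation revokes it")
        mutating = set(p.get("sp", "")) & set("acwdxy")
        if mutating:
            findings.append("grants mutating permissions: " + "".join(sorted(mutating)))
    if p.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr)")
    if "sip" not in p:
        findings.append("no source IP restriction (sip)")
    return findings


if __name__ == "__main__":
    exp = datetime.now(timezone.utc) + timedelta(hours=1)
    tok = build_service_sas(DEMO_ACCOUNT, DEMO_KEY, "logs", "2024.log", expiry=exp)
    print(tok)
    for finding in audit_sas(tok):
        print(" -", finding)
```

The audit output is the operational lesson behind the `storedPolicyName == null` branch in the C# helpers: an ad hoc token's permissions and expiry are fixed when it is signed and remain honoured until `se` unless the account key is rotated, while a policy-bound token carries only `si` and can be revoked server-side by editing or deleting the stored access policy.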

Resources for development with .NET

The links below provide useful resources for developers using the Azure Storage client library for .NET.

Azure Storage common APIs

Blob storage APIs

.NET tools

Resources for development with JavaScript

The links below provide useful resources for developers using the Azure Storage client library for JavaScript.

Blob storage APIs

JavaScript tools

Next steps