Create a service SAS for a container or blob with .NET

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key.

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Microsoft recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create a service SAS for a container or blob with the Azure Storage client library for .NET.

Create a service SAS for a blob container

The following code example creates a SAS for a container. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, then the code creates an ad hoc SAS on the container.

Create a new BlobSasBuilder. Then, call ToSasQueryParameters to get the SAS token string.

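// Namespaces required at the top of the file:
// using System;
// using Azure.Storage;
// using Azure.Storage.Blobs;
// using Azure.Storage.Sas;

private static string GetContainerSasUri(BlobContainerClient container,
    StorageSharedKeyCredential key, string storedPolicyName = null)
{
    BlobSasBuilder sasBuilder = new BlobSasBuilder()
    {
        BlobContainerName = container.Name,
        Resource = "c", // "c" scopes the SAS to the container
    };

    if (storedPolicyName == null)
    {
        // Ad hoc SAS: read-only and valid for one hour.
        // A start time of "now" can be rejected for clients whose clocks run behind.
        sasBuilder.StartsOn = DateTimeOffset.UtcNow;
        sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
        sasBuilder.SetPermissions(BlobContainerSasPermissions.Read);
    }
    else
    {
        // Start time, expiry and permissions come from the stored access policy.
        sasBuilder.Identifier = storedPolicyName;
    }

    // Use the key to get the SAS token (a query string without the leading '?').
    string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();

    // The token is a bearer credential: print it only in a demo, never in production logs.
    Console.WriteLine("SAS for blob container is: {0}", sasToken);
    Console.WriteLine();

    // Add the '?' separator, which ToString() does not include.
    return $"{container.Uri}?{sasToken}";
}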

Create a service SAS for a blob

The following code example creates a SAS on a blob. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, then the code creates an ad hoc SAS on the blob.

Create a new BlobSasBuilder. Then, call ToSasQueryParameters to get the SAS token string.

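// Namespaces required at the top of the file:
// using System;
// using Azure.Storage;
// using Azure.Storage.Blobs;
// using Azure.Storage.Blobs.Specialized; // GetBlockBlobClient extension method
// using Azure.Storage.Sas;

private static string GetBlobSasUri(BlobContainerClient container,
    string blobName, StorageSharedKeyCredential key, string storedPolicyName = null)
{
    BlobSasBuilder sasBuilder = new BlobSasBuilder()
    {
        BlobContainerName = container.Name,
        BlobName = blobName,
        Resource = "b", // "b" scopes the SAS to this single blob
    };

    if (storedPolicyName == null)
    {
        // Ad hoc SAS: read-only and valid for one hour.
        // A start time of "now" can be rejected for clients whose clocks run behind.
        sasBuilder.StartsOn = DateTimeOffset.UtcNow;
        sasBuilder.ExpiresOn = DateTimeOffset.UtcNow.AddHours(1);
        sasBuilder.SetPermissions(BlobSasPermissions.Read);
    }
    else
    {
        // Start time, expiry and permissions come from the stored access policy.
        sasBuilder.Identifier = storedPolicyName;
    }

    // Use the key to get the SAS token (a query string without the leading '?').
    string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();

    // The token is a bearer credential: print it only in a demo, never in production logs.
    Console.WriteLine("SAS for blob is: {0}", sasToken);
    Console.WriteLine();

    // Add the '?' separator, which ToString() does not include.
    return $"{container.GetBlockBlobClient(blobName).Uri}?{sasToken}";
}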
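
A SAS URI built by either method above can be reviewed before it is handed to a client. The following is an added example, not code from the original article or from the Azure SDK: it reads the SAS query parameters (si, se, spr, sp, sig) and reports whether the token is tied to a stored access policy or is an ad hoc SAS, and whether its lifetime, protocol and permissions are wider than intended. The SasAudit class, the maxLifetime threshold and the sample URI are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web; // HttpUtility ships with .NET Core 2.0+ / .NET 5+

public static class SasAudit // hypothetical helper, not an SDK type
{
    // Returns review notes for a service SAS URI; maxLifetime is the caller's own policy limit.
    public static List<string> Inspect(Uri sasUri, TimeSpan maxLifetime)
    {
        var q = HttpUtility.ParseQueryString(sasUri.Query);
        var notes = new List<string>();

        if (q["sig"] == null)
            notes.Add("no sig parameter: this is not a SAS URI");

        string policy = q["si"];
        if (policy != null)
            // Stored access policy: its constraints live on the container, not in the URI.
            notes.Add($"uses stored access policy '{policy}': review the policy itself");
        else if (!DateTimeOffset.TryParse(q["se"], out var expiry))
            notes.Add("ad hoc SAS without a parsable expiry (se)");
        else if (expiry - DateTimeOffset.UtcNow > maxLifetime)
            notes.Add($"ad hoc SAS expires {expiry:u}, later than the allowed lifetime");

        if (q["spr"] != "https")
            notes.Add("spr is not 'https': the SAS itself does not restrict the protocol to HTTPS");

        string perms = q["sp"] ?? "";
        if (perms.Any(p => p != 'r' && p != 'l'))
            notes.Add($"permissions '{perms}' go beyond read and list");

        return notes;
    }

    public static void Main()
    {
        // Constructed sample: account, container, dates and signature are placeholders.
        var uri = new Uri("https://exampleaccount.blob.core.windows.net/sample-container"
            + "?sv=2020-08-04&se=2034-01-01T00%3A00%3A00Z&sr=c&sp=rwl&sig=PLACEHOLDER");
        foreach (string note in Inspect(uri, TimeSpan.FromHours(1)))
            Console.WriteLine(note);
    }
}
```

The ad hoc SAS created by the methods above carries se and sp in the URI but no spr, so the protocol note applies to it unless the builder's Protocol property is set to SasProtocol.Https.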

Resources for development with .NET

The links below provide useful resources for developers using the Azure Storage client library for .NET.

Azure Storage common APIs

Blob storage APIs

.NET tools

Next steps