Create a user delegation SAS for a container or blob with the Azure CLI

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key.

A user delegation SAS offers superior security to a SAS that is signed with the storage account key. Azure recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use Azure Active Directory (Azure AD) credentials to create a user delegation SAS for a container or blob with the Azure CLI.

About the user delegation SAS

A SAS token for access to a container or blob may be secured by using either Azure AD credentials or an account key. A SAS secured with Azure AD credentials is called a user delegation SAS, because the OAuth 2.0 token used to sign the SAS is requested on behalf of the user.

Azure recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security. For more information about the user delegation SAS, see Create a user delegation SAS.

Note

Any client that possesses a valid SAS can access data in your storage account as permitted by that SAS. It's important to protect a SAS from malicious or unintended use. Use discretion in distributing a SAS, and have a plan in place for revoking a compromised SAS.

For more information about shared access signatures, see Grant limited access to Azure Storage resources using shared access signatures (SAS).

Install the latest version of the Azure CLI

To use the Azure CLI to secure a SAS with Azure AD credentials, first make sure that you have installed the latest version of the Azure CLI. For more information about installing the Azure CLI, see Install the Azure CLI.

To create a user delegation SAS using the Azure CLI, make sure that you have installed version 2.0.78 or later. To check your installed version, use the az --version command.

Sign in with Azure AD credentials

Sign in to the Azure CLI with your Azure AD credentials. For more information, see Sign in with the Azure CLI.

Assign permissions with Azure RBAC

To create a user delegation SAS from the Azure CLI, the Azure AD account used to sign in to the Azure CLI must be assigned a role that includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. This permission enables that Azure AD account to request the user delegation key. The user delegation key is used to sign the user delegation SAS. The role providing the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action must be assigned at the level of the storage account, the resource group, or the subscription.

If you do not have sufficient permissions to assign Azure roles to an Azure AD security principal, you may need to ask the account owner or administrator to assign the necessary permissions.

The following example assigns the Storage Blob Data Contributor role, which includes the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action. The role is scoped at the level of the storage account.

Remember to replace placeholder values in angle brackets with your own values:

az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

For more information about the built-in roles that include the Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey action, see Azure built-in roles.

Use Azure AD credentials to secure a SAS

When you create a user delegation SAS with the Azure CLI, the user delegation key that is used to sign the SAS is created for you implicitly. The start time and expiry time that you specify for the SAS are also used as the start time and expiry time for the user delegation key.

Because the maximum interval over which the user delegation key is valid is 7 days from the start date, you should specify an expiry time for the SAS that is within 7 days of the start time. The SAS is invalid after the user delegation key expires, so a SAS with an expiry time of greater than 7 days will still only be valid for 7 days.

When creating a user delegation SAS, the --auth-mode login and --as-user parameters are required. Specify login for the --auth-mode parameter so that requests made to Azure Storage are authorized with your Azure AD credentials. Specify the --as-user parameter to indicate that the SAS returned should be a user delegation SAS.

Create a user delegation SAS for a container

To create a user delegation SAS for a container with the Azure CLI, call the az storage container generate-sas command.

Supported permissions for a user delegation SAS on a container include Add, Create, Delete, List, Read, and Write. Permissions can be specified singly or combined. For more information about these permissions, see Create a user delegation SAS.

The following example returns a user delegation SAS token for a container. Remember to replace the placeholder values in brackets with your own values:

az storage container generate-sas \
    --account-name <storage-account> \
    --name <container> \
    --permissions acdlrw \
    --expiry <date-time> \
    --auth-mode login \
    --as-user

The user delegation SAS token returned will be similar to:

se=2019-07-27&sp=r&sv=2018-11-09&sr=c&skoid=<skoid>&sktid=<sktid>&skt=2019-07-26T18%3A01%3A22Z&ske=2019-07-27T00%3A00%3A00Z&sks=b&skv=2018-11-09&sig=<signature>

Create a user delegation SAS for a blob

To create a user delegation SAS for a blob with the Azure CLI, call the az storage blob generate-sas command.

Supported permissions for a user delegation SAS on a blob include Add, Create, Delete, Read, and Write. Permissions can be specified singly or combined. For more information about these permissions, see Create a user delegation SAS.

The following syntax returns a user delegation SAS for a blob. The example specifies the --full-uri parameter, which returns the blob URI with the SAS token appended. Remember to replace the placeholder values in brackets with your own values:

az storage blob generate-sas \
    --account-name <storage-account> \
    --container-name <container> \
    --name <blob> \
    --permissions acdrw \
    --expiry <date-time> \
    --auth-mode login \
    --as-user \
    --full-uri

The user delegation SAS URI returned will be similar to:

https://storagesamples.blob.core.chinacloudapi.cn/sample-container/blob1.txt?se=2019-08-03&sp=rw&sv=2018-11-09&sr=b&skoid=<skoid>&sktid=<sktid>&skt=2019-08-02T22%3A32%3A01Z&ske=2019-08-03T00%3A00%3A00Z&sks=b&skv=2018-11-09&sig=<signature>
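To see how the 7-day key limit described above shows up in the tokens the CLI returns, here is an added inspection helper (example code written for this article, not part of the Azure CLI or the Azure SDK). It parses a SAS token or a full SAS URI, recognizes a user delegation SAS by its signed-key fields (skoid, sktid, skt, ske), checks that the key window does not exceed 7 days, and reports the effective expiry, which is the earlier of the SAS expiry (se) and the key expiry (ske). The sample token is the container token shown above, with the page's placeholder values kept as literal strings.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the container SAS token shown above, with the page's
# <skoid>, <sktid> and <signature> placeholders left in place as literals.
SAMPLE_SAS = ("se=2019-07-27&sp=r&sv=2018-11-09&sr=c&skoid=<skoid>&sktid=<sktid>"
              "&skt=2019-07-26T18%3A01%3A22Z&ske=2019-07-27T00%3A00%3A00Z"
              "&sks=b&skv=2018-11-09&sig=<signature>")

# Documented maximum lifetime of a user delegation key.
MAX_KEY_LIFETIME = timedelta(days=7)

def parse_time(value):
    """Parse the two ISO 8601 forms seen in SAS tokens: a bare date or a UTC timestamp."""
    if len(value) == 10:  # e.g. se=2019-07-27 means midnight UTC on that day
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def inspect_sas(sas_or_uri):
    """Describe a SAS token, or a full URI carrying one, as a dict."""
    query = urlsplit(sas_or_uri).query if "?" in sas_or_uri else sas_or_uri
    params = {k: v[0] for k, v in parse_qs(query).items()}
    # Only a user delegation SAS carries the signed-key fields.
    is_user_delegation = all(k in params for k in ("skoid", "sktid", "skt", "ske"))
    report = {
        "user_delegation": is_user_delegation,
        "resource": params.get("sr"),          # c = container, b = blob
        "permissions": params.get("sp", ""),   # e.g. "r", "rw", "acdlrw"
    }
    sas_expiry = parse_time(params["se"])
    if is_user_delegation:
        key_start = parse_time(params["skt"])
        key_expiry = parse_time(params["ske"])
        report["key_lifetime_ok"] = key_expiry - key_start <= MAX_KEY_LIFETIME
        # The SAS stops working as soon as the signing key expires, so the
        # effective expiry is whichever of se and ske comes first.
        report["effective_expiry"] = min(sas_expiry, key_expiry)
    else:
        report["effective_expiry"] = sas_expiry
    return report

if __name__ == "__main__":
    for field, value in inspect_sas(SAMPLE_SAS).items():
        print(f"{field}: {value}")
```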

Note

A user delegation SAS does not support defining permissions with a stored access policy.

Revoke a user delegation SAS

To revoke a user delegation SAS from the Azure CLI, call the az storage account revoke-delegation-keys command. This command revokes all of the user delegation keys associated with the specified storage account. Any shared access signatures associated with those keys are invalidated.

Remember to replace placeholder values in angle brackets with your own values:

az storage account revoke-delegation-keys \
    --name <storage-account> \
    --resource-group <resource-group>

Important

Both the user delegation key and Azure role assignments are cached by Azure Storage, so there may be a delay between when you initiate the process of revocation and when an existing user delegation SAS becomes invalid.

Next steps