Authorize access to blob or queue data with Azure CLI

Azure Storage provides extensions for Azure CLI that enable you to specify how you want to authorize operations on blob or queue data. You can authorize data operations in the following ways:

  • With an Azure Active Directory (Azure AD) security principal. Azure AD credentials are the recommended option, for both security and ease of use.
  • With the account access key or a shared access signature (SAS) token.

Specify how data operations are authorized

Azure CLI commands for reading and writing blob and queue data include the optional --auth-mode parameter. Specify this parameter to indicate how a data operation is to be authorized:

  • Set the --auth-mode parameter to login to sign in using an Azure AD security principal (recommended).
  • Set the --auth-mode parameter to the legacy key value to attempt to retrieve the account access key to use for authorization. If you omit the --auth-mode parameter, the Azure CLI also attempts to retrieve the access key.

To use the --auth-mode parameter, make sure that you have installed Azure CLI version 2.0.46 or later. Run az --version to check your installed version.

Important

If you omit the --auth-mode parameter or set it to key, the Azure CLI attempts to use the account access key for authorization. In this case, provide the access key either on the command or in the AZURE_STORAGE_KEY environment variable. For more information about environment variables, see the section titled Set environment variables for authorization parameters.

If you do not provide the access key, the Azure CLI calls the Azure Storage resource provider to retrieve it for each operation. That lookup is a control-plane call that requires the Microsoft.Storage/storageAccounts/listKeys/action permission on the account, and the key it returns grants full access to the account regardless of any RBAC data roles. Performing many data operations that each require a call to the resource provider may also result in throttling. For more information about resource provider limits, see Scalability and performance targets for the Azure Storage resource provider.

Authorize with Azure AD credentials

When you sign in to Azure CLI with Azure AD credentials, an OAuth 2.0 access token is returned. Azure CLI automatically uses that token to authorize subsequent data operations against Blob or Queue storage. For supported operations, you no longer need to pass an account key or SAS token with the command.

You can assign permissions to blob and queue data to an Azure AD security principal via role-based access control (RBAC). For more information about RBAC roles in Azure Storage, see Manage access rights to Azure Storage data with RBAC.

Permissions for calling data operations

The Azure Storage extensions are supported for operations on blob and queue data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to Azure CLI. Permissions to Azure Storage containers or queues are assigned via RBAC, and the blob and queue roles are separate. For example, if you are assigned the Storage Blob Data Reader role, you can run scripting commands that read data from a container; the Storage Queue Data Reader role grants the equivalent for a queue. If you are assigned the Storage Blob Data Contributor role, you can run scripting commands that read, write, or delete a container and the blobs it contains; Storage Queue Data Contributor does the same for a queue and its messages.

For details about the permissions required for each Azure Storage operation on a container or queue, see Call storage operations with OAuth tokens.

Example: Authorize an operation to create a container with Azure AD credentials

The following example shows how to create a container from Azure CLI using your Azure AD credentials. To create the container, you'll need to log in to the Azure CLI, and you'll need a resource group and a storage account. To learn how to create these resources, see Quickstart: Create, download, and list blobs with Azure CLI.

  1. Before you create the container, assign the Storage Blob Data Contributor role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account: Owner and Contributor are control-plane roles and do not by themselves authorize blob or queue data access with --auth-mode login. For more information about assigning RBAC roles, see Grant access to Azure blob and queue data with RBAC in the Azure portal.

    Important

    RBAC role assignments may take a few minutes to propagate.

  2. Call the az storage container create command with the --auth-mode parameter set to login to create the container using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:

    az storage container create \
        --account-name <storage-account> \
        --name sample-container \
        --auth-mode login
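
The two steps above, assigning the role at storage-account scope and then creating the container with --auth-mode login, as one script. This is an added example, not code from the page or from Azure CLI's own documentation. It assumes that az login has already been run, that the caller sets RESOURCE_GROUP, STORAGE_ACCOUNT and CONTAINER, and that the signed-in user's object ID is exposed as the `id` property by `az ad signed-in-user show` (on CLI releases before the Microsoft Graph migration the property was `objectId`). The retry loop exists because of the propagation delay in the Important box: for a few minutes after the assignment the first data-plane call can still be rejected with a 403.

```shell
#!/bin/sh
# Added example, not from the page: grant yourself Storage Blob Data Contributor
# on one storage account, wait for the assignment to propagate, then create a
# container authorized with the Azure AD token obtained by `az login`.
# Assumed inputs (placeholders, set by the caller): RESOURCE_GROUP, STORAGE_ACCOUNT, CONTAINER.
set -eu

# ARM resource ID of the storage account. Scoping the role assignment here,
# rather than at the resource group or subscription, keeps the grant minimal.
storage_scope() {
    # $1 subscription ID, $2 resource group, $3 storage account name
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
        "$1" "$2" "$3"
}

# Run "$@" until it exits 0, at most $1 times, sleeping $2 seconds between
# attempts. Needed because RBAC role assignments take a few minutes to
# propagate: the first data-plane call may fail with 403 even though the
# assignment is already visible in the control plane.
retry_until_ok() {
    max=$1
    delay=$2
    shift 2
    attempt=1
    while ! "$@"; do
        [ "$attempt" -lt "$max" ] || return 1
        attempt=$((attempt + 1))
        sleep "$delay"
    done
}

main() {
    sub=$(az account show --query id -o tsv)
    # Object ID of the signed-in user. The property is `id` on current CLI
    # versions (assumption: `objectId` on releases before the Graph migration).
    me=$(az ad signed-in-user show --query id -o tsv)
    scope=$(storage_scope "$sub" "$RESOURCE_GROUP" "$STORAGE_ACCOUNT")

    # Control-plane call: assign the data role at storage-account scope.
    az role assignment create \
        --role "Storage Blob Data Contributor" \
        --assignee-object-id "$me" \
        --assignee-principal-type User \
        --scope "$scope" \
        --output none

    # Data-plane call authorized with the OAuth token; no account key is read.
    # Ten attempts thirty seconds apart covers the usual propagation window.
    retry_until_ok 10 30 az storage container create \
        --account-name "$STORAGE_ACCOUNT" \
        --name "$CONTAINER" \
        --auth-mode login \
        --output none
}

# Only talk to Azure when asked, so the helpers can be sourced or tested offline.
if [ "${RUN_AZ:-0}" = 1 ]; then
    main
fi
```

Run it as RUN_AZ=1 RESOURCE_GROUP=<group> STORAGE_ACCOUNT=<storage-account> CONTAINER=sample-container sh ./create-container.sh. The retry wrapper retries on any non-zero exit, not only on 403, so a genuinely wrong account name will also be retried until the attempts run out; that is a deliberate trade for keeping the script portable to POSIX sh without parsing az error output.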
    

Authorize with the account access key

If you possess the account key, you can call any Azure Storage data operation. In general, using the account key is less secure: it is a full-privilege credential for the whole account, it is not constrained by RBAC data roles, and if it is compromised, all data in your account may be compromised.

The following example shows how to create a container using the account access key. Specify the account key, and provide the --auth-mode parameter with the key value:

az storage container create \
    --account-name <storage-account> \
    --name sample-container \
    --account-key <key> \
    --auth-mode key

Authorize with a SAS token

If you possess a SAS token, you can call the data operations that the SAS permits, until the SAS expires. Creating a container requires an account SAS; a service SAS is scoped to an existing container or blob and cannot create one. The following example shows how to create a container using a SAS token:

az storage container create \
    --account-name <storage-account> \
    --name sample-container \
    --sas-token <token>

Set environment variables for authorization parameters

You can specify authorization parameters in environment variables to avoid including them on every call to an Azure Storage data operation. The available environment variables are:

  • AZURE_STORAGE_ACCOUNT: The storage account name. Use this variable together with either the storage account key or a SAS token. If neither is present and the authorization mode is not login, the Azure CLI attempts to retrieve the storage account access key by using the authenticated Azure AD account. If a large number of commands are executed at one time, the Azure Storage resource provider throttling limit may be reached. For more information about resource provider limits, see Scalability and performance targets for the Azure Storage resource provider.
  • AZURE_STORAGE_KEY: The storage account key. This variable must be used in conjunction with the storage account name.
  • AZURE_STORAGE_CONNECTION_STRING: A connection string that includes the storage account key or a SAS token. This variable must be used in conjunction with the storage account name.
  • AZURE_STORAGE_SAS_TOKEN: A shared access signature (SAS) token. This variable must be used in conjunction with the storage account name.
  • AZURE_STORAGE_AUTH_MODE: The authorization mode with which to run the command. Permitted values are login (recommended) or key. If you specify login, the Azure CLI uses your Azure AD credentials to authorize the data operation. If you specify the legacy key mode, the Azure CLI attempts to query for the account access key and to authorize the command with the key.
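
A pre-flight check that applies the variables listed above before a script runs any data command. It is an added example, not code from the page or from Azure CLI. It reads the same environment variables the CLI reads, reports which authorization path the CLI will take, and refuses to proceed in the two cases a script should never run with: no credential and no login mode, which is the implicit per-call key lookup described in the Important note earlier, and a SAS token that has already expired. The SAS parsing assumes the token's usual query-string form, with the expiry in the `se` parameter (URL-encoded, so `%3A` stands for `:`) and the permissions in `sp`; the page does not describe that format. When more than one secret variable is set, the order in which this script classifies them is its own choice and not a statement about CLI precedence.

```shell
#!/bin/sh
# Added example, not from the page: classify how the Azure CLI will authorize
# storage data commands from the environment variables in the table, and fail
# closed on the two cases a script should never run with.
set -eu

# Print the authorization path: login, connection-string, sas, key, or
# key-lookup (nothing provided, so the CLI would fetch the account key from the
# resource provider on every call). Assumes AZURE_STORAGE_AUTH_MODE=login is
# honored even when a secret is also present; the order of the secret checks
# is this script's choice, not documented CLI precedence.
effective_auth_mode() {
    if [ "${AZURE_STORAGE_AUTH_MODE:-}" = login ]; then
        echo login
    elif [ -n "${AZURE_STORAGE_CONNECTION_STRING:-}" ]; then
        echo connection-string
    elif [ -n "${AZURE_STORAGE_SAS_TOKEN:-}" ]; then
        echo sas
    elif [ -n "${AZURE_STORAGE_KEY:-}" ]; then
        echo key
    else
        echo key-lookup
    fi
}

# Print one query parameter of a SAS token, URL-decoding ':' (encoded as %3A).
# $1 token (with or without a leading '?'), $2 parameter name, e.g. se or sp.
# Assumption: the token is in the standard query-string form.
sas_param() {
    tok=$1
    case $tok in \?*) tok=${tok#?} ;; esac
    printf '%s\n' "$tok" | tr '&' '\n' | sed -n "s/^$2=//p" | sed 's/%3A/:/g; s/%3a/:/g'
}

# Return 0 if the token's se expiry is before $2 (UTC ISO-8601, default: now),
# 1 if it is still valid, 2 if the token carries no expiry. Same-format
# ISO-8601 UTC strings sort chronologically, so a string comparison is enough.
sas_expired() {
    expiry=$(sas_param "$1" se)
    now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
    [ -n "$expiry" ] || return 2
    [ "$(expr "$expiry" \< "$now")" = 1 ]
}

# Exit non-zero unless the environment yields an acceptable credential path.
# A token without an expiry (sas_expired returns 2) is allowed through.
preflight() {
    mode=$(effective_auth_mode)
    case $mode in
        login)
            echo "auth: Azure AD token; permissions come from RBAC data roles" ;;
        key-lookup)
            echo "refusing: no credential and AZURE_STORAGE_AUTH_MODE is not login;" \
                 "the CLI would call the resource provider for the account key on every command" >&2
            return 1 ;;
        sas)
            if sas_expired "$AZURE_STORAGE_SAS_TOKEN"; then
                echo "refusing: SAS token expired at $(sas_param "$AZURE_STORAGE_SAS_TOKEN" se)" >&2
                return 1
            fi
            echo "auth: SAS token, permissions sp=$(sas_param "$AZURE_STORAGE_SAS_TOKEN" sp)" ;;
        key|connection-string)
            echo "auth: $mode (full-account secret, not constrained by RBAC; prefer login)" ;;
    esac
}
```

Source the file and call preflight at the top of any script that runs az storage commands; because the functions only read shell variables, they work on exported and unexported settings alike. The expiry comparison deliberately avoids GNU date -d so it runs under plain sh on macOS and Linux.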

Next steps