Apply an Azure Resource Manager lock to a storage account

We recommend locking all of your storage accounts with an Azure Resource Manager lock to prevent accidental or malicious deletion of the storage account. There are two types of Azure Resource Manager resource locks:

  • A CannotDelete lock prevents users from deleting a storage account, but permits reading and modifying its configuration.
  • A ReadOnly lock prevents users from deleting a storage account or modifying its configuration, but permits reading the configuration.

For more information about Azure Resource Manager locks, see Lock resources to prevent changes.

Note

Locking a storage account does not protect containers or blobs within that account from being deleted or overwritten. For more information about how to protect blob data, see Data protection overview.

Configure an Azure Resource Manager lock

To configure a lock on a storage account with the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Under the Settings section, select Locks.

  3. Select Add.

  4. Provide a name for the resource lock, and specify the type of lock. Add a note about the lock if desired.

    Screenshot showing how to lock a storage account with a CannotDelete lock

Authorizing data operations when a ReadOnly lock is in effect

When a ReadOnly lock is applied to a storage account, the List Keys operation is blocked for that storage account. The List Keys operation is an HTTPS POST operation, and all POST operations are prevented when a ReadOnly lock is configured for the account. The List Keys operation returns the account access keys, which can then be used to read and write to any data in the storage account.

If a client is in possession of the account access keys at the time that the lock is applied to the storage account, then that client can continue to use the keys to access data. However, clients who do not have access to the keys will need to use Azure Active Directory (Azure AD) credentials to access blob or queue data in the storage account.

Users of the Azure portal may be affected when a ReadOnly lock is applied, if they have previously accessed blob or queue data in the portal with the account access keys. After the lock is applied, portal users will need to use Azure AD credentials to access blob or queue data in the portal. To do so, a user must have at least two RBAC roles assigned to them: the Azure Resource Manager Reader role at a minimum, and one of the Azure Storage data access roles. For more information, see one of the following articles:

Data in Azure Files or the Table service may become inaccessible to clients who have previously been accessing it with the account keys. As a best practice, if you must apply a ReadOnly lock to a storage account, then move your Azure Files and Table service workloads to a storage account that is not locked with a ReadOnly lock.

Next steps
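The same lock configuration as the portal steps above, plus a check of the List Keys behaviour under a ReadOnly lock, written as an added Azure PowerShell (Az module) example that is not part of the original article; the resource group, storage account and lock names are placeholders, and a signed-in Az session with rights to manage locks is assumed.

```powershell
# Added example (not from the original article): apply a Resource Manager lock
# to a storage account and observe the effects the article describes.
$rg      = 'rg-storage-prod'      # placeholder resource group name
$account = 'stprodexample001'     # placeholder storage account name
$type    = 'Microsoft.Storage/storageAccounts'

# 1. Apply a CannotDelete lock (the Az cmdlet spells the level 'CanNotDelete').
#    Reading and modifying the configuration remain possible under this lock.
New-AzResourceLock -LockName 'lock-no-delete' -LockLevel CanNotDelete `
    -LockNotes 'Prevent accidental or malicious deletion of the account' `
    -ResourceGroupName $rg -ResourceName $account -ResourceType $type -Force

# 2. Confirm the lock is actually in place before relying on it.
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $account -ResourceType $type |
    Format-List Name, Properties

# 3. A delete attempt now fails with a lock error instead of removing the account.
try {
    Remove-AzStorageAccount -ResourceGroupName $rg -Name $account -Force -ErrorAction Stop
} catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}

# 4. Switch to a ReadOnly lock. List Keys is an HTTPS POST, and POST operations
#    are rejected while a ReadOnly lock is in effect, so listing the keys fails;
#    clients without the keys must use Azure AD credentials (with the Reader
#    role plus a Storage data access role) instead.
Remove-AzResourceLock -LockName 'lock-no-delete' -ResourceGroupName $rg `
    -ResourceName $account -ResourceType $type -Force
New-AzResourceLock -LockName 'lock-read-only' -LockLevel ReadOnly `
    -ResourceGroupName $rg -ResourceName $account -ResourceType $type -Force
try {
    Get-AzStorageAccountKey -ResourceGroupName $rg -Name $account -ErrorAction Stop
} catch {
    Write-Host "List Keys blocked by ReadOnly lock: $($_.Exception.Message)"
}

# Neither lock protects containers or blobs inside the account from deletion or
# overwrite; use the blob data protection features for that.
```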