Prevent Shared Key authorization for an Azure Storage account (preview)

Every secure request to an Azure Storage account must be authorized. By default, a request can be authorized either with Azure Active Directory (Azure AD) credentials or with one of the account access keys, which is Shared Key authorization. Of the two, Azure AD provides superior security and ease of use: access is granted per identity, scoped with Azure RBAC, and attributable in logs, whereas an account key is a single long-lived secret that grants full control over all data in the account to anyone who holds it. Azure therefore recommends Azure AD. To require clients to use Azure AD, you can disallow requests to the storage account that are authorized with Shared Key (preview).

When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secure requests that are authorized with Azure AD will succeed. For more information about using Azure AD, see Authorize access to blobs and queues using Azure Active Directory.

This article describes how to detect requests sent with Shared Key authorization and how to remediate Shared Key authorization for your storage account. To learn how to register for the preview, see About the preview.

Detect the type of authorization used by client applications

When you disallow Shared Key authorization for a storage account, requests from clients that use the account access keys for Shared Key authorization will fail. To understand how disallowing Shared Key authorization will affect client applications before you make the change, enable logging and metrics for the storage account. You can then analyze the pattern of requests to the account over a period of time to determine how requests are being authorized.

Use metrics to determine how many requests the storage account receives that are authorized with Shared Key or with a shared access signature (SAS). Use logs to determine which clients are sending those requests.

For more information about interpreting requests made with a shared access signature during the preview, see About the preview.

Monitor how many requests are authorized with Shared Key

To track how requests to a storage account are being authorized, use Azure Metrics Explorer in the Azure portal. For more information about Metrics Explorer, see Getting started with Azure Metrics Explorer.

Follow these steps to create a metric that tracks requests made with Shared Key or SAS:

  1. Navigate to your storage account in the Azure portal. Under the Monitoring section, select Metrics.

  2. Select Add metric. In the Metric dialog, specify the following values:

    1. Leave the Scope field set to the name of the storage account.
    2. Set the Metric Namespace to Account. This metric reports on all requests against the storage account.
    3. Set the Metric field to Transactions.
    4. Set the Aggregation field to Sum.

    The new metric displays the sum of the number of transactions against the storage account over a given interval of time. The resulting metric appears as shown in the following image:

    [Screenshot: configuring a metric that sums the transactions made with Shared Key or SAS]

  3. Next, select the Add filter button to create a filter on the metric for the type of authorization.

  4. In the Filter dialog, specify the following values:

    1. Set the Property value to Authentication.
    2. Set the Operator field to the equal sign (=).
    3. In the Values field, select Account Key and SAS.
  5. In the upper-right corner, select the time range for which you want to view the metric. You can also indicate how granular the aggregation of requests should be by specifying intervals anywhere from 1 minute to 1 month. For example, set the Time range to 30 days and the Time granularity to 1 day to see requests aggregated by day over the past 30 days.

After you have configured the metric, requests to your storage account begin to appear on the graph. The following image shows requests that were authorized with Shared Key or made with a SAS token. Requests are aggregated per day over the past thirty days.

[Screenshot: aggregated requests authorized with Shared Key or SAS]

You can also configure an alert rule to notify you when a certain number of requests that are authorized with Shared Key are made against your storage account. For more information, see Create, view, and manage metric alerts using Azure Monitor.
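Metrics tell you how many requests used Shared Key; the logs tell you who sent them. The following script is an added example, not code from the original article: it classifies storage resource-log records by authentication type and lists the callers that would break once Shared Key access is disallowed. The record field names follow the StorageBlobLogs table in Azure Monitor (AuthenticationType, CallerIpAddress, UserAgentHeader, OperationName, StatusCode, RequesterObjectId), which is an assumption about your export format, and the log lines themselves are constructed for the example. As the About the preview section explains, a SAS request in the logs may be a service or account SAS (Shared Key signed, will fail) or a user delegation SAS (Azure AD signed, will succeed), so the report keeps SAS requests in a separate "may fail" bucket.

```python
"""Classify Azure Storage resource-log records by authentication type.

Added example, not code from the original article. Field names follow the
StorageBlobLogs table in Azure Monitor (an assumption about the export
format); the sample records are constructed, not captured from a real account.
"""
import json
import re
from collections import Counter, defaultdict

# Values of AuthenticationType as emitted by Azure Storage logging.
SHARED_KEY = "AccountKey"
SAS = "SAS"
OAUTH = "OAuth"
ANONYMOUS = "Anonymous"

# Constructed sample: one JSON record per line, as exported from Log Analytics.
SAMPLE_LOG = """
{"TimeGenerated":"2021-03-01T08:00:01Z","OperationName":"GetBlob","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.10:52344","UserAgentHeader":"azsdk-python-storage-blob/12.8.0","StatusCode":200}
{"TimeGenerated":"2021-03-01T08:00:05Z","OperationName":"PutBlob","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.10:52351","UserAgentHeader":"azsdk-python-storage-blob/12.8.0","StatusCode":201}
{"TimeGenerated":"2021-03-01T08:01:10Z","OperationName":"GetBlob","AuthenticationType":"SAS","CallerIpAddress":"198.51.100.7:40012","UserAgentHeader":"AzCopy/10.9.0","StatusCode":200}
{"TimeGenerated":"2021-03-01T08:01:12Z","OperationName":"GetBlob","AuthenticationType":"OAuth","CallerIpAddress":"203.0.113.22:61000","UserAgentHeader":"azsdk-net-Storage.Blobs/12.8.0","StatusCode":200,"RequesterObjectId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2021-03-01T08:02:00Z","OperationName":"GetBlob","AuthenticationType":"Anonymous","CallerIpAddress":"192.0.2.5:33120","UserAgentHeader":"Mozilla/5.0","StatusCode":200}
{"TimeGenerated":"2021-03-01T08:02:30Z","OperationName":"ListBlobs","AuthenticationType":"AccountKey","CallerIpAddress":"203.0.113.44:50200","UserAgentHeader":"Microsoft Azure Storage Explorer/1.19.0","StatusCode":200}
{"TimeGenerated":"2021-03-01T08:03:00Z","OperationName":"PutBlob","AuthenticationType":"OAuth","CallerIpAddress":"203.0.113.22:61004","UserAgentHeader":"azsdk-net-Storage.Blobs/12.8.0","StatusCode":201,"RequesterObjectId":"00000000-0000-0000-0000-000000000001"}
{"TimeGenerated":"2021-03-01T08:03:40Z","OperationName":"PutBlob","AuthenticationType":"SAS","CallerIpAddress":"198.51.100.7:40018","UserAgentHeader":"AzCopy/10.9.0","StatusCode":201}
"""

_IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def parse_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def caller_ip(record):
    """Strip the source port that CallerIpAddress carries for IPv4 clients."""
    raw = record.get("CallerIpAddress", "")
    match = _IPV4_PORT.match(raw)
    return match.group(1) if match else raw


def count_by_auth(records):
    """Requests per AuthenticationType, e.g. {'AccountKey': 3, 'SAS': 2, ...}."""
    return dict(Counter(r.get("AuthenticationType", "Unknown") for r in records))


def callers_using(records, auth_type):
    """(ip, user_agent, request_count) for every client that used auth_type,
    most active first. For AccountKey these are the clients to migrate to
    Azure AD before you set AllowSharedKeyAccess to false."""
    groups = defaultdict(int)
    for r in records:
        if r.get("AuthenticationType") == auth_type:
            groups[(caller_ip(r), r.get("UserAgentHeader", ""))] += 1
    return sorted(((ip, ua, n) for (ip, ua), n in groups.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


def readiness_report(records):
    """Summarize what would break if Shared Key authorization were disallowed.

    SAS requests are reported separately because the log does not say which
    kind of SAS signed them: service and account SAS are Shared Key signed and
    would fail, a user delegation SAS is Azure AD signed and would succeed.
    OAuth (Azure AD) and Anonymous requests are unaffected by the setting."""
    by_auth = count_by_auth(records)
    return {
        "total": len(records),
        "by_auth": by_auth,
        "will_fail": by_auth.get(SHARED_KEY, 0),
        "may_fail_sas": by_auth.get(SAS, 0),
        "unaffected": by_auth.get(OAUTH, 0) + by_auth.get(ANONYMOUS, 0),
        "shared_key_callers": callers_using(records, SHARED_KEY),
        "sas_callers": callers_using(records, SAS),
    }


if __name__ == "__main__":
    for key, value in readiness_report(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a Log Analytics export of StorageBlobLogs (and StorageQueueLogs) covering at least one full business cycle; a client that only appears monthly will not show up in a one-week window, and the user agent string is usually enough to identify the SDK or tool that needs to be switched to Azure AD.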

Remediate authorization via Shared Key

You can take action to prevent access via Shared Key. But first, you need to update any applications that are using Shared Key authorization to use Azure AD instead. You can monitor logs and metrics as described in Detect the type of authorization used by client applications to track the transition. For more information about using Azure AD with blob and queue data, see Authorize access to blobs and queues using Azure Active Directory.

When you are confident that you can safely reject requests that are authorized with Shared Key, set the AllowSharedKeyAccess property of the storage account to false.

The AllowSharedKeyAccess property is not set by default and does not return a value until you explicitly set it. The storage account permits requests that are authorized with Shared Key when the property is null or true; only an explicit false disallows them. When auditing accounts, treat a missing or null value as "Shared Key allowed".

Warning

If any clients are currently accessing data in your storage account with Shared Key, Azure recommends that you migrate those clients to Azure AD before disallowing Shared Key access to the storage account.

To disallow Shared Key authorization for a storage account in the Azure portal, follow these steps:

  1. Navigate to your storage account in the Azure portal.

  2. Locate the Configuration setting under Settings.

  3. Set Allow shared key access to Disabled.

    [Screenshot: disallowing Shared Key access for the account]

After you disallow Shared Key authorization, a request to the storage account that is authorized with Shared Key fails with HTTP status 403 (Forbidden). Azure Storage returns an error indicating that key-based authorization is not permitted on the storage account.

Verify that Shared Key access is not allowed

To verify that Shared Key authorization is no longer permitted, attempt to call a data operation with the account access key. The following example attempts to create a container using the access key. The call fails when Shared Key authorization is disallowed for the storage account. Remember to replace the placeholder values in brackets with your own values:

# Expected to fail with 403 (Forbidden) once Shared Key access is disallowed.
az storage container create \
    --account-name <storage-account> \
    --name sample-container \
    --account-key <key> \
    --auth-mode key
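The CLI hides what "authorized with Shared Key" actually means on the wire. The following script is an added example, not code from the original article: it builds a raw "create container" request and signs it the way the service's Shared Key scheme requires (HMAC-SHA256 over a canonicalized string-to-sign, keyed with the decoded account key, for service version 2009-09-19 and later), then sends it and reports the HTTP status and the storage error code. DEMO_KEY, the account name myaccount and the container name sample-container are constructed placeholders; the expected error code KeyBasedAuthenticationNotPermitted is taken from observed service behavior, not from this page, and should be treated as an assumption. Only probe_container_create() touches the network.

```python
"""Probe whether a storage account still accepts Shared Key authorization.

Added example, not code from the original article. Signs a PUT
/<container>?restype=container request with the Shared Key scheme so the
request the setting rejects is visible in full. DEMO_KEY and the names used
here are constructed placeholders; only probe_container_create() uses the
network.
"""
import base64
import hashlib
import hmac
import re
import urllib.error
import urllib.request
from email.utils import formatdate

# Standard headers that enter the string-to-sign, in the order the service
# defines. A header that is absent still contributes its (empty) line.
STANDARD_HEADERS = (
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
    "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
    "If-Unmodified-Since", "Range",
)
API_VERSION = "2020-04-08"
# Constructed 64-byte key (all zeros), base64 encoded like a real account key.
DEMO_KEY = base64.b64encode(bytes(64)).decode()


def string_to_sign(verb, account, path, query, headers):
    """Build the Shared Key string-to-sign for a Blob or Queue service request."""
    lower = {k.lower(): v for k, v in headers.items()}
    parts = [verb.upper()]
    for name in STANDARD_HEADERS:
        value = lower.get(name.lower(), "")
        if name == "Content-Length" and value == "0":
            value = ""  # versions 2015-02-21 and later sign an empty length for 0
        parts.append(value)
    # CanonicalizedHeaders: every x-ms-* header, lowercased and sorted by name.
    canonical_headers = "".join(
        f"{k}:{lower[k].strip()}\n" for k in sorted(lower) if k.startswith("x-ms-")
    )
    # CanonicalizedResource: /account/path, then each query parameter sorted.
    canonical_resource = f"/{account}{path}"
    for name in sorted(query):
        values = query[name] if isinstance(query[name], (list, tuple)) else [query[name]]
        canonical_resource += f"\n{name.lower()}:{','.join(sorted(values))}"
    return "\n".join(parts) + "\n" + canonical_headers + canonical_resource


def shared_key_authorization(account, key_b64, sts):
    """Authorization header value: 'SharedKey <account>:<base64 HMAC-SHA256>'."""
    digest = hmac.new(base64.b64decode(key_b64), sts.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode()}"


def build_create_container_request(account, key_b64, container, now=None):
    """URL and headers for PUT /<container>?restype=container, Shared Key signed."""
    headers = {
        "x-ms-date": now or formatdate(usegmt=True),
        "x-ms-version": API_VERSION,
    }
    path = f"/{container}"
    sts = string_to_sign("PUT", account, path, {"restype": "container"}, headers)
    headers["Authorization"] = shared_key_authorization(account, key_b64, sts)
    return f"https://{account}.blob.core.windows.net{path}?restype=container", headers


def probe_container_create(account, key_b64, container):
    """Send the signed request. Returns (http_status, storage_error_code).

    With AllowSharedKeyAccess = false the expected result is
    (403, 'KeyBasedAuthenticationNotPermitted') (error code assumed from observed
    service behavior); 201 means Shared Key authorization still works.
    """
    url, headers = build_create_container_request(account, key_b64, container)
    request = urllib.request.Request(url, method="PUT", headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=15) as response:
            return response.status, None
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        match = re.search(r"<Code>([^<]+)</Code>", body)
        return err.code, match.group(1) if match else None
```

Call probe_container_create("<storage-account>", "<key>", "sample-container") after flipping the setting; a 403 with the key-based error code confirms the control, while a 201 (or a 409 ContainerAlreadyExists) means the key still authorizes requests. Any 403 for a different reason (for example a wrong key, or a clock skew on x-ms-date) carries a different error code, so check the code rather than just the status.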

Note

Anonymous requests carry no authorization at all, so this setting does not affect them: they continue to succeed if you have configured the storage account and container for anonymous public read access. Disallowing Shared Key is not a substitute for reviewing public access. For more information, see Configure anonymous public read access for containers and blobs.

Permissions for allowing or disallowing Shared Key access

To set the AllowSharedKeyAccess property for the storage account, a user must have permissions to create and manage storage accounts. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.Storage/storageAccounts/write or Microsoft.Storage/storageAccounts/* action. Built-in roles with this action include:

These roles do not provide access to data in a storage account via Azure Active Directory (Azure AD). However, they include the Microsoft.Storage/storageAccounts/listkeys/action, which grants access to the account access keys. With this permission, a user can use the account access keys to access all data in the storage account. In other words, anyone who can turn Shared Key access off can also read the keys and turn it back on, so this setting protects against stray or low-privileged use of the keys, not against the administrators who manage the account.

Role assignments must be scoped to the level of the storage account or higher to permit a user to allow or disallow Shared Key access for the storage account. For more information about role scope, see Understand scope for Azure RBAC.

Be careful to restrict assignment of these roles to those who require the ability to create a storage account or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions they need to accomplish their tasks. For more information about managing access with Azure RBAC, see Best practices for Azure RBAC.

Note

The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, so a user with one of these administrative roles can also create and manage storage accounts. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.

Understand how disallowing Shared Key affects SAS tokens

When Shared Key access is disallowed for the storage account, Azure Storage handles a SAS token according to the type of SAS and the service targeted by the request. The deciding factor is what the SAS was signed with: a service SAS or account SAS is signed with an account key, so it is a Shared Key credential; a user delegation SAS is signed with a key obtained through Azure AD. The following table shows how each type of SAS is authorized and how Azure Storage handles it when the AllowSharedKeyAccess property for the storage account is false.

Type of SAS                              | Type of authorization | Behavior when AllowSharedKeyAccess is false
User delegation SAS (Blob storage only)  | Azure AD              | Request is permitted. Azure recommends using a user delegation SAS when possible for superior security.
Service SAS                              | Shared Key            | Request is denied for all Azure Storage services.
Account SAS                              | Shared Key            | Request is denied for all Azure Storage services.

For more information about shared access signatures, see Grant limited access to Azure Storage resources using shared access signatures (SAS).

Consider compatibility with other Azure tools and services

A number of Azure services use Shared Key authorization to communicate with Azure Storage. If you disallow Shared Key authorization for a storage account, those services will no longer be able to access data in that account, and applications that depend on them may be adversely affected.

Some Azure tools offer the option to use Azure AD authorization to access Azure Storage. The following table lists some popular Azure tools and notes whether they can use Azure AD to authorize requests to Azure Storage.

Azure tool             | Azure AD authorization to Azure Storage
Azure portal           | Supported. For information about authorizing with your Azure AD account from the Azure portal, see Choose how to authorize access to blob data in the Azure portal.
AzCopy                 | Supported for Blob storage. For information about authorizing AzCopy operations, see Choose how you'll provide authorization credentials in the AzCopy documentation.
Azure Storage Explorer | Supported for Blob storage and Azure Data Lake Storage Gen2 only. Azure AD access to Queue storage is not supported. Make sure to select the correct Azure AD tenant. For more information, see Get started with Storage Explorer.
Azure PowerShell       | Supported. For information about how to authorize PowerShell commands for blob or queue operations with Azure AD, see Run PowerShell commands with Azure AD credentials to access blob data or Run PowerShell commands with Azure AD credentials to access queue data.
Azure CLI              | Supported. For information about how to authorize Azure CLI commands with Azure AD for access to blob and queue data, see Run Azure CLI commands with Azure AD credentials to access blob or queue data.

Transition Azure Files and Table storage workloads

Azure Storage supports Azure AD authorization for requests to Blob and Queue storage only. If you disallow Shared Key authorization for a storage account, requests to Azure Files or Table storage that use Shared Key authorization will fail. Because the Azure portal always uses Shared Key authorization to access file and table data, you will also be unable to view file or table data in the Azure portal for that account.

Azure recommends that you either migrate any Azure Files or Table storage data to a separate storage account before you disallow access to the account via Shared Key, or that you do not apply this setting to storage accounts that serve Azure Files or Table storage workloads.

Disallowing Shared Key access for a storage account does not affect SMB connections to Azure Files.

About the preview

Azure 中提供禁止使用共享密钥授权的预览功能。The preview for disallowing Shared Key authorization is available in the Azure. 仅支持使用 Azure 资源管理器部署模型的存储帐户。It is supported for storage accounts that use the Azure Resource Manager deployment model only. 有关哪些存储帐户使用 Azure 资源管理器部署模型的信息,请参阅存储帐户的类型For information about which storage accounts use the Azure Resource Manager deployment model, see Types of storage accounts.

The preview has the limitations described in the following sections.

Metrics and logging report all requests made with a SAS regardless of how they are authorized

During the preview, Azure metrics and Azure Storage logging in Azure Monitor do not distinguish between the different types of shared access signature. The SAS filter in Azure Metrics Explorer and the SAS field in Azure Storage logging in Azure Monitor both report requests authorized with any type of SAS. However, the different types of shared access signature are authorized differently and behave differently when Shared Key access is disallowed:

  • A service SAS token or an account SAS token is authorized with Shared Key and will not be permitted on a request to Blob storage when the AllowSharedKeyAccess property is set to false.
  • A user delegation SAS is authorized with Azure AD and will be permitted on a request to Blob storage when the AllowSharedKeyAccess property is set to false.

When you evaluate traffic to your storage account, keep in mind that the metrics and logs described in Detect the type of authorization used by client applications may include requests made with a user delegation SAS, which will keep working. A SAS count of zero means you are safe; a non-zero count needs to be traced to the issuing clients before you can tell whether they will break. For more information about how Azure Storage responds to a SAS when the AllowSharedKeyAccess property is set to false, see Understand how disallowing Shared Key affects SAS tokens.

Next steps