Manage storage account access keys

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization: the client signs each request with HMAC-SHA256 under the key, and the service recomputes the signature to check it.
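The following is an added example, not code from this page or from the Azure SDK. It shows what "authorize via Shared Key" means on the wire: the request is reduced to a canonical string-to-sign, HMAC-SHA256 is computed over it with the base64-decoded account key, and the result goes into the Authorization header. The account name "contosostorage", the request and both 64-byte keys are constructed for the example and are not real. The service-side verify function makes the "root password" point concrete: the same key authorizes any operation on the account, a DELETE included.

```python
"""Shared Key authorization for an Azure Blob service request (added example).

Builds and verifies the Authorization header as the Shared Key scheme defines
it. ACCOUNT, URL, HEADERS, KEY and WRONG_KEY are constructed test values.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

ACCOUNT = "contosostorage"                                   # fictitious account
KEY = base64.b64encode(b"\x01" * 64).decode()                # constructed 512-bit key
WRONG_KEY = base64.b64encode(b"\x02" * 64).decode()          # a second constructed key
URL = (f"https://{ACCOUNT}.blob.core.windows.net/logs/2024-05-01.log"
       "?comp=metadata&timeout=30")
HEADERS = {
    "x-ms-date": "Wed, 01 May 2024 12:00:00 GMT",
    "x-ms-version": "2021-08-06",
    "Content-Length": "0",
}


def string_to_sign(method: str, url: str, headers: dict, account: str) -> str:
    """Canonical string for x-ms-version 2015-02-21 and later (Blob, Queue, File)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}

    # Content-Length is an empty string in the signature when it is 0 or absent.
    content_length = h.get("content-length", "")
    if content_length == "0":
        content_length = ""

    # When x-ms-date is sent, the Date slot is left empty.
    date = "" if "x-ms-date" in h else h.get("date", "")

    standard = [
        method.upper(),
        h.get("content-encoding", ""),
        h.get("content-language", ""),
        content_length,
        h.get("content-md5", ""),
        h.get("content-type", ""),
        date,
        h.get("if-modified-since", ""),
        h.get("if-match", ""),
        h.get("if-none-match", ""),
        h.get("if-unmodified-since", ""),
        h.get("range", ""),
    ]

    # CanonicalizedHeaders: every x-ms-* header, lowercased, sorted, "name:value\n".
    canonical_headers = "".join(
        f"{k}:{v}\n" for k, v in sorted(h.items()) if k.startswith("x-ms-")
    )

    # CanonicalizedResource: "/" + account + path, then each query parameter
    # (name lowercased, sorted) as "\nname:value"; repeated values sorted, comma-joined.
    parts = urlsplit(url)
    params: dict = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        params.setdefault(name.lower(), []).extend(values)
    canonical_resource = f"/{account}{parts.path}" + "".join(
        f"\n{name}:{','.join(sorted(params[name]))}" for name in sorted(params)
    )

    return "\n".join(standard) + "\n" + canonical_headers + canonical_resource


def sign_request(method: str, url: str, headers: dict, account: str, key_b64: str) -> dict:
    """Return a copy of the headers with the Shared Key Authorization header added."""
    digest = hmac.new(
        base64.b64decode(key_b64),
        string_to_sign(method, url, headers, account).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    signature = base64.b64encode(digest).decode()
    return {**headers, "Authorization": f"SharedKey {account}:{signature}"}


def verify_request(method: str, url: str, headers: dict, account: str, key_b64: str) -> bool:
    """Service-side check: recompute the signature and compare in constant time."""
    presented = headers.get("Authorization", "")
    unsigned = {k: v for k, v in headers.items() if k != "Authorization"}
    expected = sign_request(method, url, unsigned, account, key_b64)["Authorization"]
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    signed = sign_request("GET", URL, HEADERS, ACCOUNT, KEY)
    print(signed["Authorization"])
    # Whoever holds the key can sign any operation, including a DELETE:
    deleting = sign_request("DELETE", URL, HEADERS, ACCOUNT, KEY)
    print(verify_request("DELETE", URL, deleting, ACCOUNT, KEY))
```

Nothing in the scheme binds a key to a caller, an operation or a time window beyond the date header, which is why a leaked key has to be regenerated rather than "revoked" for one user.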

Azure recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate them. Using Key Vault lets you rotate keys without interrupting your applications. You can also rotate your keys manually.

Protect your access keys

Your storage account access keys are the equivalent of a root password for the storage account: anyone who holds a key can read, write and delete any data in the account and can mint shared access signatures over it. Always protect your access keys. Use Azure Key Vault to manage and rotate them securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others (source control, build logs and container images are common leak points). Rotate your keys immediately if you believe they may have been compromised.

Note

Azure recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data whenever possible, instead of Shared Key. Azure AD provides better security and ease of use than Shared Key: access is granted per identity and per role rather than through one account-wide secret, so it can be scoped, audited and revoked without regenerating anything. For more information about authorizing access to data with Azure AD, see Authorize access to Azure blobs and queues using Azure Active Directory.

View account access keys

You can view and copy your account access keys with the Azure portal, PowerShell, or Azure CLI. The Azure portal also provides a connection string for your storage account that you can copy.

To view and copy your storage account access keys or connection string from the Azure portal:

  1. Navigate to your storage account in the Azure portal.

  2. Under Settings, select Access keys. Your account access keys appear, together with the complete connection string for each key.

  3. Locate the Key value under key1, and click the Copy button to copy the account key.

  4. Alternatively, copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy it.

    [Screenshot: viewing access keys in the Azure portal]

You can use either of the two keys to access Azure Storage, but in general it is good practice to use the first key and reserve the second key for when you are rotating keys.

To view or read an account's access keys, the user must either be a Service Administrator, or be assigned an Azure role that includes Microsoft.Storage/storageAccounts/listkeys/action. Azure built-in roles that include this action include Owner, Contributor, and Storage Account Key Operator Service Role; Reader does not. Because Contributor includes it, anyone holding Contributor at resource-group or subscription scope can read every key of every storage account in that scope, which is a reason to keep such assignments narrow. For more information about the Service Administrator role, see Classic subscription administrator roles, Azure roles, and Azure AD roles. For detailed information about built-in roles for Azure Storage, see the Storage section in Azure built-in roles for Azure RBAC.

Use Azure Key Vault to manage your access keys

Azure recommends using Azure Key Vault to manage and rotate your access keys. Your application can securely retrieve the keys from Key Vault at run time, so that you avoid storing them with your application code. For more information about using Key Vault for key management, see the following articles:

Manually rotate access keys

Azure recommends that you rotate your access keys periodically to help keep your storage account secure. If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually.

Two access keys are assigned so that you can rotate them. Having two keys lets your application keep access to Azure Storage throughout the process: clients move to one key while the other is regenerated, then back again.

Warning

Regenerating your access keys affects any applications or Azure services that depend on the storage account key. Any client that uses the account key to access the storage account must be updated to use the new key, including media services, cloud, desktop and mobile applications, and graphical user interface applications for Azure Storage such as Azure Storage Explorer. Shared access signatures (SAS) that were signed with the regenerated key stop working as well.

To rotate your storage account access keys in the Azure portal:

  1. Update the connection strings in your application code to reference the secondary access key for the storage account.
  2. Navigate to your storage account in the Azure portal.
  3. Under Settings, select Access keys.
  4. To regenerate the primary access key for your storage account, select the Regenerate button next to the primary access key.
  5. Update the connection strings in your code to reference the new primary access key.
  6. Regenerate the secondary access key in the same manner.

Note

Azure recommends using only one of the keys across all of your applications at any given time. If you use key1 in some places and key2 in others, there is no key you can regenerate without some application losing access.
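The six-step procedure above and the single-key rule in this note, as an added example that is not Microsoft's code. `rotate_access_keys` drives the hand-off against any object exposing `list_keys(rg, account)` and `regenerate_key(rg, account, {"key_name": ...})`, which is the shape assumed here for `StorageManagementClient(...).storage_accounts` from the azure-mgmt-storage package; `FakeStorageAccount` is a constructed in-memory stand-in for the account so the script runs offline, and `deploy_key` is the hook where a real run would write the new value to Key Vault or application configuration. `clients_stranded_by` shows the failure mode the note describes: with clients split across key1 and key2, regenerating either key cuts someone off.

```python
"""Zero-downtime rotation of storage account access keys (added example).

rotate_access_keys follows steps 1-6 from the page. FakeStorageAccount stands in
for Azure (constructed, offline); deploy_key stands in for Key Vault / config.
"""
import base64
import os
from types import SimpleNamespace as NS
from typing import Callable, Dict, List


def _fresh_key() -> str:
    """Random 512-bit key, base64-encoded like Azure's (constructed locally)."""
    return base64.b64encode(os.urandom(64)).decode()


class FakeStorageAccount:
    """Stand-in for the ARM key operations plus the data-plane key check."""

    def __init__(self) -> None:
        self._keys: Dict[str, str] = {"key1": _fresh_key(), "key2": _fresh_key()}
        self.regenerations: List[str] = []

    def list_keys(self, rg: str, account: str) -> NS:
        # Same shape as the SDK result: .keys -> objects with .key_name and .value
        return NS(keys=[NS(key_name=n, value=v) for n, v in self._keys.items()])

    def regenerate_key(self, rg: str, account: str, regenerate_key: dict) -> NS:
        name = regenerate_key["key_name"]
        self._keys[name] = _fresh_key()          # old value is rejected from now on
        self.regenerations.append(name)
        return self.list_keys(rg, account)

    def authorizes(self, key_value: str) -> bool:
        return key_value in self._keys.values()  # either current key works


def key_value(client, rg: str, account: str, key_name: str) -> str:
    for k in client.list_keys(rg, account).keys:
        if k.key_name == key_name:
            return k.value
    raise KeyError(key_name)


def clients_stranded_by(key_name: str, client_keys: Dict[str, str],
                        current: Dict[str, str]) -> List[str]:
    """Clients that lose access if key_name is regenerated now (the mixed-key trap)."""
    return sorted(c for c, used in client_keys.items() if used == current[key_name])


def rotate_access_keys(client, rg: str, account: str, deploy_key: Callable[[str], None],
                       clients_ok: Callable[[], bool]) -> List[str]:
    """Steps 1-6 of the procedure; stops at the first step that strands a client."""
    log: List[str] = []

    def step(label: str) -> None:
        log.append(label)
        if not clients_ok():
            raise RuntimeError(f"clients lost access after: {label}")

    deploy_key(key_value(client, rg, account, "key2"))        # 1. every client -> key2
    step("clients -> key2")
    client.regenerate_key(rg, account, {"key_name": "key1"})   # 4. key1 unused, regenerate
    step("regenerate key1")
    deploy_key(key_value(client, rg, account, "key1"))        # 5. every client -> new key1
    step("clients -> key1")
    client.regenerate_key(rg, account, {"key_name": "key2"})   # 6. key2 unused, regenerate
    step("regenerate key2")
    return log


def run_demo() -> dict:
    """Rotate with every client on key1, then show why split key usage cannot be rotated."""
    account, clients = FakeStorageAccount(), {}

    def deploy(value: str) -> None:      # single-key discipline: everyone gets the same key
        clients.update({"web": value, "worker": value})

    def clients_ok() -> bool:
        return all(account.authorizes(v) for v in clients.values())

    deploy(key_value(account, "rg", "acct", "key1"))
    log = rotate_access_keys(account, "rg", "acct", deploy, clients_ok)

    current = {k.key_name: k.value for k in account.list_keys("rg", "acct").keys}
    mixed = {"web": current["key1"], "batch": current["key2"]}   # pattern the note warns about
    return {
        "log": log,
        "regenerations": list(account.regenerations),
        "all_ok": clients_ok(),
        "single_strands_key2": clients_stranded_by("key2", clients, current),
        "mixed_strands_key1": clients_stranded_by("key1", mixed, current),
        "mixed_strands_key2": clients_stranded_by("key2", mixed, current),
    }


if __name__ == "__main__":
    print(run_demo())
```

The `clients_ok` probe after every step is the part worth keeping in a real runbook: it turns "some application lost access" from a support ticket into an abort at the step that caused it, with the other key still valid for rollback.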

To rotate an account's access keys, the user must either be a Service Administrator, or be assigned an Azure role that includes Microsoft.Storage/storageAccounts/regeneratekey/action. Azure built-in roles that include this action include Owner, Contributor, and Storage Account Key Operator Service Role. For more information about the Service Administrator role, see Classic subscription administrator roles, Azure roles, and Azure AD roles. For detailed information about Azure built-in roles for Azure Storage, see the Storage section in Azure built-in roles for Azure RBAC.

Next steps