Manage storage account access keys

When you create a storage account, Azure generates two 512-bit storage account access keys. These keys can be used to authorize access to data in your storage account via Shared Key authorization.

Azure recommends that you use Azure Key Vault to manage your access keys, and that you regularly rotate and regenerate your keys. Using Azure Key Vault makes it easy to rotate your keys without interruption to your applications. You can also manually rotate your keys.

Protect your access keys

Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.

If possible, use Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key. For more information about authorizing access to data with Azure AD, see Authorize access to Azure blobs and queues using Azure Active Directory.

View access keys and connection string

To view and copy your storage account access keys or connection string from the Azure portal:

  1. Navigate to the Azure portal.

  2. Locate your storage account.

  3. In the Settings section of the storage account overview, select Access keys. Your account access keys appear, as well as the complete connection string for each key.

  4. Find the Key value under key1, and click the Copy button to copy the account key.

  5. Alternatively, you can copy the entire connection string. Find the Connection string value under key1, and click the Copy button to copy the connection string.

    Screenshot showing how to view access keys in the Azure portal

You can use either key to access Azure Storage, but in general it's a good practice to use the first key, and reserve the use of the second key for when you are rotating keys.

Use Azure Key Vault to manage your access keys

Azure recommends using Azure Key Vault to manage and rotate your access keys. Your application can securely access your keys in Key Vault, so that you can avoid storing them with your application code. For more information about using Key Vault for key management, see the following articles:

Manually rotate access keys

Azure recommends that you rotate your access keys periodically to help keep your storage account secure. If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually.

Two access keys are assigned so that you can rotate your keys. Having two keys ensures that your application maintains access to Azure Storage throughout the process.

Warning

Regenerating your access keys can affect any applications or Azure services that are dependent on the storage account key. Any clients that use the account key to access the storage account must be updated to use the new key, including media services, cloud, desktop and mobile applications, and graphical user interface applications for Azure Storage, such as Azure Storage Explorer.

Follow this process to rotate your storage account keys:

  1. Update the connection strings in your application code to use the secondary key.
  2. Regenerate the primary access key for your storage account. On the Access Keys blade in the Azure portal, click Regenerate Key1, and then click Yes to confirm that you want to generate a new key.
  3. Update the connection strings in your code to reference the new primary access key.
  4. Regenerate the secondary access key in the same manner.

Note

Azure recommends using only one of the keys in all of your applications at the same time. If you use Key 1 in some places and Key 2 in others, you will not be able to rotate your keys without some application losing access.
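The four-step rotation and the single-key rule above, as an added example that is not part of this article or of any Azure SDK: it audits which key each application's connection string uses, refuses to regenerate a key that some application still depends on, and rewrites the AccountKey value in the connection strings at steps 1 and 3. The keys, the account name `examplestorage`, the application names and the `regenerate` callback are all constructed for the example; the callback stands in for the portal or CLI action that returns the new key.

```python
import base64

# Constructed sample keys (not real Azure keys): 512 bits = 64 bytes, base64-encoded.
KEY1 = base64.b64encode(bytes([0x11]) * 64).decode()
KEY2 = base64.b64encode(bytes([0x22]) * 64).decode()
ENDPOINT = "DefaultEndpointsProtocol=https;AccountName=examplestorage"

# Constructed app configs: web-app uses key1, worker uses key2 (the mixed state the note warns about).
CONFIGS = {
    "web-app": f"{ENDPOINT};AccountKey={KEY1};EndpointSuffix=core.windows.net",
    "worker": f"{ENDPOINT};AccountKey={KEY2};EndpointSuffix=core.windows.net",
}

def parse_connection_string(conn_str):
    # Values may contain '=' (base64 padding), so split each pair on the first '=' only.
    return dict(pair.partition("=")[::2] for pair in conn_str.split(";") if pair)

def is_valid_account_key(key):
    # Genuine account keys decode to exactly 64 bytes.
    try:
        return len(base64.b64decode(key, validate=True)) == 64
    except ValueError:
        return False

def audit_key_usage(configs, key1, key2):
    # Report which key each application uses ("key1", "key2" or "unknown")
    # so you can confirm a single key is in use before regenerating the other.
    names = {key1: "key1", key2: "key2"}
    return {app: names.get(parse_connection_string(cs).get("AccountKey"), "unknown")
            for app, cs in configs.items()}

def switch_key(conn_str, new_key):
    # Rewrite AccountKey in a connection string (rotation steps 1 and 3).
    if not is_valid_account_key(new_key):
        raise ValueError("not a base64-encoded 512-bit account key")
    parts = parse_connection_string(conn_str)
    parts["AccountKey"] = new_key
    return ";".join(f"{k}={v}" for k, v in parts.items())

def rotate(configs, key1, key2, regenerate):
    # The four steps above; `regenerate(name)` stands in for the portal/CLI action and
    # returns the fresh key. A key is regenerated only once no application still uses it.
    configs = {app: switch_key(cs, key2) for app, cs in configs.items()}
    if "key1" in audit_key_usage(configs, key1, key2).values():
        raise RuntimeError("an application still uses key1")
    new_key1 = regenerate("key1")
    configs = {app: switch_key(cs, new_key1) for app, cs in configs.items()}
    if "key2" in audit_key_usage(configs, new_key1, key2).values():
        raise RuntimeError("an application still uses key2")
    new_key2 = regenerate("key2")
    return configs, new_key1, new_key2
```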

Next steps