Create an account SAS with .NET

A shared access signature (SAS) lets you grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints: which Azure Storage resources a client is allowed to access, what permissions it has on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key.

A user delegation SAS offers better security than a SAS signed with the storage account key: it is bound to an Azure AD identity and its RBAC permissions rather than to a key that grants full control of the whole account. Azure recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for .NET.

Create an account SAS

An account SAS is signed with the account access key. Use the StorageSharedKeyCredential class to create the credential that signs the SAS. Next, create an AccountSasBuilder object, set the services, resource types, permissions and expiry it should grant, and call ToSasQueryParameters to get the SAS token string. Because the token is signed with the account key, it stays valid until its expiry; the only way to revoke it early is to regenerate the account key, which invalidates every SAS signed with that key, so keep lifetimes short and permissions narrow.

// Requires: using Azure.Storage; using Azure.Storage.Sas;
private static string GetAccountSASToken(StorageSharedKeyCredential key)
{
    // Create a SAS token that's valid for one hour.
    AccountSasBuilder sasBuilder = new AccountSasBuilder()
    {
        // Services and resource types the token may touch: the Blob and File
        // services, at the service level only. Service-level scope is what the
        // Get/SetProperties calls later in this article need; container or blob
        // operations would require Container or Object resource types instead.
        Services = AccountSasServices.Blobs | AccountSasServices.Files,
        ResourceTypes = AccountSasResourceTypes.Service,
        ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
        // Reject the token over plain HTTP so it cannot be captured and replayed off the wire.
        Protocol = SasProtocol.Https
    };

    sasBuilder.SetPermissions(AccountSasPermissions.Read |
        AccountSasPermissions.Write);

    // Use the key to get the SAS token.
    string sasToken = sasBuilder.ToSasQueryParameters(key).ToString();

    // The token is a bearer credential: anyone holding it has these permissions
    // until ExpiresOn. Printing it is fine for a walkthrough; do not log it in production.
    Console.WriteLine("SAS token for the storage account is: {0}", sasToken);
    Console.WriteLine();

    return sasToken;
}

Use an account SAS from a client

To use the account SAS to access service-level APIs for the Blob service, construct a Blob service client object using the SAS and the Blob storage endpoint for your storage account. Service-level operations such as getting or setting service properties are only authorized when the SAS was issued with the Service resource type (srt=s) and the matching permission; a SAS scoped to containers or objects is rejected with HTTP 403 even though it is validly signed.

// Requires: using Azure.Storage.Blobs; using Azure.Storage.Blobs.Models;
private static void UseAccountSAS(Uri blobServiceUri, string sasToken)
{
    // Append the SAS token as the query string of the service endpoint
    // (blobServiceUri is assumed to carry no query string of its own).
    var blobServiceClient = new BlobServiceClient(
        new Uri($"{blobServiceUri}?{sasToken}"));

    BlobRetentionPolicy retentionPolicy = new BlobRetentionPolicy();
    retentionPolicy.Enabled = true;
    retentionPolicy.Days = 7;

    // Setting service properties is a service-level operation, so the SAS must
    // have been issued with ResourceTypes = Service and Write permission.
    // BlobMetrics.Enabled defaults to false, so this configures retention
    // without turning metrics collection on.
    blobServiceClient.SetProperties(new BlobServiceProperties()
    {
        HourMetrics = new BlobMetrics()
        {
            RetentionPolicy = retentionPolicy,
            Version = "1.0"
        },
        MinuteMetrics = new BlobMetrics()
        {
            RetentionPolicy = retentionPolicy,
            Version = "1.0"
        },
        Logging = new BlobAnalyticsLogging()
        {
            Write = true,
            Read = true,
            Delete = true,
            RetentionPolicy = retentionPolicy,
            Version = "1.0"
        }
    });

    // The permissions granted by the account SAS also permit you to retrieve service properties.

    BlobServiceProperties serviceProperties = blobServiceClient.GetProperties().Value;
    Console.WriteLine(serviceProperties.HourMetrics.RetentionPolicy.Days);
    Console.WriteLine(serviceProperties.HourMetrics.Version);
}
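The following is an added example, not code from the original article or from the Azure SDK itself. It pulls together the two procedures above (building an account SAS with AccountSasBuilder, then handing it to a BlobServiceClient) and adds the checks a practitioner wants before a token leaves the issuing service: a least-privilege builder next to the article's broad one, an offline policy check over the token's query fields, and client construction through AzureSasCredential instead of pasting the token into the URL. The account name "exampleaccount", the all-zero account key, the client IP 203.0.113.10 and the 30-minute lifetime limit are constructed placeholders; because signing is local HMAC computation, everything except the final network request runs offline.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net;
using Azure;
using Azure.Storage;
using Azure.Storage.Blobs;
using Azure.Storage.Sas;

// Added example: least-privilege account SAS, offline policy check, and a client
// built from the token. Account name, key and IP are constructed placeholders.
public static class AccountSasHygiene
{
    // Narrow counterpart of the article's GetAccountSASToken: one service, object-level
    // resources only, read-only, HTTPS only, 15-minute lifetime, a start time slightly in
    // the past to absorb clock skew, and the caller's IP pinned so a leaked token is
    // useless from anywhere else.
    public static string CreateReadOnlyBlobSas(StorageSharedKeyCredential key, IPAddress clientIp)
    {
        var builder = new AccountSasBuilder
        {
            Services = AccountSasServices.Blobs,
            ResourceTypes = AccountSasResourceTypes.Object,
            StartsOn = DateTimeOffset.UtcNow.AddMinutes(-5),
            ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(15),
            Protocol = SasProtocol.Https,
            IPRange = new SasIPRange(clientIp)
        };
        builder.SetPermissions(AccountSasPermissions.Read);
        return builder.ToSasQueryParameters(key).ToString();
    }

    // Split a SAS token (query-string form, with or without a leading '?') into its fields.
    public static Dictionary<string, string> ParseSas(string sasToken)
    {
        var fields = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in sasToken.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0)
                fields[pair.Substring(0, eq)] = Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        return fields;
    }

    // Policy an issuer applies before handing a token out, or a service applies to a token
    // it receives. Returns the violations; an empty list means the token is acceptable.
    public static List<string> CheckPolicy(string sasToken, TimeSpan maxLifetime, DateTimeOffset now)
    {
        Dictionary<string, string> f = ParseSas(sasToken);
        var problems = new List<string>();
        if (!f.ContainsKey("sig"))
            problems.Add("missing signature (sig)");
        if (!f.TryGetValue("spr", out string spr) || spr != "https")
            problems.Add("not restricted to HTTPS (spr)");
        if (!f.TryGetValue("sp", out string sp) || sp.Any(c => c != 'r'))
            problems.Add("permissions beyond read (sp=" + (sp ?? "<none>") + ")");
        if (f.TryGetValue("srt", out string srt) && srt.IndexOf('s') >= 0)
            problems.Add("service-level resource type granted (srt contains 's')");
        if (!f.TryGetValue("se", out string se) ||
            !DateTimeOffset.TryParse(se, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out DateTimeOffset expiry))
            problems.Add("missing or unparsable expiry (se)");
        else if (expiry - now > maxLifetime)
            problems.Add("lifetime " + (expiry - now) + " exceeds " + maxLifetime);
        if (!f.ContainsKey("sip"))
            problems.Add("no client IP restriction (sip)");
        return problems;
    }

    // Pass the SAS as a credential rather than in the URL: it stays out of the URI the
    // client logs, and AzureSasCredential.Update swaps in a fresh token without a new client.
    public static BlobServiceClient CreateClient(Uri blobServiceUri, string sasToken)
        => new BlobServiceClient(blobServiceUri, new AzureSasCredential(sasToken));

    public static void Main()
    {
        // Constructed placeholder key (64 zero bytes, base64); signing needs no network.
        var key = new StorageSharedKeyCredential("exampleaccount", Convert.ToBase64String(new byte[64]));

        // The article's token: two services, service-level, read+write, one hour, no IP pin.
        var broadBuilder = new AccountSasBuilder
        {
            Services = AccountSasServices.Blobs | AccountSasServices.Files,
            ResourceTypes = AccountSasResourceTypes.Service,
            ExpiresOn = DateTimeOffset.UtcNow.AddHours(1),
            Protocol = SasProtocol.Https
        };
        broadBuilder.SetPermissions(AccountSasPermissions.Read | AccountSasPermissions.Write);
        string broad = broadBuilder.ToSasQueryParameters(key).ToString();
        string narrow = CreateReadOnlyBlobSas(key, IPAddress.Parse("203.0.113.10"));

        var limit = TimeSpan.FromMinutes(30);
        Console.WriteLine("article SAS:   " + string.Join("; ", CheckPolicy(broad, limit, DateTimeOffset.UtcNow)));
        Console.WriteLine("read-only SAS: " + string.Join("; ", CheckPolicy(narrow, limit, DateTimeOffset.UtcNow)));

        // Building the client is offline; only the first request contacts the service. A
        // service-level call such as GetProperties with the narrow token is refused with 403,
        // because srt=o does not cover service-level operations.
        BlobServiceClient client = CreateClient(new Uri("https://exampleaccount.blob.core.windows.net"), narrow);
        Console.WriteLine("client endpoint: " + client.Uri);
    }
}
```

Running this prints four violations for the article-style token (write permission, service-level resource type, one-hour lifetime, no IP pin) and none for the read-only one. The AzureSasCredential constructor overload of BlobServiceClient is available in Azure.Storage.Blobs 12.7 and later; with older packages, fall back to the query-string form shown in UseAccountSAS.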

Next steps