Create an account SAS with .NET

A shared access signature (SAS) enables you to grant limited access to containers and blobs in your storage account. When you create a SAS, you specify its constraints, including which Azure Storage resources a client is allowed to access, what permissions they have on those resources, and how long the SAS is valid.

Every SAS is signed with a key. You can sign a SAS in one of two ways:

  • With a key created using Azure Active Directory (Azure AD) credentials. A SAS that is signed with Azure AD credentials is a user delegation SAS.
  • With the storage account key. Both a service SAS and an account SAS are signed with the storage account key.

A user delegation SAS offers superior security to a SAS that is signed with the storage account key, because it does not expose or depend on the account key. Azure recommends using a user delegation SAS when possible. For more information, see Grant limited access to data with shared access signatures (SAS).

This article shows how to use the storage account key to create an account SAS with the Azure Storage client library for .NET.

Create an account SAS

To create an account SAS, call the CloudStorageAccount.GetSharedAccessSignature method.

The following code example creates an account SAS that is valid for the Blob and File services and gives the client read, write, and list permissions on service-level APIs. The account SAS restricts the protocol to HTTPS, so requests must be made over HTTPS. Remember to replace placeholder values in angle brackets with your own values:

// Namespaces assumed for the Microsoft.Azure.Storage (v11) client library package.
using System;
using Microsoft.Azure.Storage;

static string GetAccountSASToken()
{
    // To create the account SAS, you need to use Shared Key credentials. Modify for your account.
    const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=<storage-account>;AccountKey=<account-key>;EndpointSuffix=core.chinacloudapi.cn";
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

    // Create a new access policy for the account: which services, which resource types,
    // which permissions, when it expires, and which protocol is allowed.
    SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
        {
            Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List,
            Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.File,
            ResourceTypes = SharedAccessAccountResourceTypes.Service,
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Protocols = SharedAccessProtocol.HttpsOnly
        };

    // Return the SAS token (a query string starting with "?", signed with the account key).
    return storageAccount.GetSharedAccessSignature(policy);
}
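As an added example (not code from the article or from the Azure Storage client library), the hypothetical helper below audits the token string returned by GetAccountSASToken against a least-privilege policy: HTTPS only, a permission allow-list, and a maximum lifetime. The sample token in Main and its signature value are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Hypothetical helper added for this article (not part of the Azure Storage client library):
// checks an account SAS token's query parameters against a policy and returns the violations.
static class AccountSasAudit
{
    public static List<string> Audit(string sasToken, string allowedPermissions, TimeSpan maxLifetime, DateTimeOffset now)
    {
        // Split "?sv=...&sp=rwl&se=...&sig=..." (the format GetSharedAccessSignature returns) into fields.
        var f = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in sasToken.TrimStart('?').Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            f[eq < 0 ? pair : pair.Substring(0, eq)] = eq < 0 ? "" : Uri.UnescapeDataString(pair.Substring(eq + 1));
        }
        var findings = new List<string>();

        // spr=https is what Protocols = SharedAccessProtocol.HttpsOnly produces.
        if (!f.TryGetValue("spr", out string spr) || spr != "https")
            findings.Add("spr: token is not restricted to HTTPS");

        // sp carries the permission letters (r, w, l, d, ...); flag anything beyond the allowed set.
        if (!f.TryGetValue("sp", out string sp))
            findings.Add("sp: no permissions field present");
        else
            foreach (char p in sp)
                if (allowedPermissions.IndexOf(p) < 0)
                    findings.Add($"sp: permission '{p}' is outside the allowed set '{allowedPermissions}'");

        // se is the expiry in ISO 8601 UTC; reject expired tokens and tokens that live longer than policy allows.
        if (!f.TryGetValue("se", out string se) ||
            !DateTimeOffset.TryParse(se, CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out DateTimeOffset expiry))
            findings.Add("se: expiry missing or unparseable");
        else if (expiry <= now)
            findings.Add($"se: token expired at {expiry:u}");
        else if (expiry - now > maxLifetime)
            findings.Add($"se: lifetime of {(expiry - now).TotalHours:F0} h exceeds the maximum of {maxLifetime.TotalHours:F0} h");
        return findings;
    }

    static void Main()
    {
        // Constructed sample token in the format GetSharedAccessSignature returns; the signature is a placeholder.
        string token = "?sv=2019-12-12&ss=bf&srt=s&sp=rwl&se=2030-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER-SIGNATURE";
        foreach (string finding in Audit(token, "rl", TimeSpan.FromHours(24), DateTimeOffset.UtcNow))
            Console.WriteLine(finding);
    }
}
```

Run the audit on tokens before handing them to clients, or over tokens found in logs and configuration, so a write permission or a multi-year expiry is caught before it is used.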

Use an account SAS from a client

To use the account SAS to access service-level APIs for the Blob service, construct a Blob service client object using the SAS and the Blob storage endpoint for your storage account. Remember to replace placeholder values in angle brackets with your own values:

// Namespaces assumed for the Microsoft.Azure.Storage (v11) client library package.
using System;
using Microsoft.Azure.Storage;
using Microsoft.Azure.Storage.Auth;
using Microsoft.Azure.Storage.Blob;
using Microsoft.Azure.Storage.Shared.Protocol;

static void UseAccountSAS(string sasToken)
{
    // Create new storage credentials using the SAS token.
    StorageCredentials accountSAS = new StorageCredentials(sasToken);
    // Use these credentials and the account name to create a Blob service client.
    // The endpoint suffix is a string; the original snippet omitted the quotes.
    CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, "<storage-account>", endpointSuffix: "core.chinacloudapi.cn", useHttps: true);
    CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();

    // Now set the service properties for the Blob client created with the SAS.
    blobClientWithSAS.SetServiceProperties(new ServiceProperties()
    {
        HourMetrics = new MetricsProperties()
        {
            MetricsLevel = MetricsLevel.ServiceAndApi,
            RetentionDays = 7,
            Version = "1.0"
        },
        MinuteMetrics = new MetricsProperties()
        {
            MetricsLevel = MetricsLevel.ServiceAndApi,
            RetentionDays = 7,
            Version = "1.0"
        },
        Logging = new LoggingProperties()
        {
            LoggingOperations = LoggingOperations.All,
            RetentionDays = 14,
            Version = "1.0"
        }
    });

    // The permissions granted by the account SAS also permit you to retrieve service properties.
    ServiceProperties serviceProperties = blobClientWithSAS.GetServiceProperties();
    Console.WriteLine(serviceProperties.HourMetrics.MetricsLevel);
    Console.WriteLine(serviceProperties.HourMetrics.RetentionDays);
    Console.WriteLine(serviceProperties.HourMetrics.Version);
}

Next steps