Authorizing access to data in Azure Storage

Each time you access data in your storage account, your client makes a request over HTTP/HTTPS to Azure Storage. Every request to a secured resource must be authorized, so that the service can ensure the client has the permissions required to access the data.

The following table describes the options that Azure Storage offers for authorizing access to resources:

| Azure artifact | Shared Key (storage account key) | Shared access signature (SAS) | Azure Active Directory (Azure AD) |
|---|---|---|---|
| Azure Blobs | Supported | Supported | Supported |
| Azure Files (SMB) | Supported | Not supported | Not supported |
| Azure Files (REST) | Supported | Supported | Not supported |
| Azure Queues | Supported | Supported | Supported |
| Azure Tables | Supported | Supported | Not supported |

Each authorization option is briefly described below:

  • Azure Active Directory (Azure AD) integration for blobs and queues. Azure AD provides role-based access control (RBAC) for controlling a client's access to resources in a storage account. For more information regarding Azure AD integration for blobs and queues, see Authorize access to Azure blobs and queues using Azure Active Directory.
  • Shared Key authorization for blobs, files, queues, and tables. A client using Shared Key passes a header with every request that is signed using the storage account access key. For more information, see Authorize with Shared Key.
  • Shared access signatures for blobs, files, queues, and tables. Shared access signatures (SAS) provide limited, delegated access to resources in a storage account. Adding constraints on the time interval for which the signature is valid, or on the permissions it grants, provides flexibility in managing access. For more information, see Using shared access signatures (SAS).
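To make the Shared Key option concrete, here is an added example (not code from the original page or from Azure's own SDKs) that builds the string-to-sign and the `Authorization: SharedKey <account>:<signature>` header for a request, and then performs the check the service performs on receipt: recompute the HMAC-SHA256 with the account key and compare in constant time. The account name, key and request are constructed sample values; it assumes the `x-ms-date` header carries the date and the request has no body (empty `Content-Length`, as required for service versions 2015-02-21 and later).

```python
import base64
import hashlib
import hmac

# Constructed sample values; a real account key is the base64 key shown in the portal.
ACCOUNT = "examplestore"
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
SAMPLE_HEADERS = {"x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT", "x-ms-version": "2020-10-02"}

# Standard headers that appear, in this order, after the verb in the string-to-sign.
STANDARD = ["Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
            "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
            "If-Unmodified-Since", "Range"]

def canonicalized_headers(headers):
    # Only x-ms-* headers take part: lowercase names, sorted, one "name:value\n" each.
    items = sorted((k.lower(), v.strip()) for k, v in headers.items()
                   if k.lower().startswith("x-ms-"))
    return "".join(f"{k}:{v}\n" for k, v in items)

def canonicalized_resource(account, path, query=None):
    # "/<account><path>" followed by each query parameter as "\nname:value", sorted by name.
    out = f"/{account}{path}"
    for k in sorted(query or {}, key=str.lower):
        out += f"\n{k.lower()}:{query[k]}"
    return out

def string_to_sign(verb, account, path, headers, query=None):
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [verb.upper()] + [lower.get(name.lower(), "") for name in STANDARD]
    return "\n".join(lines) + "\n" + canonicalized_headers(headers) \
        + canonicalized_resource(account, path, query)

def authorization_header(account, key_b64, verb, path, headers, query=None):
    # The signature is HMAC-SHA256 over the UTF-8 string-to-sign, keyed with the decoded key.
    sts = string_to_sign(verb, account, path, headers, query).encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), sts, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode()}"

def verify_authorization(account, key_b64, verb, path, headers, query=None):
    # Server-side check: recompute from the received request and compare in constant time.
    unsigned = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    expected = authorization_header(account, key_b64, verb, path, unsigned, query)
    return hmac.compare_digest(headers.get("Authorization", ""), expected)
```

Because the same account key signs every request and grants every permission, a leaked key is a full-account compromise, which is why the constrained SAS and Azure AD options above are preferred for clients.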

By default, all resources in Azure Storage are secured and are available only to the account owner. Although you can use any of the authorization strategies outlined above to grant clients access to resources in your storage account, Azure recommends using Azure AD when possible for maximum security and ease of use.

Next steps