Authorize access to blobs and queues using Azure Active Directory

Azure Storage supports using Azure Active Directory (Azure AD) to authorize requests to Blob and Queue storage. With Azure AD, you use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, a group, or an application service principal. Azure AD authenticates the security principal and returns an OAuth 2.0 token, and that token is then used to authorize a request against Blob or Queue storage.

Authorizing requests against Azure Storage with Azure AD provides better security and ease of use than Shared Key authorization. An account key is a bearer secret that grants full access to the entire storage account, with no per-principal identity, scope or expiry; Azure recommends using Azure AD authorization with your blob and queue applications whenever possible to minimize the security risks inherent in Shared Key.

Authorization with Azure AD is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization.

Blob storage additionally supports creating shared access signatures (SAS) that are signed with Azure AD credentials (user delegation SAS). For more information, see Grant limited access to data with shared access signatures.

Authorization with Azure AD is not supported for Azure Table storage. Use Shared Key to authorize requests to Table storage.

Overview of Azure AD for blobs and queues

When a security principal (a user, group, or application) attempts to access a blob or queue resource, the request must be authorized unless the blob is in a container configured for anonymous public access. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Blob or Queue service, which uses it to authorize access to the specified resource.

The authentication step requires that an application request an OAuth 2.0 access token at runtime. If the application runs inside an Azure resource such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a managed identity to access blobs or queues, so no credential has to be stored with the application. To learn how to authorize requests made by a managed identity to the Azure Blob or Queue service, see Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure Resources.

The authorization step requires that one or more Azure roles be assigned to the security principal. Azure Storage provides Azure roles that encompass common sets of permissions for blob and queue data. The roles assigned to a security principal determine the permissions that the principal has. To learn more about assigning Azure roles for Azure Storage, see Manage access rights to storage data with RBAC.

Native applications and web applications that make requests to the Azure Blob or Queue service can also authorize access with Azure AD. To learn how to request an access token and use it to authorize requests for blob or queue data, see Authorize access to Azure Storage with Azure AD from an Azure Storage application.
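The two steps above, shown as an added example that is not part of the original article and not code from any Microsoft SDK: an Azure AD access token for storage must carry the audience https://storage.azure.com (requested from Azure AD as the scope https://storage.azure.com/.default), and it is presented to the Blob service in an Authorization: Bearer header together with an x-ms-version header of 2017-11-09 or later, the first REST version that accepts bearer tokens. The account and container names, the sample token and all helper names are constructed for illustration. The last function shows the same flow through the azure-identity and azure-storage-blob packages; it needs those packages and network access, so it is not exercised offline.

```python
import base64
import json
import time

# Audience (resource URI) an Azure AD access token must carry to be accepted by
# Blob or Queue storage; the scope requested from Azure AD is the audience
# followed by "/.default".
STORAGE_AUDIENCE = "https://storage.azure.com"
STORAGE_SCOPE = STORAGE_AUDIENCE + "/.default"

# The storage REST API accepts bearer (Azure AD) authorization only with
# service version 2017-11-09 or later, so requests must pin a version.
MIN_BEARER_API_VERSION = "2017-11-09"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token):
    """Decode the payload of a JWT without verifying it. Signature verification
    is the storage service's job; the client only inspects the claims so that
    it never sends a token minted for a different resource."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_usable_for_storage(token, now=None):
    """True if the token's audience is Azure Storage and it has not expired."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    # v1 tokens carry the bare resource URI in 'aud'; v2 tokens may add a
    # trailing slash, so normalise before comparing.
    audience_ok = str(claims.get("aud", "")).rstrip("/") == STORAGE_AUDIENCE
    return audience_ok and claims.get("exp", 0) > now


def build_list_blobs_request(account, container, token, api_version="2020-04-08", now=None):
    """Step two: attach the token to a List Blobs request as a bearer header.
    Returns the method, URL and headers a client would send."""
    if api_version < MIN_BEARER_API_VERSION:  # ISO dates compare lexically
        raise ValueError("bearer auth requires x-ms-version >= " + MIN_BEARER_API_VERSION)
    if not token_usable_for_storage(token, now):
        raise ValueError("token is expired or not issued for " + STORAGE_AUDIENCE)
    return {
        "method": "GET",
        "url": "https://%s.blob.core.windows.net/%s?restype=container&comp=list" % (account, container),
        "headers": {
            "Authorization": "Bearer " + token,
            "x-ms-version": api_version,
        },
    }


def make_sample_token(aud, exp):
    """Constructed, unsigned JWT used only to exercise the checks offline.
    A real token comes from Azure AD (managed identity, az login, MSAL, ...)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return seg({"alg": "none", "typ": "JWT"}) + "." + seg({"aud": aud, "exp": exp}) + "."


def list_blob_names_with_sdk(account, container):
    """The same two steps through the Azure SDK: DefaultAzureCredential obtains
    the token (managed identity, developer sign-in, ...) for STORAGE_SCOPE and
    the client attaches it as a bearer header on every request. Requires the
    azure-identity and azure-storage-blob packages and network access."""
    from azure.identity import DefaultAzureCredential
    from azure.storage.blob import BlobServiceClient

    service = BlobServiceClient("https://%s.blob.core.windows.net" % account,
                                credential=DefaultAzureCredential())
    return [b.name for b in service.get_container_client(container).list_blobs()]


if __name__ == "__main__":
    # Constructed sample values; swap in a real token to go online.
    token = make_sample_token(STORAGE_AUDIENCE, exp=int(time.time()) + 3600)
    print(json.dumps(build_list_blobs_request("contoso", "audit", token), indent=2))
```

The audience check is the detail most often missed in hand-rolled clients: a token acquired for Microsoft Graph or for Azure Resource Manager is a valid Azure AD token but is rejected by the storage service with 401, so failing fast on the client side saves a round trip and an ambiguous error.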

Assign Azure roles for access rights

Azure Active Directory (Azure AD) authorizes access to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of built-in Azure roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.

When an Azure role is assigned to an Azure AD security principal, Azure grants that principal the role's permissions on the resources within the assignment's scope. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Azure built-in roles for blobs and queues

Azure provides a set of built-in roles for authorizing access to blob and queue data using Azure AD and OAuth; the current list of these data roles and the permissions each grants is in the Storage section of Azure built-in roles for Azure RBAC, referenced below.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD. However, if a role includes Microsoft.Storage/storageAccounts/listKeys/action, a principal assigned that role can read the account access keys and then reach all data in the storage account via Shared Key authorization, bypassing the data-plane roles entirely. For more information, see Use the Azure portal to access blob or queue data.

For detailed information about Azure built-in roles for Azure Storage, covering both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. For information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure roles, and Azure AD roles.

Important

Azure role assignments may take up to five minutes to propagate, so a request made immediately after assigning a role can still be denied.

To learn how to assign a built-in Azure role to a security principal, see the articles on assigning Azure roles for access to blob and queue data.

For more information about how built-in roles are defined for Azure Storage, see Understand role definitions. For information about creating Azure custom roles, see Azure custom roles.

Access permissions for data operations

For details on the permissions required to call specific Blob or Queue service operations, see Permissions for calling blob and queue data operations.

Resource scope

Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. Best practice is to grant only the narrowest scope that covers what the principal actually needs.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.
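As an added example that is not from the article, the following Python builds the Azure Resource Manager scope string for each level in the list and shows how scope inheritance works: an assignment at a broader scope applies to every resource beneath it, which is why the narrowest sufficient scope should be chosen. The subscription ID, resource group, account, container and queue names are constructed; Storage Blob Data Reader and Storage Queue Data Reader are real built-in data roles that this page does not list by name.

```python
import shlex

# Azure RBAC scope is the Azure Resource Manager ID of the resource the role
# assignment is attached to. Each function returns the ID for one level in the
# list above; the data plane is addressed through the blobServices/default and
# queueServices/default child resources of the storage account.

def subscription_scope(subscription_id):
    return "/subscriptions/%s" % subscription_id


def resource_group_scope(subscription_id, resource_group):
    return subscription_scope(subscription_id) + "/resourceGroups/%s" % resource_group


def storage_account_scope(subscription_id, resource_group, account):
    return (resource_group_scope(subscription_id, resource_group)
            + "/providers/Microsoft.Storage/storageAccounts/%s" % account)


def container_scope(subscription_id, resource_group, account, container):
    return (storage_account_scope(subscription_id, resource_group, account)
            + "/blobServices/default/containers/%s" % container)


def queue_scope(subscription_id, resource_group, account, queue):
    return (storage_account_scope(subscription_id, resource_group, account)
            + "/queueServices/default/queues/%s" % queue)


def scope_covers(assignment_scope, resource_scope):
    """A role assignment applies to its own scope and everything beneath it.
    ARM IDs nest by path, so 'beneath' is a path-prefix test; the comparison
    is case-insensitive because ARM resource IDs are."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def effective_roles(assignments, resource_scope):
    """Roles that reach resource_scope, given a list of (role, scope) pairs."""
    return sorted({role for role, scope in assignments if scope_covers(scope, resource_scope)})


def role_assignment_command(role, assignee_object_id, scope, principal_type="ServicePrincipal"):
    """Azure CLI invocation that creates the assignment, as an argv list.
    Passing the object ID and principal type explicitly avoids an ambiguous
    --assignee lookup against Azure AD."""
    return ["az", "role", "assignment", "create",
            "--role", role,
            "--assignee-object-id", assignee_object_id,
            "--assignee-principal-type", principal_type,
            "--scope", scope]


if __name__ == "__main__":
    # Constructed identifiers for illustration.
    sub, rg, acct = "00000000-0000-0000-0000-000000000000", "rg-logs", "contosologs"
    audit = container_scope(sub, rg, acct, "audit")
    assignments = [
        ("Reader", storage_account_scope(sub, rg, acct)),      # lets the user browse the account in the portal
        ("Storage Blob Data Reader", audit),                    # data access at the narrowest scope
        ("Storage Queue Data Reader", queue_scope(sub, rg, acct, "events")),
    ]
    print(effective_roles(assignments, audit))  # the queue role does not reach the container
    cmd = role_assignment_command("Storage Blob Data Reader",
                                  "11111111-1111-1111-1111-111111111111", audit)
    print(" ".join(shlex.quote(arg) for arg in cmd))
```

When reviewing an environment, running effective_roles over the exported assignments for each container quickly surfaces subscription- or resource-group-scoped data roles that quietly grant access to every storage account created later in that scope.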

For more information about Azure role assignments and scope, see What is Azure role-based access control (Azure RBAC)?

Access data with an Azure AD account

Access to blob or queue data via the Azure portal, PowerShell, or Azure CLI can be authorized either with the user's Azure AD account or with the account access keys (Shared Key authorization).

Data access from the Azure portal

The Azure portal can use either your Azure AD account or the account access keys to access blob and queue data in an Azure storage account. Which authorization scheme the portal uses depends on the Azure roles assigned to you.

When you attempt to access blob or queue data, the Azure portal first checks whether you have been assigned an Azure role that includes Microsoft.Storage/storageAccounts/listKeys/action. If you have, the portal retrieves the account key and accesses blob and queue data via Shared Key authorization. If you have not, the portal attempts to access the data with your Azure AD account. This order matters for least privilege: a principal holding a management-plane role such as Contributor reaches the data through the account key, so data-plane role assignments (or their absence) do not limit that principal; to make Azure AD the only path, restrict who holds listKeys/action.
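To make the portal's decision concrete, and the warning in the built-in roles section about listKeys/action, here is an added example that is not code from the article or from Azure. It evaluates role definitions with the documented Azure RBAC wildcard semantics (an operation is permitted when some Actions pattern matches it and no NotActions pattern does; DataActions are evaluated separately from management Actions) and reports which scheme the portal would use for a given set of assigned roles. The role definitions are constructed, abbreviated approximations of the real built-in roles, kept only to the entries this decision needs; the authoritative definitions come from az role definition list.

```python
import re

LIST_KEYS_ACTION = "Microsoft.Storage/storageAccounts/listKeys/action"
BLOB_READ_DATA_ACTION = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

# Constructed, abbreviated approximations of built-in role definitions (the
# real ones carry more entries); only what the decision below needs is kept.
ROLE_DEFINITIONS = {
    "Owner": {"actions": ["*"], "notActions": [], "dataActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "dataActions": []},
    "Reader": {"actions": ["*/read"], "notActions": [], "dataActions": []},
    "Storage Account Contributor": {"actions": ["Microsoft.Storage/storageAccounts/*"],
                                    "notActions": [], "dataActions": []},
    "Storage Blob Data Reader": {
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "notActions": [],
        "dataActions": [BLOB_READ_DATA_ACTION]},
}


def _matches(pattern, operation):
    """Azure RBAC wildcard semantics: '*' matches any run of characters,
    including '/', and comparison is case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(definition, operation, data=False):
    """Permitted if some Actions pattern matches and no NotActions pattern
    does. Data-plane operations are checked against DataActions and
    NotDataActions instead; the management and data lists never cross."""
    allow = definition.get("dataActions" if data else "actions", [])
    deny = definition.get("notDataActions" if data else "notActions", [])
    return (any(_matches(p, operation) for p in allow)
            and not any(_matches(p, operation) for p in deny))


def permits(assigned_roles, operation, data=False):
    """Role assignments are additive: one permitting role is enough."""
    return any(role_permits(ROLE_DEFINITIONS[r], operation, data) for r in assigned_roles)


def portal_authorization_scheme(assigned_roles):
    """The portal's first check: if any assigned role grants listKeys, the
    portal fetches the account key and uses Shared Key; otherwise it sends the
    user's own Azure AD token and the data roles decide."""
    return "SharedKey" if permits(assigned_roles, LIST_KEYS_ACTION) else "AzureAD"


def portal_can_read_blobs(assigned_roles):
    """Whether the portal will be able to list and read blobs for this user."""
    if portal_authorization_scheme(assigned_roles) == "SharedKey":
        return True  # the account key grants everything, whatever the data roles say
    return permits(assigned_roles, BLOB_READ_DATA_ACTION, data=True)


if __name__ == "__main__":
    for roles in (["Contributor"], ["Reader"], ["Reader", "Storage Blob Data Reader"]):
        print(roles, portal_authorization_scheme(roles), portal_can_read_blobs(roles))
```

The Reader-only case is the one that surprises people: the portal falls through to Azure AD, the user can browse to the container, and then listing blobs fails because no data role is assigned. Reader plus Storage Blob Data Reader is the least-privilege combination for portal access; Contributor works too, but only because it hands the portal the account key.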

To access blob or queue data from the Azure portal using your Azure AD account, you need permissions to access blob and queue data, and you also need permissions to navigate through the storage account resources in the portal. The built-in data roles provided by Azure Storage grant access to blob and queue resources, but they do not grant permissions on the storage account resource itself. For this reason, portal access also requires an Azure Resource Manager role such as Reader, scoped to the storage account or higher. Reader is the most restricted role that suffices, but any other Azure Resource Manager role that grants access to storage account management resources is also acceptable (bearing in mind that a role including listKeys/action switches the portal to Shared Key). To learn more about how to assign permissions to users for data access in the Azure portal with an Azure AD account, see Grant access to Azure blob and queue data with RBAC in the Azure portal.

The Azure portal indicates which authorization scheme is in use when you navigate to a container or queue. For more information about data access in the portal, see Use the Azure portal to access blob or queue data.

Data access from PowerShell or Azure CLI

Azure CLI and PowerShell support signing in with Azure AD credentials. After you sign in, your session runs under those credentials, and storage data commands can be told to use them instead of the account key (for example, --auth-mode login on Azure CLI storage data commands). To learn more, see Run Azure CLI or PowerShell commands with Azure AD credentials to access blob or queue data.

Next steps