Authorize access to Azure blobs and queues using Azure Active Directory

Azure Storage supports using Azure Active Directory (AD) to authorize requests to Blob and Queue storage. With Azure AD, you can use role-based access control (RBAC) to grant permissions to a security principal, which may be a user, a group, or an application service principal. Azure AD authenticates the security principal and returns an OAuth 2.0 access token. The token is then used to authorize a request to access a resource in Blob or Queue storage.

Authorizing users or applications with an OAuth 2.0 token returned by Azure AD provides better security and ease of use than Shared Key authorization and shared access signatures (SAS). With Azure AD there is no need to store the account access key with your code, so a leaked repository or configuration file no longer exposes the key that grants full control of the account. You can continue to use Shared Key authorization with your applications, but Azure AD removes the need to keep the account key in code at all. You can also continue to use SAS to grant fine-grained access to resources in your storage account, but Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS. Microsoft recommends using Azure AD authorization with your Azure Storage applications whenever possible.

Authorization with Azure AD is available for all general-purpose and Blob storage accounts in all public regions and national clouds. Only storage accounts created with the Azure Resource Manager deployment model support Azure AD authorization. Authorization with Azure AD is not supported for Azure Table storage.

Overview of Azure AD for blobs and queues

When a security principal (a user, group, or application) attempts to access a blob or queue resource, the request must be authorized unless the blob is available for anonymous access. With Azure AD, access to a resource is a two-step process. First, the security principal's identity is authenticated and an OAuth 2.0 token is returned. Next, the token is passed as part of a request to the Blob or Queue service, which uses it to authorize access to the specified resource.

The authentication step requires that an application request an OAuth 2.0 access token at runtime. If an application is running from within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Functions app, it can use a managed identity to access blobs or queues, so no credential of any kind has to be stored with the application. To learn how to authorize requests made by a managed identity to the Azure Blob or Queue service, see Authorize access to blobs and queues with Azure Active Directory and managed identities for Azure resources.

The authorization step requires that one or more RBAC roles be assigned to the security principal. Azure Storage provides RBAC roles that encompass common sets of permissions for blob and queue data. The roles assigned to a security principal determine the permissions that the principal has. To learn more about assigning RBAC roles for Azure Storage, see Manage access rights to storage data with RBAC.

Native applications and web applications that make requests to the Azure Blob or Queue service can also authorize access with Azure AD. To learn how to request an access token and use it to authorize requests for blob or queue data, see Authorize access to Azure Storage with Azure AD from an Azure Storage application.
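The two steps described above (the managed identity path and the native/web application path) look the same on the wire: a token with the Azure Storage audience is obtained, then sent as a Bearer credential. The following is an added example, not code from the original page or from the Azure SDKs. It uses only the Python standard library so both steps are visible; in production the azure-identity and azure-storage-blob packages do the same work. The account name `contosostorage`, the container `logs`, and the unsigned demo token are constructed placeholders.

```python
"""Two-step Azure AD authorization to Blob storage, shown at the HTTP level.

Added example, not code from the original page or the Azure SDKs.
Step 1: obtain an OAuth 2.0 access token whose audience is Azure Storage.
        Inside a VM, scale set or Functions app the managed identity endpoint
        (IMDS) issues it; a native or web app gets it from its own sign-in.
Step 2: send the token as a Bearer credential in the request to the service.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, Optional

# Resource (token audience) for Azure Storage.
STORAGE_RESOURCE = "https://storage.azure.com/"
# Instance Metadata Service endpoint used by managed identities.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
# Bearer authorization requires HTTPS and x-ms-version 2017-11-09 or later.
STORAGE_API_VERSION = "2019-02-02"


def imds_token_request() -> urllib.request.Request:
    """Step 1 for a managed identity: the IMDS token request."""
    query = urllib.parse.urlencode(
        {"api-version": "2018-02-01", "resource": STORAGE_RESOURCE})
    return urllib.request.Request(
        f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"}, method="GET")


def fetch_managed_identity_token() -> str:
    """Call IMDS. Only works on an Azure host that has a managed identity."""
    with urllib.request.urlopen(imds_token_request(), timeout=5) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload without verifying the signature.

    The storage service verifies the signature; this is only a local
    sanity check before the token is sent anywhere.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(token: str, now: Optional[float] = None) -> bool:
    """Reject tokens issued for another audience or already expired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    aud = str(claims.get("aud", "")).rstrip("/")
    return aud == STORAGE_RESOURCE.rstrip("/") and claims.get("exp", 0) > now


def bearer_headers(token: str) -> Dict[str, str]:
    """Step 2: the headers that carry the OAuth token to the Blob service."""
    return {"Authorization": f"Bearer {token}",
            "x-ms-version": STORAGE_API_VERSION}


def list_blobs_url(account: str, container: str) -> str:
    """List Blobs operation URL; must be HTTPS for Bearer authorization."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")


def list_blobs_request(account: str, container: str, token: str) -> urllib.request.Request:
    """Build the authorized request, refusing a token that cannot work."""
    if not token_is_usable(token):
        raise ValueError("access token is not valid for Azure Storage")
    return urllib.request.Request(
        list_blobs_url(account, container), headers=bearer_headers(token), method="GET")


def make_demo_token(aud: str, exp: int) -> str:
    """Constructed, unsigned JWT for the offline demonstration only."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64({'aud': aud, 'exp': exp})}."


if __name__ == "__main__":
    # On an Azure host: token = fetch_managed_identity_token()
    token = make_demo_token(STORAGE_RESOURCE, int(time.time()) + 3600)
    req = list_blobs_request("contosostorage", "logs", token)
    print(req.full_url)
    print(dict(req.header_items()))
    # Sending it would be: urllib.request.urlopen(req).read()
```

The local audience check is the failure mode most often seen in practice: a token minted for another resource (for example Microsoft Graph) is well formed and signed, but the Blob service rejects it with 401, so checking `aud` before sending saves a confusing round trip. Azure Storage also accepts tokens whose audience is the account-specific endpoint (for example `https://contosostorage.blob.core.windows.net`); adapt `token_is_usable` if your token issuer uses that form.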

Assigning RBAC roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob and queue data. You can also define custom roles for access to blob and queue data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants that principal access to the resources covered by the assignment. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Built-in RBAC roles for blobs and queues

Azure provides the following built-in RBAC roles for authorizing access to blob and queue data using Azure AD and OAuth:

Note

Keep in mind that RBAC role assignments may take up to five minutes to propagate. During that window a request made with a valid token can still fail with 403 Forbidden even though the assignment is already visible in the portal; retry after a short delay rather than widening the assignment.

To learn how to assign a built-in RBAC role to a security principal, see one of the following articles:

For more information about how built-in roles are defined for Azure Storage, see Understand role definitions. For information about creating custom RBAC roles, see Create custom roles for Azure Role-Based Access Control.

Access permissions for data operations

For details on the permissions required to call specific Blob or Queue service operations, see Permissions for calling blob and queue data operations.

Resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. As a best practice, grant only the narrowest scope the principal actually needs: a role assigned at the subscription level reaches every storage account in every resource group, which is rarely what a single application requires.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as to the container's properties and metadata.
  • An individual queue. At this scope, a role assignment applies to the messages in the queue, as well as to the queue's properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.

Access data with an Azure AD account

Access to blob or queue data via the Azure portal, PowerShell, or Azure CLI can be authorized either with the user's Azure AD account or with the account access keys (Shared Key authorization).

Data access from the Azure portal

The Azure portal can use either your Azure AD account or the account access keys to access blob and queue data in an Azure storage account. Which authorization scheme the Azure portal uses depends on the RBAC roles that are assigned to you.

When you attempt to access blob or queue data, the Azure portal first checks whether you have been assigned an RBAC role that includes Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, the Azure portal uses the account key to access blob and queue data via Shared Key authorization. If you have not been assigned a role with this action, the Azure portal attempts to access the data with your Azure AD account. Note the consequence for access reviews: a principal holding a management-plane role that includes listkeys/action (the built-in Owner and Contributor roles do) can read and write data through the portal with no data-plane role at all, so data-plane role assignments only constrain principals who cannot list the account keys.

To access blob or queue data from the Azure portal with your Azure AD account, you need permissions to access blob and queue data, and you also need permissions to navigate through the storage account resources in the Azure portal. The built-in roles provided by Azure Storage grant access to blob and queue resources, but they do not grant permissions on the storage account resource itself. For this reason, access through the portal also requires the assignment of an Azure Resource Manager role such as the Reader role, scoped to the storage account or higher. The Reader role is the least-privileged role that satisfies this requirement, but any other Azure Resource Manager role that grants access to storage account management resources also works. To learn more about how to assign permissions to users for data access in the Azure portal with an Azure AD account, see Grant access to Azure blob and queue data with RBAC in the Azure portal.

The Azure portal indicates which authorization scheme is in use when you navigate to a container or queue. For more information about data access in the portal, see Use the Azure portal to access blob or queue data.

Data access from PowerShell or Azure CLI

Azure CLI and PowerShell support signing in with Azure AD credentials. After you sign in, your session runs under those credentials. Note that Azure CLI storage data commands use those credentials only when you pass `--auth-mode login`; otherwise they fall back to the account key. To learn more, see Run Azure CLI or PowerShell commands with Azure AD credentials to access blob or queue data.

Next steps