Use Azure CLI to assign an RBAC role for access to blob and queue data

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob or queue data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

This article describes how to use Azure CLI to list built-in RBAC roles and assign them to users. For more information about using Azure CLI, see Azure Command-Line Interface (CLI).

RBAC roles for blobs and queues

Azure provides the following built-in RBAC roles for authorizing access to blob and queue data using Azure AD and OAuth:

For detailed information about built-in RBAC roles for Azure Storage for both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. Additionally, for information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles.

Note

RBAC role assignments may take up to five minutes to propagate.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

Access to blob or queue data in the Azure portal can be authorized using either your Azure AD account or the storage account access key. For more information, see Use the Azure portal to access blob or queue data.

Determine resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. As a best practice, always grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.

List available RBAC roles

To list available built-in RBAC roles with Azure CLI, use the az role definition list command:

az role definition list --out table

You'll see the built-in Azure Storage data roles listed, together with other built-in roles for Azure:

Storage Blob Data Contributor             Allows for read, write and delete access to Azure Storage blob containers and data
Storage Blob Data Owner                   Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.
Storage Blob Data Reader                  Allows for read access to Azure Storage blob containers and data
Storage Queue Data Contributor            Allows for read, write, and delete access to Azure Storage queues and queue messages
Storage Queue Data Message Processor      Allows for peek, receive, and delete access to Azure Storage queue messages
Storage Queue Data Message Sender         Allows for sending of Azure Storage queue messages
Storage Queue Data Reader                 Allows for read access to Azure Storage queues and queue messages

Assign an RBAC role to a security principal

To assign an RBAC role to a security principal, use the az role assignment create command. The format of the command can differ based on the scope of the assignment. The following examples show how to assign a role to a user at various scopes, but you can use the same command to assign a role to any security principal.

Container scope

To assign a role scoped to a container, specify a string containing the scope of the container for the --scope parameter. The scope for a container is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>

The following example assigns the Storage Blob Data Contributor role to a user, scoped to the level of the container. Make sure to replace the sample values and the placeholder values in brackets with your own values:

az role assignment create \
    --role "Storage Blob Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container>"

Queue scope

To assign a role scoped to a queue, specify a string containing the scope of the queue for the --scope parameter. The scope for a queue is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/<queue>

The following example assigns the Storage Queue Data Contributor role to a user, scoped to the level of the queue. Make sure to replace the sample values and the placeholder values in brackets with your own values:

az role assignment create \
    --role "Storage Queue Data Contributor" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/<queue>"

Storage account scope

To assign a role scoped to the storage account, specify the scope of the storage account resource for the --scope parameter. The scope for a storage account is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>

The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the storage account. Make sure to replace the sample values with your own values:

az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>"

Resource group scope

To assign a role scoped to the resource group, specify the resource group name or ID for the --resource-group parameter. The following example assigns the Storage Queue Data Reader role to a user at the level of the resource group. Make sure to replace the sample values and placeholder values in brackets with your own values:

az role assignment create \
    --role "Storage Queue Data Reader" \
    --assignee <email> \
    --resource-group <resource-group>

Subscription scope

To assign a role scoped to the subscription, specify the scope for the subscription for the --scope parameter. The scope for a subscription is in the form:

/subscriptions/<subscription>

The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the subscription. Make sure to replace the sample values with your own values:

az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee <email> \
    --scope "/subscriptions/<subscription>"
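The scope formats from the "Determine resource scope" list and the assignment commands above can be combined into one helper, shown here as an added example that is not part of the original article. It builds the --scope string for whichever level you name (the resource group level uses a full --scope path rather than --resource-group, which az accepts equivalently) and only lets through the blob and queue data roles listed on this page, so a management-plane role such as Contributor cannot be handed out by mistake; the subscription ID, resource group, account and container names in the usage comment are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original page). Scope strings follow the formats
# documented above; sample values at the bottom are constructed placeholders.

# build_scope LEVEL SUBSCRIPTION [RESOURCE_GROUP] [STORAGE_ACCOUNT] [CONTAINER_OR_QUEUE]
# Echoes the --scope string for the requested level, narrowest to widest.
build_scope() {
    level="$1"; sub="$2"; rg="$3"; acct="$4"; name="$5"
    base="/subscriptions/$sub"
    acct_path="$base/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$acct"
    case "$level" in
        subscription)     echo "$base" ;;
        resource-group)   echo "$base/resourceGroups/$rg" ;;
        storage-account)  echo "$acct_path" ;;
        container)        echo "$acct_path/blobServices/default/containers/$name" ;;
        queue)            echo "$acct_path/queueServices/default/queues/$name" ;;
        *) echo "unknown scope level: $level" >&2; return 1 ;;
    esac
}

# assign_data_role ROLE ASSIGNEE LEVEL SUBSCRIPTION [RG] [ACCOUNT] [CONTAINER_OR_QUEUE]
# Accepts only the data-plane roles listed on this page, then calls
# az role assignment create with the scope built above.
assign_data_role() {
    role="$1"; assignee="$2"; shift 2
    case "$role" in
        "Storage Blob Data Contributor"|"Storage Blob Data Owner"|"Storage Blob Data Reader"|\
        "Storage Queue Data Contributor"|"Storage Queue Data Message Processor"|\
        "Storage Queue Data Message Sender"|"Storage Queue Data Reader") ;;
        *) echo "refusing: '$role' is not a blob/queue data role" >&2; return 1 ;;
    esac
    scope=$(build_scope "$@") || return 1
    az role assignment create --role "$role" --assignee "$assignee" --scope "$scope"
}

# Usage (constructed placeholder values; replace with your own):
# assign_data_role "Storage Blob Data Reader" user@example.com container \
#     00000000-0000-0000-0000-000000000000 my-rg mystorageacct logs
```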

Next steps