Use the Azure portal to assign an RBAC role for access to blob and queue data

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Storage defines a set of built-in RBAC roles that encompass common sets of permissions used to access blob or queue data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

This article describes how to use the Azure portal to assign RBAC roles. The Azure portal provides a simple interface for assigning RBAC roles and managing access to your storage resources. You can also assign RBAC roles for blob and queue resources using Azure command-line tools or the Azure Storage management APIs. For more information about RBAC roles for storage resources, see Authenticate access to Azure blobs and queues using Azure Active Directory.

RBAC roles for blobs and queues

Azure provides the following built-in RBAC roles for authorizing access to blob and queue data using Azure AD and OAuth:

For detailed information about built-in RBAC roles for Azure Storage, covering both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. Additionally, for information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure RBAC roles, and Azure AD roles.

Note

RBAC role assignments may take up to five minutes to propagate.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

Access to blob or queue data in the Azure portal can be authorized using either your Azure AD account or the storage account access key. For more information, see Use the Azure portal to access blob or queue data.

Determine resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. As a best practice, always grant only the narrowest possible scope.

The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.
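To make the scope levels above concrete, the following added example (not code from the article or from Azure) builds the Azure Resource Manager scope string for each level and prints the Azure CLI command that would create the assignment at that scope. The subscription ID, the principal object ID, and the resource group, account, container and queue names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: build the Azure Resource Manager
# scope string for each level at which a blob or queue data role can be
# assigned, then print the Azure CLI command that creates the assignment.
# The subscription ID, object ID, and resource names used below are
# constructed placeholders.

# storage_scope LEVEL SUBSCRIPTION_ID RESOURCE_GROUP [ACCOUNT] [CONTAINER_OR_QUEUE]
# LEVEL is one of: subscription, resourcegroup, account, container, queue.
# Branches run from widest to narrowest; prefer the narrowest that does the job.
storage_scope() {
  level=$1
  sub=$2
  rg=$3
  account=$4
  leaf=$5
  base="/subscriptions/$sub"
  rgscope="$base/resourceGroups/$rg"
  acct="$rgscope/providers/Microsoft.Storage/storageAccounts/$account"
  case "$level" in
    subscription)  printf '%s\n' "$base" ;;
    resourcegroup) printf '%s\n' "$rgscope" ;;
    account)       printf '%s\n' "$acct" ;;
    container)     printf '%s/blobServices/default/containers/%s\n' "$acct" "$leaf" ;;
    queue)         printf '%s/queueServices/default/queues/%s\n' "$acct" "$leaf" ;;
    *) printf 'unknown scope level: %s\n' "$level" >&2; return 1 ;;
  esac
}

# assignment_command PRINCIPAL_OBJECT_ID ROLE SCOPE
# Prints (does not run) the `az role assignment create` call, so the role
# and scope can be reviewed before anything is granted.
assignment_command() {
  printf 'az role assignment create --assignee %s --role "%s" --scope %s\n' "$1" "$2" "$3"
}

SUB="00000000-0000-0000-0000-000000000000"        # constructed placeholder
PRINCIPAL="11111111-1111-1111-1111-111111111111"  # constructed placeholder object ID

# Narrowest scope: read-only blob data access to a single container.
container_scope=$(storage_scope container "$SUB" sample-rg samplestorage sample-container)
assignment_command "$PRINCIPAL" "Storage Blob Data Reader" "$container_scope"

# One level wider: the same role over every container in the account.
account_scope=$(storage_scope account "$SUB" sample-rg samplestorage)
assignment_command "$PRINCIPAL" "Storage Blob Data Reader" "$account_scope"
```

The script only prints the CLI commands; paste the one whose scope is the narrowest that still covers the principal's task. The subscription and resource group scopes are useful mainly for automation identities that need to reach many accounts.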

Assign RBAC roles using the Azure portal

After you have determined the appropriate scope for a role assignment, navigate to that resource in the Azure portal. Display the Access control (IAM) settings for the resource, and follow these instructions to manage role assignments:

  1. Assign the appropriate Azure Storage RBAC role to grant access to an Azure AD security principal.

  2. Assign the Azure Resource Manager Reader role to users who need to access containers or queues via the Azure portal using their Azure AD credentials.

The following sections describe each of these steps in more detail.

Note

As an owner of your Azure Storage account, you are not automatically assigned permissions to access data. You must explicitly assign yourself an RBAC role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or a container or queue.

You cannot assign a role scoped to a container or queue if your storage account has a hierarchical namespace enabled.

Assign a built-in RBAC role

Before you assign a role to a security principal, be sure to consider the scope of the permissions you are granting. Review the Determine resource scope section to decide the appropriate scope.

The procedure shown here assigns a role scoped to a container, but you can follow the same steps to assign a role scoped to a queue:

  1. In the Azure portal, go to your storage account and display the Overview for the account.

  2. Under Services, select Blobs.

  3. Locate the container for which you want to assign a role, and display the container's settings.

  4. Select Access control (IAM) to display access control settings for the container. Select the Role assignments tab to see the list of role assignments.

    [Screenshot showing the access control settings for the container]

  5. Click the Add role assignment button to add a new role.

  6. In the Add role assignment window, select the Azure Storage role that you want to assign. Then search to locate the security principal to which you want to assign that role.

    [Screenshot showing how to assign an RBAC role]

  7. Click Save. The identity to whom you assigned the role appears listed under that role. For example, the following image shows that the user added now has read permissions to data in the container named sample-container.

    [Screenshot showing the list of users assigned to a role]

You can follow similar steps to assign a role scoped to the storage account, resource group, or subscription.

Assign the Reader role for portal access

When you assign a built-in or custom role for Azure Storage to a security principal, you are granting permissions to that security principal to perform operations on data in your storage account. The built-in Data Reader roles provide read permissions for the data in a container or queue, while the built-in Data Contributor roles provide read, write, and delete permissions to a container or queue. Permissions are scoped to the specified resource. For example, if you assign the Storage Blob Data Contributor role to user Mary at the level of a container named sample-container, then Mary is granted read, write, and delete access to all of the blobs in that container.

However, if Mary wants to view a blob in the Azure portal, the Storage Blob Data Contributor role by itself does not provide sufficient permissions to navigate through the portal to the blob in order to view it. Additional Azure AD permissions are required to navigate through the portal and view the other resources that are visible there.

If your users need to be able to access blobs in the Azure portal, assign those users an additional RBAC role, the Reader role, at the level of the storage account or above. The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, only to account management resources.

Follow these steps to assign the Reader role so that a user can access blobs from the Azure portal. In this example, the assignment is scoped to the storage account:

  1. In the Azure portal, navigate to your storage account.
  2. Select Access control (IAM) to display the access control settings for the storage account. Select the Role assignments tab to see the list of role assignments.
  3. In the Add role assignment window, select the Reader role.
  4. From the Assign access to field, select Azure AD user, group, or service principal.
  5. Search to locate the security principal to which you want to assign the role.
  6. Save the role assignment.

Assigning the Reader role is necessary only for users who need to access blobs or queues through the Azure portal.
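The article makes two separate points about what an assignment does and does not grant: management roles such as Owner or Contributor give no data access, and a data role alone does not let a user navigate the portal without Reader at the account or above. The following added example (not code from the article or from Azure) audits a constructed list of role assignments against both questions for a target container or queue. The principals, IDs and resource names are placeholders; in practice the rows would come from `az role assignment list`.

```shell
#!/usr/bin/env bash
# Added example, not part of the article: audit a set of role assignments
# and answer the two questions the article keeps separate.
#   1. Does the principal hold a Storage *Data* role whose scope covers the
#      target container or queue? Management roles such as Owner,
#      Contributor and Storage Account Contributor do not count.
#   2. Does the principal hold a management-plane read role at the storage
#      account or above, which the portal needs to navigate to the data?
# The assignment list is constructed sample data in the shape
# "principal|role|scope"; all IDs and names are placeholders.

SUB="/subscriptions/00000000-0000-0000-0000-000000000000"
ACCT="$SUB/resourceGroups/sample-rg/providers/Microsoft.Storage/storageAccounts/samplestorage"
CONTAINER="$ACCT/blobServices/default/containers/sample-container"
OTHER_CONTAINER="$ACCT/blobServices/default/containers/other-container"
QUEUE="$ACCT/queueServices/default/queues/sample-queue"

ASSIGNMENTS="mary|Storage Blob Data Contributor|$CONTAINER
mary|Reader|$ACCT
bob|Owner|$ACCT
alice|Storage Queue Data Reader|$ACCT"

# scope_covers ASSIGNED TARGET
# RBAC inherits down the hierarchy: an assignment covers the target when the
# scopes are identical or the assigned scope is a parent path of the target.
scope_covers() {
  [ "$1" = "$2" ] && return 0
  case "$2" in "$1"/*) return 0 ;; esac
  return 1
}

# data_role_for_target ROLE TARGET
# Only the Storage Blob Data and Storage Queue Data roles grant data access,
# and each applies only to its own service.
data_role_for_target() {
  case "$1" in
    "Storage Blob Data "*)  case "$2" in *"/blobServices/"*)  return 0 ;; esac ;;
    "Storage Queue Data "*) case "$2" in *"/queueServices/"*) return 0 ;; esac ;;
  esac
  return 1
}

# management_read_role ROLE
# Reader is the least-privilege choice the article recommends for portal
# navigation; Owner and Contributor also include the account read action.
management_read_role() {
  case "$1" in Reader|Owner|Contributor) return 0 ;; esac
  return 1
}

# has_data_access PRINCIPAL TARGET_SCOPE
has_data_access() {
  while IFS='|' read -r who role scope; do
    [ "$who" = "$1" ] && data_role_for_target "$role" "$2" && scope_covers "$scope" "$2" && return 0
  done <<EOF
$ASSIGNMENTS
EOF
  return 1
}

# has_portal_navigation PRINCIPAL ACCOUNT_SCOPE
has_portal_navigation() {
  while IFS='|' read -r who role scope; do
    [ "$who" = "$1" ] && management_read_role "$role" && scope_covers "$scope" "$2" && return 0
  done <<EOF
$ASSIGNMENTS
EOF
  return 1
}

# report PRINCIPAL TARGET_SCOPE ACCOUNT_SCOPE: one summary line per principal
report() {
  data=no; nav=no
  has_data_access "$1" "$2" && data=yes
  has_portal_navigation "$1" "$3" && nav=yes
  printf '%s: data access=%s, portal navigation=%s\n' "$1" "$data" "$nav"
}

report mary  "$CONTAINER"       "$ACCT"   # yes / yes: data role on the container plus Reader
report mary  "$OTHER_CONTAINER" "$ACCT"   # no  / yes: the data role is scoped to one container only
report bob   "$CONTAINER"       "$ACCT"   # no  / yes: Owner manages the account but sees no data
report alice "$CONTAINER"       "$ACCT"   # no  / no : a queue role does not cover blobs, no Reader
report alice "$QUEUE"           "$ACCT"   # yes / no : the account-level queue role is inherited
```

The two checks deliberately use different role sets: `has_data_access` accepts only the Storage Blob Data and Storage Queue Data roles, so an Owner at the account level reports no data access, exactly the situation the note about account owners describes; `has_portal_navigation` looks for a management-plane read at the account or a parent scope, which is what the Reader assignment in the steps above supplies.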

Next steps