使用 PowerShell 为 blob 和队列数据访问分配 Azure 角色Use PowerShell to assign an Azure role for access to blob and queue data

Azure Active Directory (Azure AD) 通过 Azure 基于角色的访问控制 (Azure RBAC) 授权访问受保护的资源。Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure 存储定义了一组 Azure 内置角色,它们包含用于访问容器或队列的通用权限集。Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access containers or queues.

将 Azure 角色分配到 Azure AD 安全主体后,Azure 会向该安全主体授予对这些资源的访问权限。When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. 可以将访问权限限定于订阅、资源组、存储帐户、单个容器或队列级别。Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. Azure AD 安全主体可以是用户、组、应用程序服务主体,也可以是 Azure 资源的托管标识An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

本文介绍如何使用 Azure PowerShell 列出 Azure 内置角色并将其分配给用户。This article describes how to use Azure PowerShell to list Azure built-in roles and assign them to users. 有关使用 Azure PowerShell 的详细信息,请参阅 Azure PowerShell 概述For more information about using Azure PowerShell, see Overview of Azure PowerShell.

备注

本文已经过更新,以便使用 Azure Az PowerShell 模块。This article has been updated to use the Azure Az PowerShell module. 若要与 Azure 交互,建议使用的 PowerShell 模块是 Az PowerShell 模块。The Az PowerShell module is the recommended PowerShell module for interacting with Azure. 若要开始使用 Az PowerShell 模块,请参阅安装 Azure PowerShellTo get started with the Az PowerShell module, see Install Azure PowerShell. 若要了解如何迁移到 Az PowerShell 模块,请参阅 将 Azure PowerShell 从 AzureRM 迁移到 AzTo learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Blob 和队列的 Azure 角色Azure roles for blobs and queues

Azure 提供了以下 Azure 内置角色,用于使用 Azure AD 和 OAuth 授予对 Blob 和队列数据的访问权限:Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:

只有为数据访问明确定义的角色才允许安全主体访问 Blob 或队列数据。Only roles explicitly defined for data access permit a security principal to access blob or queue data. 内置角色(例如“所有者”、“参与者”和“存储帐户参与者”)允许安全主体管理存储帐户,但不通过 Azure AD 提供对该帐户内的 blob 或队列数据的访问权限 。Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD. 但是,如果角色包括 Microsoft.Storage/storageAccounts/listKeys/action,则获得了该角色的用户可以使用帐户访问密钥通过共享密钥授权来访问存储帐户中的数据。However, if a role includes the Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. 有关详细信息,请参阅使用 Azure 门户访问 Blob 或队列数据For more information, see Use the Azure portal to access blob or queue data.

要详细了解数据服务和管理服务的 Azure 存储的 Azure 内置角色,请参阅 Azure RBAC 的 Azure 内置角色的“存储”部分。For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. 此外,若要了解 Azure 中提供权限的不同类型的角色,请参阅经典订阅管理员角色、Azure 角色和 Azure AD 角色Additionally, for information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure roles, and Azure AD roles.

重要

Azure 角色分配最多需要 30 分钟时间来进行传播。Azure role assignments may take up to 30 minutes to propagate.

确定资源范围Determine resource scope

向安全主体分配 Azure 角色之前,请确定安全主体应具有的访问权限的范围。Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. 最佳做法规定,始终最好只授予最小的可能范围。Best practices dictate that it's always best to grant only the narrowest possible scope. 在较广范围内中定义的 Azure RBAC 角色由其下的资源继承。Azure RBAC roles defined at a broader scope are inherited by the resources beneath them.

以下列表描述可以限定 Azure blob 和队列资源访问权限范围的等级,从最窄的范围开始:The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:

  • 单个容器。An individual container. 在此范围内,角色分配将应用于容器中的所有 blob,以及容器属性和元数据。At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
  • 单个队列。An individual queue. 在此范围内,角色分配将应用于队列中的消息,以及队列属性和元数据。At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
  • 存储帐户。The storage account. 在此范围内,角色分配将应用于所有容器及其 blob,或者所有队列及其消息。At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
  • 资源组。The resource group. 在此范围内,角色分配适用于资源组中所有存储帐户内的所有容器或队列。At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
  • 订阅。The subscription. 在此范围内,角色分配适用于订阅中所有资源组内的所有存储帐户中的所有容器或队列。At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.

有关 Azure 角色分配和范围的详细信息,请参阅什么是 Azure 基于角色的访问控制 (Azure RBAC)?For more information about Azure role assignments and scope, see What is Azure role-based access control (Azure RBAC)?.

列出可用的 Azure 角色List available Azure roles

若要使用 Azure PowerShell 列出可用的 Azure 内置角色,请使用 Get-AzRoleDefinition 命令:To list available Azure built-in roles with Azure PowerShell, use the Get-AzRoleDefinition command:

Get-AzRoleDefinition | FT Name, Description

会看到列出了内置的 Azure 存储数据角色以及 Azure 的其他内置角色:You'll see the built-in Azure Storage data roles listed, together with other built-in roles for Azure:

Storage Blob Data Contributor             Allows for read, write and delete access to Azure Storage blob containers and data
Storage Blob Data Owner                   Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.
Storage Blob Data Reader                  Allows for read access to Azure Storage blob containers and data
Storage Queue Data Contributor            Allows for read, write, and delete access to Azure Storage queues and queue messages
Storage Queue Data Message Processor      Allows for peek, receive, and delete access to Azure Storage queue messages
Storage Queue Data Message Sender         Allows for sending of Azure Storage queue messages
Storage Queue Data Reader                 Allows for read access to Azure Storage queues and queue messages

向安全主体分配 Azure 角色Assign an Azure role to a security principal

若要将 Azure 角色分配给安全主体,请使用 New-AzRoleAssignment 命令。To assign an Azure role to a security principal, use the New-AzRoleAssignment command. 命令的格式因分配范围而异。The format of the command can differ based on the scope of the assignment. 为了运行此命令,需要在相应的范围内分配“所有者”和“参与者”角色。In order to run the command, you need to have Owner or Contributor role assigned at the corresponding scope. 以下示例显示如何在各种范围内为用户分配角色,但可以使用相同的命令将角色分配给任何安全主体。The following examples show how to assign a role to a user at various scopes, but you can use the same command to assign a role to any security principal.

重要

创建 Azure 存储帐户时,系统不会自动向你分配通过 Azure AD 访问数据的权限。When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. 必须为自己显式分配一个 Azure RBAC 角色以进行数据访问。You must explicitly assign yourself an Azure RBAC role for data access. 可以在订阅、资源组、存储帐户、容器或队列级别分配它。You can assign it at the level of your subscription, resource group, storage account, or container or queue.

如果存储帐户被 Azure 资源管理器只读锁锁定,那么该锁将阻止将范围限定为存储帐户或数据容器(blob 容器或队列)的 Azure RBAC 角色分配。If the storage account is locked with an Azure Resource Manager read-only lock, then the lock prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).

容器范围Container scope

若要分配容器范围的角色,请为 --scope 参数指定一个包含容器范围的字符串。To assign a role scoped to a container, specify a string containing the scope of the container for the --scope parameter. 容器的范围采用以下格式:The scope for a container is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container-name>

以下示例为用户分配 存储 Blob 数据参与者 角色,其范围为名为 sample-container 的容器。The following example assigns the Storage Blob Data Contributor role to a user, scoped to a container named sample-container. 请务必将括号中的示例值和占位符值替换为你自己的值:Make sure to replace the sample values and the placeholder values in brackets with your own values:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Blob Data Contributor" `
    -Scope  "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/sample-container"

队列范围Queue scope

若要分配队列范围的角色,请为 --scope 参数指定一个包含队列范围的字符串。To assign a role scoped to a queue, specify a string containing the scope of the queue for the --scope parameter. 队列的范围采用以下格式:The scope for a queue is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/<queue-name>

以下示例为用户分配 存储队列数据参与者 角色,其范围为名为 sample-queue 的队列。The following example assigns the Storage Queue Data Contributor role to a user, scoped to a queue named sample-queue. 请务必将括号中的示例值和占位符值替换为你自己的值:Make sure to replace the sample values and the placeholder values in brackets with your own values:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Queue Data Contributor" `
    -Scope  "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/sample-queue"

存储帐户范围Storage account scope

若要分配存储帐户范围的角色,请为 --scope 参数指定存储帐户资源的范围。To assign a role scoped to the storage account, specify the scope of the storage account resource for the --scope parameter. 存储帐户的范围采用以下格式:The scope for a storage account is in the form:

/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>

以下示例演示如何将“存储 Blob 数据读取者”角色的范围限定为存储帐户级别的用户 。The following example shows how to scope the Storage Blob Data Reader role to a user at the level of the storage account. 请务必将示例值替换为你自己的值:Make sure to replace the sample values with your own values:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope  "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>"

资源组范围Resource group scope

若要分配资源组范围的角色,请为 --resource-group 参数指定资源组名称或 ID。To assign a role scoped to the resource group, specify the resource group name or ID for the --resource-group parameter. 以下示例在资源组级别向用户分配“存储队列数据读取者”角色 。The following example assigns the Storage Queue Data Reader role to a user at the level of the resource group. 请务必将括号中的示例值和占位符值替换为你自己的值:Make sure to replace the sample values and placeholder values in brackets with your own values:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Queue Data Reader" `
    -ResourceGroupName "sample-resource-group"

订阅范围Subscription scope

若要分配订阅范围的角色,请为 --scope 参数指定订阅的范围。To assign a role scoped to the subscription, specify the scope for the subscription for the --scope parameter. 订阅的范围采用以下格式:The scope for a subscription is in the form:

/subscriptions/<subscription>

以下示例演示如何在存储帐户级别向用户分配“存储 Blob 数据读取者”角色 。The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the storage account. 请务必将示例值替换为你自己的值:Make sure to replace the sample values with your own values:

New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope  "/subscriptions/<subscription>"

后续步骤Next steps