Use PowerShell to assign an Azure role for access to blob and queue data
Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access containers or queues.
When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.
This article describes how to use Azure PowerShell to list Azure built-in roles and assign them to users. For more information about using Azure PowerShell, see Overview of Azure PowerShell.
Note
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
Azure roles for blobs and queues
Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:
- Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
- Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
- Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
- Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
- Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
- Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
- Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
- Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.
Only roles explicitly defined for data access permit a security principal to access blob or queue data. Built-in roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account via Azure AD. However, if a role includes the Microsoft.Storage/storageAccounts/listKeys/action, then a user to whom that role is assigned can access data in the storage account via Shared Key authorization with the account access keys. For more information, see Use the Azure portal to access blob or queue data.
For detailed information about Azure built-in roles for Azure Storage for both the data services and the management service, see the Storage section in Azure built-in roles for Azure RBAC. Additionally, for information about the different types of roles that provide permissions in Azure, see Classic subscription administrator roles, Azure roles, and Azure AD roles.
Important
Azure role assignments may take up to five minutes to propagate.
Determine resource scope
Before you assign an Azure role to a security principal, determine the scope of access that the security principal should have. As a best practice, always grant only the narrowest possible scope.
The following list describes the levels at which you can scope access to Azure blob and queue resources, starting with the narrowest scope:
- An individual container. At this scope, a role assignment applies to all of the blobs in the container, as well as container properties and metadata.
- An individual queue. At this scope, a role assignment applies to messages in the queue, as well as queue properties and metadata.
- The storage account. At this scope, a role assignment applies to all containers and their blobs, or to all queues and their messages.
- The resource group. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in the resource group.
- The subscription. At this scope, a role assignment applies to all of the containers or queues in all of the storage accounts in all of the resource groups in the subscription.
For more information about Azure role assignments and scope, see What is Azure role-based access control (Azure RBAC)?.
List available Azure roles
To list available Azure built-in roles with Azure PowerShell, use the Get-AzRoleDefinition command:
Get-AzRoleDefinition | FT Name, Description
You'll see the built-in Azure Storage data roles listed, together with other built-in roles for Azure:
Storage Blob Data Contributor Allows for read, write and delete access to Azure Storage blob containers and data
Storage Blob Data Owner Allows for full access to Azure Storage blob containers and data, including assigning POSIX access control.
Storage Blob Data Reader Allows for read access to Azure Storage blob containers and data
Storage Queue Data Contributor Allows for read, write, and delete access to Azure Storage queues and queue messages
Storage Queue Data Message Processor Allows for peek, receive, and delete access to Azure Storage queue messages
Storage Queue Data Message Sender Allows for sending of Azure Storage queue messages
Storage Queue Data Reader Allows for read access to Azure Storage queues and queue messages
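The listing above shows the role names and descriptions. Two things a reviewer usually wants that the plain listing does not show are (a) the exact DataActions each storage data role grants, and (b) which management-plane roles, as the section above explains, can reach the data anyway because they include Microsoft.Storage/storageAccounts/listKeys/action. The following script is an added example, not code from the original article; it assumes an authenticated Az session (Connect-AzAccount) with the Az.Resources module loaded, and the scope string in angle brackets is a placeholder to be replaced. Test-GrantsAction is a helper defined here, not an Az cmdlet.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount has
# been run and Az.Resources is available.

# 1. Show exactly what the built-in storage data roles grant on the data plane.
Get-AzRoleDefinition |
    Where-Object { $_.Name -like 'Storage Blob Data*' -or $_.Name -like 'Storage Queue Data*' } |
    Select-Object Name, @{ Name = 'DataActions'; Expression = { $_.DataActions -join "`n" } } |
    Format-Table -Wrap

# 2. Decide whether a role definition grants a given management action.
#    Azure evaluates Actions as wildcard patterns ("*", "Microsoft.Storage/*", ...)
#    and then removes anything matched by NotActions, so the test mirrors that.
function Test-GrantsAction {
    param(
        [Parameter(Mandatory)] $RoleDefinition,
        [Parameter(Mandatory)] [string] $Action
    )
    $allowed = @($RoleDefinition.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $denied  = @($RoleDefinition.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $denied)
}

# 3. Built-in roles that can read the account keys. Owner, Contributor and
#    Storage Account Contributor appear here even though they carry no DataActions.
$listKeysAction = 'Microsoft.Storage/storageAccounts/listKeys/action'
$roleDefinitions = Get-AzRoleDefinition
$keyCapableRoles = $roleDefinitions | Where-Object { Test-GrantsAction -RoleDefinition $_ -Action $listKeysAction }
$keyCapableRoles | Select-Object Name, IsCustom | Format-Table

# 4. Review one storage account: every assignment (direct or inherited from the
#    resource group or subscription) whose role can list the account keys.
#    Placeholder scope; replace the bracketed values with your own.
$accountScope = '/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>'
$keyCapableNames = @($keyCapableRoles | ForEach-Object { $_.Name })
Get-AzRoleAssignment -Scope $accountScope |
    Where-Object { $keyCapableNames -contains $_.RoleDefinitionName } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -Wrap
```

Step 4 is the check worth running periodically: a principal that holds Contributor at the subscription level never appears in the blob or queue data roles, yet it can call listKeys and use Shared Key authorization, so any review of who can reach the data has to include these management-plane assignments as well.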
Assign an Azure role to a security principal
To assign an Azure role to a security principal, use the New-AzRoleAssignment command. The format of the command can differ based on the scope of the assignment. In order to run the command, you need to have the Owner or Contributor role assigned at the corresponding scope. The following examples show how to assign a role to a user at various scopes, but you can use the same command to assign a role to any security principal.
Note
When you create an Azure Storage account, you are not automatically assigned permissions to access data via Azure AD. You must explicitly assign yourself an Azure role for Azure Storage. You can assign it at the level of your subscription, resource group, storage account, or container or queue.
Container scope
To assign a role scoped to a container, specify a string containing the scope of the container for the -Scope parameter. The scope for a container is in the form:
/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container-name>
The following example assigns the Storage Blob Data Contributor role to a user, scoped to a container named sample-container. Make sure to replace the sample values and the placeholder values in brackets with your own values:
New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Blob Data Contributor" `
    -Scope "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/sample-container"
Queue scope
To assign a role scoped to a queue, specify a string containing the scope of the queue for the -Scope parameter. The scope for a queue is in the form:
/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/<queue-name>
The following example assigns the Storage Queue Data Contributor role to a user, scoped to a queue named sample-queue. Make sure to replace the sample values and the placeholder values in brackets with your own values:
New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Queue Data Contributor" `
    -Scope "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>/queueServices/default/queues/sample-queue"
Storage account scope
To assign a role scoped to the storage account, specify the scope of the storage account resource for the -Scope parameter. The scope for a storage account is in the form:
/subscriptions/<subscription>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>
The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the storage account. Make sure to replace the sample values with your own values:
New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope "/subscriptions/<subscription>/resourceGroups/sample-resource-group/providers/Microsoft.Storage/storageAccounts/<storage-account>"
Resource group scope
To assign a role scoped to the resource group, specify the resource group name for the -ResourceGroupName parameter. The following example assigns the Storage Queue Data Reader role to a user at the level of the resource group. Make sure to replace the sample values and placeholder values in brackets with your own values:
New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Queue Data Reader" `
    -ResourceGroupName "sample-resource-group"
Subscription scope
To assign a role scoped to the subscription, specify the scope for the subscription for the -Scope parameter. The scope for a subscription is in the form:
/subscriptions/<subscription>
The following example shows how to assign the Storage Blob Data Reader role to a user at the level of the subscription. Make sure to replace the sample values with your own values:
New-AzRoleAssignment -SignInName <email> `
    -RoleDefinitionName "Storage Blob Data Reader" `
    -Scope "/subscriptions/<subscription>"
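The five scope forms above differ only in how far down the resource hierarchy the string extends, so in practice they are built from one template. The following script is an added example, not code from the original article; it ties the "Determine resource scope" section to the assignment commands. Get-StorageDataScope and Set-StorageDataRole are helper functions defined here, not Az cmdlets; the script assumes an authenticated Az session (Connect-AzAccount) whose caller is permitted to create role assignments at the chosen scope, and the bracketed values are placeholders to be replaced.

```powershell
# Added example (not from the original article). Assumes Connect-AzAccount has
# been run; Get-StorageDataScope and Set-StorageDataRole are local helpers.

# Build the scope string from the narrowest level the caller supplies, following
# the forms shown in the article: subscription, resource group, storage account,
# then either a container or a queue.
function Get-StorageDataScope {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [string] $ResourceGroupName,
        [string] $StorageAccountName,
        [string] $ContainerName,
        [string] $QueueName
    )
    if ($ContainerName -and $QueueName) {
        throw 'Specify either -ContainerName or -QueueName, not both.'
    }
    if (($ContainerName -or $QueueName) -and -not $StorageAccountName) {
        throw 'A container or queue scope requires -StorageAccountName.'
    }
    $scope = "/subscriptions/$SubscriptionId"
    if (-not $ResourceGroupName) { return $scope }
    $scope += "/resourceGroups/$ResourceGroupName"
    if (-not $StorageAccountName) { return $scope }
    $scope += "/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
    if ($ContainerName) { return "$scope/blobServices/default/containers/$ContainerName" }
    if ($QueueName)     { return "$scope/queueServices/default/queues/$QueueName" }
    return $scope
}

# Assign one of the storage data roles to a principal by object ID. Using the
# object ID rather than -SignInName works for groups, service principals and
# managed identities as well as users. The assignment is idempotent: an existing
# assignment at exactly this scope is returned instead of creating a duplicate.
function Set-StorageDataRole {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)]
        [ValidateSet('Storage Blob Data Owner', 'Storage Blob Data Contributor',
                     'Storage Blob Data Reader', 'Storage Blob Delegator',
                     'Storage Queue Data Contributor', 'Storage Queue Data Reader',
                     'Storage Queue Data Message Processor', 'Storage Queue Data Message Sender')]
        [string] $RoleDefinitionName,
        [Parameter(Mandatory)] [string] $Scope
    )
    # Get-AzRoleAssignment -Scope also returns assignments inherited from parent
    # scopes, so filter to the exact scope before deciding nothing needs doing.
    $existing = Get-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope |
        Where-Object { $_.Scope -eq $Scope }
    if ($existing) {
        Write-Verbose "Assignment already exists at $Scope"
        return $existing
    }
    New-AzRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $RoleDefinitionName -Scope $Scope
}

# Usage: grant a single user Storage Blob Data Contributor on one container only.
# Replace the bracketed placeholders with your own values.
$scope = Get-StorageDataScope -SubscriptionId '<subscription>' `
    -ResourceGroupName 'sample-resource-group' `
    -StorageAccountName '<storage-account>' `
    -ContainerName 'sample-container'

# Resolve the sign-in name to an object ID; for a service principal or managed
# identity use Get-AzADServicePrincipal instead.
$user = Get-AzADUser -UserPrincipalName '<email>'
$assignment = Set-StorageDataRole -ObjectId $user.Id `
    -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $scope

# Confirm what was written. The assignment is visible here immediately, but as
# the article notes it can take up to five minutes before data-plane requests
# authorized with an Azure AD token honor it.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $scope |
    Where-Object { $_.Scope -eq $scope } |
    Select-Object DisplayName, RoleDefinitionName, Scope
```

Keeping the scope builder separate from the assignment makes the "narrowest possible scope" rule easy to apply and review: the scope a change request asks for is computed once, and the same string is used both to create the assignment and to verify it afterwards.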
Next steps
- Add or remove Azure role assignments using the Azure PowerShell module
- Use the Azure CLI to assign an Azure role for access to blob and queue data
- Use the Azure portal to assign an Azure role for access to blob and queue data