Configure Azure Storage connection strings

A connection string includes the authorization information required for your application to access data in an Azure Storage account at runtime using Shared Key authorization. You can configure connection strings to:

  • Connect to the Azurite storage emulator.
  • Access a storage account in Azure.
  • Access specified resources in Azure via a shared access signature (SAS).

To learn how to view your account access keys and copy a connection string, see Manage storage account access keys.

Protect your access keys

Your storage account access keys are similar to a root password for your storage account. Always be careful to protect your access keys. Use Azure Key Vault to manage and rotate your keys securely. Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.

Note

Azure recommends using Azure Active Directory (Azure AD) to authorize requests against blob and queue data if possible, instead of Shared Key. Azure AD provides superior security and ease of use over Shared Key. For more information about authorizing access to data with Azure AD, see Authorize access to Azure blobs and queues using Azure Active Directory.

Store a connection string

Your application needs to access the connection string at runtime to authorize requests made to Azure Storage. You have several options for storing your connection string:

  • You can store your connection string in an environment variable.
  • An application running on the desktop or on a device can store the connection string in an app.config or web.config file. Add the connection string to the AppSettings section in these files.
  • An application running in an Azure cloud service can store the connection string in the Azure service configuration schema (.cscfg) file. Add the connection string to the ConfigurationSettings section of the service configuration file.

Storing your connection string in a configuration file makes it easy to update the connection string to switch between the Azurite storage emulator and an Azure storage account in the cloud. You only need to edit the connection string to point to your target environment.

You can use the Microsoft Azure Configuration Manager to access your connection string at runtime regardless of where your application is running.

Configure a connection string for Azurite

Azurite supports a single fixed account and a well-known authentication key for Shared Key authentication. This account and key are the only Shared Key credentials permitted for use with Azurite. They are:

Account name: devstoreaccount1
Account key: Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==

Note

The authentication key supported by Azurite is intended only for testing the functionality of your client authentication code. It does not serve any security purpose. You cannot use your production storage account and key with Azurite. You should not use the development account with production data.

Azurite supports connection via HTTP only. However, HTTPS is the recommended protocol for accessing resources in a production Azure storage account.

Connect to the emulator account using a shortcut

The easiest way to connect to Azurite from your application is to configure a connection string in your application's configuration file that references the shortcut UseDevelopmentStorage=true. Here's an example of a connection string to Azurite in an app.config file:

<appSettings>
  <add key="StorageConnectionString" value="UseDevelopmentStorage=true" />
</appSettings>

Connect to the emulator account using the well-known account name and key

To create a connection string that references the emulator account name and key, you must specify the endpoints for each of the services you wish to use from the emulator in the connection string. This is necessary so that the connection string will reference the emulator endpoints, which are different than those for a production storage account. For example, the value of your connection string will look like this:

DefaultEndpointsProtocol=http;AccountName=devstoreaccount1;
AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==;
EndpointSuffix=core.chinacloudapi.cn;
BlobEndpoint=http://127.0.0.1:10000/devstoreaccount1;
QueueEndpoint=http://127.0.0.1:10001/devstoreaccount1;

This value is identical to the shortcut shown above, UseDevelopmentStorage=true.

For more information about Azurite, see Use the Azurite emulator for local Azure Storage development.

Configure a connection string for an Azure storage account

To create a connection string for your Azure storage account, use the following format. Indicate whether you want to connect to the storage account through HTTPS (recommended) or HTTP, replace myAccountName with the name of your storage account, and replace myAccountKey with your account access key:

DefaultEndpointsProtocol=[http|https];AccountName=myAccountName;AccountKey=myAccountKey;EndpointSuffix=core.chinacloudapi.cn

For example, your connection string might look similar to:

DefaultEndpointsProtocol=https;AccountName=storagesample;AccountKey=<account-key>;EndpointSuffix=core.chinacloudapi.cn

Although Azure Storage supports both HTTP and HTTPS in a connection string, HTTPS is highly recommended.

Tip

You can find your storage account's connection strings in the Azure portal. Navigate to SETTINGS > Access keys in your storage account's menu blade to see connection strings for both primary and secondary access keys.

Create a connection string using a shared access signature

If you possess a shared access signature (SAS) URL that grants you access to resources in a storage account, you can use the SAS in a connection string. Because the SAS contains the information required to authenticate the request, a connection string with a SAS provides the protocol, the service endpoint, and the necessary credentials to access the resource.

To create a connection string that includes a shared access signature, specify the string in the following format:

BlobEndpoint=myBlobEndpoint;
QueueEndpoint=myQueueEndpoint;
TableEndpoint=myTableEndpoint;
FileEndpoint=myFileEndpoint;
SharedAccessSignature=sasToken

Each service endpoint is optional, although the connection string must contain at least one.

Note

Using HTTPS with a SAS is recommended as a best practice.

If you are specifying a SAS in a connection string in a configuration file, you may need to encode special characters in the URL.

Service SAS example

Here's an example of a connection string that includes a service SAS for Blob storage:

BlobEndpoint=https://storagesample.blob.core.chinacloudapi.cn;
SharedAccessSignature=sv=2015-04-05&sr=b&si=tutorial-policy-635959936145100803&sig=9aCzs76n0E7y5BpEi2GvsSv433BZa22leDOZXX%2BXXIU%3D

And here's an example of the same connection string with encoding of special characters:

BlobEndpoint=https://storagesample.blob.core.chinacloudapi.cn;
SharedAccessSignature=sv=2015-04-05&amp;sr=b&amp;si=tutorial-policy-635959936145100803&amp;sig=9aCzs76n0E7y5BpEi2GvsSv433BZa22leDOZXX%2BXXIU%3D

Account SAS example

Here's an example of a connection string that includes an account SAS for Blob and File storage. Note that endpoints for both services are specified:

BlobEndpoint=https://storagesample.blob.core.chinacloudapi.cn;
FileEndpoint=https://storagesample.file.core.chinacloudapi.cn;
SharedAccessSignature=sv=2015-07-08&sig=iCvQmdZngZNW%2F4vw43j6%2BVz6fndHF5LI639QJba4r8o%3D&spr=https&st=2016-04-12T03%3A24%3A31Z&se=2016-04-13T03%3A29%3A31Z&srt=s&ss=bf&sp=rwl

And here's an example of the same connection string with URL encoding:

BlobEndpoint=https://storagesample.blob.core.chinacloudapi.cn;
FileEndpoint=https://storagesample.file.core.chinacloudapi.cn;
SharedAccessSignature=sv=2015-07-08&amp;sig=iCvQmdZngZNW%2F4vw43j6%2BVz6fndHF5LI639QJba4r8o%3D&amp;spr=https&amp;st=2016-04-12T03%3A24%3A31Z&amp;se=2016-04-13T03%3A29%3A31Z&amp;srt=s&amp;ss=bf&amp;sp=rwl
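
Before a SAS connection string goes into a configuration file, it is worth checking what it actually grants. The following is an added example, not code from the original page: it parses the page's two sample strings, in plain or XML-encoded form, and reports endpoints, protocol restriction, permissions and expiry. The function names `parse_connection_string` and `inspect_sas` are hypothetical, and the expiry parser assumes the full UTC timestamp form shown above.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs
from xml.sax.saxutils import unescape


def parse_connection_string(conn: str) -> dict:
    """Split on ';', then on the first '=' only: SAS tokens contain '=' themselves."""
    parts = (p.strip() for p in conn.split(";"))
    return dict(p.split("=", 1) for p in parts if "=" in p)


def inspect_sas(conn: str, now: datetime) -> dict:
    """Summarise what a SAS connection string grants; the signature is not returned."""
    # Undo XML escaping first: the ';' in '&amp;' would otherwise be read as a
    # setting separator and cut the token short.
    settings = parse_connection_string(unescape(conn))
    sas = {k: v[0] for k, v in parse_qs(settings["SharedAccessSignature"]).items()}
    expiry = None
    if "se" in sas:  # assumption: full UTC form, YYYY-MM-DDThh:mm:ssZ
        expiry = datetime.strptime(sas["se"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
    endpoints = {k: v for k, v in settings.items() if k.endswith("Endpoint")}
    return {
        "endpoints": sorted(endpoints),
        "endpoints_https": all(v.startswith("https://") for v in endpoints.values()),
        "sas_https_only": sas.get("spr") == "https",  # absent spr also permits HTTP
        "services": sas.get("ss"),
        "permissions": sas.get("sp"),      # None when a stored access policy supplies them
        "stored_policy": sas.get("si"),
        "expires": expiry,
        "expired": expiry is not None and now >= expiry,
    }


# The page's sample strings (sample signatures); the first is the XML-encoded form.
ACCOUNT_SAS = (
    "BlobEndpoint=https://storagesample.blob.core.chinacloudapi.cn;"
    "FileEndpoint=https://storagesample.file.core.chinacloudapi.cn;"
    "SharedAccessSignature=sv=2015-07-08&amp;sig=iCvQmdZngZNW%2F4vw43j6%2BVz6fndHF5LI639QJba4r8o%3D"
    "&amp;spr=https&amp;st=2016-04-12T03%3A24%3A31Z&amp;se=2016-04-13T03%3A29%3A31Z"
    "&amp;srt=s&amp;ss=bf&amp;sp=rwl"
)
SERVICE_SAS = (
    "BlobEndpoint=https://storagesample.blob.core.chinacloudapi.cn;"
    "SharedAccessSignature=sv=2015-04-05&sr=b&si=tutorial-policy-635959936145100803"
    "&sig=9aCzs76n0E7y5BpEi2GvsSv433BZa22leDOZXX%2BXXIU%3D"
)

if __name__ == "__main__":
    print(inspect_sas(ACCOUNT_SAS, datetime.now(timezone.utc)))
```

For the service SAS sample, the report shows no `spr` restriction and no expiry in the token itself, because both are left to the stored access policy named in `si`.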

Create a connection string for an explicit storage endpoint

You can specify explicit service endpoints in your connection string instead of using the default endpoints. To create a connection string that specifies an explicit endpoint, specify the complete service endpoint for each service, including the protocol specification (HTTPS (recommended) or HTTP), in the following format:

DefaultEndpointsProtocol=[http|https];
BlobEndpoint=myBlobEndpoint;
FileEndpoint=myFileEndpoint;
QueueEndpoint=myQueueEndpoint;
TableEndpoint=myTableEndpoint;
AccountName=myAccountName;
AccountKey=myAccountKey

One scenario where you might wish to specify an explicit endpoint is when you've mapped your Blob storage endpoint to a custom domain. In that case, you can specify your custom endpoint for Blob storage in your connection string. You can optionally specify the default endpoints for the other services if your application uses them.

Here is an example of a connection string that specifies an explicit endpoint for the Blob service:

# Blob endpoint only
DefaultEndpointsProtocol=https;
BlobEndpoint=http://www.mydomain.com;
AccountName=storagesample;
AccountKey=<account-key>

This example specifies explicit endpoints for all services, including a custom domain for the Blob service:

# All service endpoints
DefaultEndpointsProtocol=https;
BlobEndpoint=http://www.mydomain.com;
FileEndpoint=https://myaccount.file.core.chinacloudapi.cn;
QueueEndpoint=https://myaccount.queue.core.chinacloudapi.cn;
TableEndpoint=https://myaccount.table.core.chinacloudapi.cn;
AccountName=storagesample;
AccountKey=<account-key>

The endpoint values in a connection string are used to construct the request URIs to the storage services, and dictate the form of any URIs that are returned to your code.

If you've mapped a storage endpoint to a custom domain and omit that endpoint from a connection string, then you will not be able to use that connection string to access data in that service from your code.

For more information about configuring a custom domain for Azure Storage, see Map a custom domain to an Azure Blob Storage endpoint.

Important

Service endpoint values in your connection strings must be well-formed URIs, including https:// (recommended) or http://.
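
The recommendations above (HTTPS, well-formed endpoint URIs, emulator credentials kept out of production, keys not left in plain text) can be checked mechanically before a configuration file is deployed. The following is an added example, not code from the original page or from any Azure SDK; the `audit` function and its finding labels are hypothetical.

```python
from urllib.parse import urlsplit

AZURITE_ACCOUNT = "devstoreaccount1"  # well-known emulator account named on the page
LOOPBACK = ("127.0.0.1", "localhost")


def parse_connection_string(conn: str) -> dict:
    """Split on ';', then on the first '=' only: base64 keys end in '='."""
    parts = (p.strip() for p in conn.split(";"))
    return dict(p.split("=", 1) for p in parts if "=" in p)


def audit(conn: str, production: bool = True) -> list:
    """Return review findings for a Shared Key connection string."""
    s = parse_connection_string(conn)
    findings = []
    emulator = (s.get("UseDevelopmentStorage") == "true"
                or s.get("AccountName") == AZURITE_ACCOUNT)
    if emulator and production:
        findings.append("emulator-credentials")
    if s.get("DefaultEndpointsProtocol") == "http" and not emulator:
        findings.append("default-protocol-http")
    for name, value in s.items():
        if not name.endswith("Endpoint"):
            continue
        url = urlsplit(value)
        if url.scheme not in ("http", "https") or not url.netloc:
            findings.append(f"{name}:malformed-uri")
        elif url.scheme == "http" and url.hostname not in LOOPBACK:
            # An explicit endpoint carries its own scheme, whatever
            # DefaultEndpointsProtocol says.
            findings.append(f"{name}:cleartext-http")
    if "AccountKey" in s and not emulator:
        # Shared Key material in configuration: confirm it is stored as a secret.
        findings.append("shared-key-embedded")
    return findings


# The page's "all service endpoints" sample, with its <account-key> placeholder.
ALL_ENDPOINTS = """DefaultEndpointsProtocol=https;
BlobEndpoint=http://www.mydomain.com;
FileEndpoint=https://myaccount.file.core.chinacloudapi.cn;
QueueEndpoint=https://myaccount.queue.core.chinacloudapi.cn;
TableEndpoint=https://myaccount.table.core.chinacloudapi.cn;
AccountName=storagesample;
AccountKey=<account-key>"""

if __name__ == "__main__":
    print(audit(ALL_ENDPOINTS))
```

Run against the page's sample, the check reports the custom-domain Blob endpoint as cleartext HTTP even though `DefaultEndpointsProtocol` is `https`.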

Create a connection string with an endpoint suffix

To create a connection string for a storage service in regions or instances with different endpoint suffixes, such as for Azure China 21Vianet or Azure Government, use the following connection string format. Indicate whether you want to connect to the storage account through HTTPS (recommended) or HTTP, replace myAccountName with the name of your storage account, replace myAccountKey with your account access key, and replace mySuffix with the URI suffix:

DefaultEndpointsProtocol=[http|https];
AccountName=myAccountName;
AccountKey=myAccountKey;
EndpointSuffix=mySuffix;

Here's an example connection string for storage services in Azure China 21Vianet:

DefaultEndpointsProtocol=https;
AccountName=storagesample;
AccountKey=<account-key>;
EndpointSuffix=core.chinacloudapi.cn;

Parsing a connection string

The Microsoft Azure Configuration Manager Library for .NET provides a class for parsing a connection string from a configuration file. The CloudConfigurationManager class parses configuration settings. It parses settings for client applications that run on the desktop, on a mobile device, in an Azure virtual machine, or in an Azure cloud service.

To reference the CloudConfigurationManager package, add the following using directives:

using Microsoft.Azure; //Namespace for CloudConfigurationManager
using Microsoft.Azure.Storage;

Here's an example that shows how to retrieve a connection string from a configuration file:

// Parse the connection string and return a reference to the storage account.
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(
    CloudConfigurationManager.GetSetting("StorageConnectionString"));

Using the Azure Configuration Manager is optional. You can also use an API such as the .NET Framework's ConfigurationManager Class.

Next steps