Using shared access signatures (SAS)

A shared access signature (SAS) gives you a way to grant limited access to objects in your storage account to other clients without exposing your account key. This article gives an overview of the SAS model, reviews SAS best practices, and looks at some examples.

For additional code examples using SAS beyond those presented here, see Getting Started with Azure Blob Storage in .NET and other samples available in the Azure Code Samples library. You can download the sample applications and run them, or browse the code on GitHub.

What is a shared access signature?

A shared access signature provides delegated access to resources in your storage account. With a SAS, you can grant clients access to resources in your storage account without sharing your account keys. This is the key point of using shared access signatures in your applications: a SAS is a secure way to share your storage resources without compromising your account keys.


Azure Storage supports authorizing access to Blob and Queue storage resources using Azure Active Directory (Azure AD). Authorizing users or applications with an OAuth 2.0 token returned by Azure AD provides better security and ease of use than Shared Key authorization and shared access signatures (SAS). With Azure AD there is no need to store the account access key alongside your code, which removes that class of credential-leak risk entirely.

Azure recommends using Azure AD with your Azure Storage applications when possible. For more information, see Authorize access to Azure blobs and queues using Azure Active Directory.


Your storage account key is similar to the root password for your storage account. Always be careful to protect your account key. Avoid distributing it to other users, hard-coding it, or saving it anywhere in plaintext that is accessible to others. Regenerate your account key using the Azure portal if you believe it may have been compromised.

SAS tokens must be protected just like the account access keys. Although a SAS can be scoped narrowly, it still grants whoever holds it access to resources in your storage account, so it should never be shared publicly. When sharing is required for troubleshooting, use a redacted version of any log files or delete the SAS tokens from them, and make sure screenshots do not contain SAS information either.
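One way to do the redaction this note asks for, as an added example (not part of the original page; standard-library Python, with the log lines constructed for the demo): blank out the `sig` parameter wherever a SAS appears. Without its signature the token is unusable, while the remaining parameters stay readable, which is usually what the troubleshooter needs.

```python
"""Strip SAS signatures from text before it is shared for troubleshooting.
Added example, not from the page; the log lines below are constructed."""
import re

# `sig` is the HMAC that makes a SAS usable. Blanking it neutralises a leaked
# token while the other parameters (sv, sr, sp, st, se, spr) stay readable for
# debugging. \b stops the pattern from matching inside other parameter names.
_SIG = re.compile(r"(?i)\bsig=[^&\s\"'<>]+")


def redact_sas(text):
    """Return `text` with every SAS signature value replaced by REDACTED."""
    return _SIG.sub("sig=REDACTED", text)


def redact_log(lines):
    """Redact a sequence of log lines; returns (clean_lines, number_of_signatures_found)."""
    clean, found = [], 0
    for line in lines:
        found += len(_SIG.findall(line))
        clean.append(redact_sas(line))
    return clean, found


if __name__ == "__main__":
    sample = [   # constructed lines: an access-log entry, a provider log entry, an unrelated line
        "GET https://myaccount.blob.core.chinacloudapi.cn/sascontainer/sasblob.txt"
        "?sv=2015-04-05&sr=b&sp=r&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D 200",
        "issued token for user 42: sv=2015-04-05&ss=bf&srt=s&sp=rw&sig=abc%2Fdef%3D",
        "health check ok",
    ]
    clean, n = redact_log(sample)
    print(f"{n} signature(s) redacted")
    for line in clean:
        print(line)
```

Run it over exported logs before attaching them to a ticket; the count it returns is a quick check that a file you believed to be clean really contained no tokens.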

For enhanced security, Azure recommends using Azure Active Directory (Azure AD) authentication for your Blob and Queue storage applications (preview) when possible. For more information, see Authenticate access to Azure blobs and queues using Azure Active Directory (preview).

A SAS gives you granular control over the type of access you grant to clients who hold the SAS, including:

  • The interval over which the SAS is valid, including the start time and the expiry time.
  • The permissions granted by the SAS. For example, a SAS for a blob might grant read and write permissions to that blob, but not delete permissions.
  • An optional IP address or range of IP addresses from which Azure Storage will accept the SAS. For example, you might specify a range of IP addresses belonging to your organization.
  • The protocol over which Azure Storage will accept the SAS. You can use this optional parameter to restrict access to clients using HTTPS.

When should you use a shared access signature?

You can use a SAS when you want to provide access to resources in your storage account to any client that does not hold your storage account's access keys. Your storage account includes both a primary and a secondary access key, each of which grants administrative access to your account and all resources within it. Exposing either key opens your account to malicious or negligent use. Shared access signatures provide a safe alternative that lets clients read, write, and delete data in your storage account according to the permissions you have explicitly granted, without needing an account key.

A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:

  1. Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy has the advantage of allowing validation of business rules, but for large amounts of data or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.


  2. A lightweight service authenticates the client as needed and then generates a SAS. Once the client receives the SAS, it can access storage account resources directly, with the permissions defined by the SAS and for the interval allowed by the SAS. The SAS removes the need to route all data through the front-end proxy service.

    Diagram: SAS provider service

Many real-world services use a hybrid of these two approaches. For example, some data might be processed and validated via the front-end proxy, while other data is saved and/or read directly using a SAS.

Additionally, in certain scenarios you must use a SAS to authorize access to the source object in a copy operation:

  • When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.
  • When you copy a file to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.
  • When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.

Types of shared access signatures

You can create two types of shared access signatures:

  • Service SAS. The service SAS delegates access to a resource in just one of the storage services: the Blob, Queue, Table, or File service. See Constructing a Service SAS and Service SAS Examples for in-depth information about constructing the service SAS token.
  • Account SAS. The account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service SAS are also available via an account SAS. Additionally, with an account SAS you can delegate access to operations that apply to a given service, such as Get/Set Service Properties and Get Service Stats. You can also delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares, which are not permitted with a service SAS. See Constructing an Account SAS for in-depth information about constructing the account SAS token.

How a shared access signature works

A shared access signature is a signed URI that points to one or more storage resources and includes a token containing a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the account key. Azure Storage uses this signature to authorize access to the storage resource.

Here's an example of a SAS URI, showing the resource URI and the SAS token:


The SAS token is a string you generate on the client side (see the SAS examples section for code examples). A SAS token you generate with the storage client library, for example, is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side.

When a client provides a SAS URI to Azure Storage as part of a request, the service checks the SAS parameters and signature to verify that the token is valid for authorizing the request. If the signature verifies and the token's constraints are satisfied, the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

Shared access signature parameters

The account SAS and service SAS tokens share some common parameters, and each also takes a few parameters that are specific to it.

Parameters common to account SAS and service SAS tokens

  • API version. An optional parameter that specifies the storage service version to use to execute the request.
  • Service version. A required parameter that specifies the storage service version to use to authorize the request.
  • Start time. This is the time at which the SAS becomes valid. The start time for a shared access signature is optional. If a start time is omitted, the SAS is effective immediately. The start time must be expressed in UTC (Coordinated Universal Time), with the UTC designator ("Z"), for example 1994-11-05T13:15:30Z.
  • Expiry time. This is the time after which the SAS is no longer valid. Best practice is to either specify an expiry time for a SAS or associate it with a stored access policy. The expiry time must be expressed in UTC (Coordinated Universal Time), with the UTC designator ("Z"), for example 1994-11-05T13:15:30Z (see more below).
  • Permissions. The permissions specified on the SAS indicate what operations the client can perform against the storage resource using the SAS. The available permissions differ for an account SAS and a service SAS.
  • IP. An optional parameter that specifies an IP address or a range of IP addresses outside of Azure (see the section Routing session configuration state for ExpressRoute) from which to accept requests.
  • Protocol. An optional parameter that specifies the protocol permitted for a request. Possible values are both HTTPS and HTTP (https,http), which is the default, or HTTPS only (https). Note that HTTP only is not a permitted value.
  • Signature. The signature is an HMAC computed with the account key over the other parameters of the token (the string-to-sign). Nothing is encrypted: the parameters remain visible in the URI, and the signature only proves that they were set by someone holding the account key and have not been altered since. Azure Storage uses it to authorize access to the specified storage resources.

Parameters for a service SAS token

  • Storage resource. Storage resources for which you can delegate access with a service SAS include:
    • Containers and blobs
    • File shares and files
    • Queues
    • Tables and ranges of table entities

Parameters for an account SAS token

  • Service or services. An account SAS can delegate access to one or more of the storage services. For example, you can create an account SAS that delegates access to the Blob and File services, or one that delegates access to all four services (Blob, Queue, Table, and File).
  • Storage resource types. An account SAS applies to one or more classes of storage resources, rather than to a specific resource. You can create an account SAS to delegate access to:
    • Service-level APIs, which are called against the storage account resource. Examples include Get/Set Service Properties, Get Service Stats, and List Containers/Queues/Tables/Shares.
    • Container-level APIs, which are called against the container objects for each service: blob containers, queues, tables, and file shares. Examples include Create/Delete Container, Create/Delete Queue, Create/Delete Table, Create/Delete Share, and List Blobs/Files and Directories.
    • Object-level APIs, which are called against blobs, queue messages, table entities, and files. Examples include Put Blob, Query Entity, Get Messages, and Create File.

Examples of SAS URIs

Service SAS URI example

Here is an example of a service SAS URI that provides read and write permissions to a blob. The table breaks down each part of the URI to show how it contributes to the SAS:

Name | SAS portion | Description
Blob URI | https://myaccount.blob.core.chinacloudapi.cn/sascontainer/sasblob.txt | The address of the blob. Using HTTPS is highly recommended.
Storage services version | sv=2015-04-05 | For storage services version 2012-02-12 and later, this parameter indicates the version to use.
Start time | st=2015-04-29T22%3A18%3A26Z | Specified in UTC. If you want the SAS to be valid immediately, omit the start time.
Expiry time | se=2015-04-30T02%3A23%3A26Z | Specified in UTC.
Resource | sr=b | The resource is a blob.
Permissions | sp=rw | The permissions granted by the SAS are Read (r) and Write (w).
IP range | sip= | The range of IP addresses from which a request will be accepted (not set in this example).
Protocol | spr=https | Only requests over HTTPS are permitted.
Signature | sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D | Used to authorize access to the blob. The signature is an HMAC-SHA256 computed over the string-to-sign with the account key, Base64-encoded, and then URL-encoded for the query string.

Account SAS URI example

Here is an example of an account SAS that uses the same common parameters on the token. Since those parameters are described above, they are not repeated here; only the parameters specific to an account SAS are described in the table below.

Name | SAS portion | Description
Resource URI | https://myaccount.blob.core.chinacloudapi.cn/?restype=service&comp=properties | The Blob service endpoint, with parameters for getting service properties (when called with GET) or setting service properties (when called with PUT).
Services | ss=bf | The SAS applies to the Blob and File services.
Resource types | srt=s | The SAS applies to service-level operations.
Permissions | sp=rw | The permissions grant access to read and write operations.

Given that permissions are restricted to the service level, the operations accessible with this SAS are Get Blob Service Properties (read) and Set Blob Service Properties (write). However, with a different resource URI, the same SAS token could also be used to delegate access to Get Blob Service Stats (read).

Controlling a SAS with a stored access policy

A shared access signature can take one of two forms:

  • Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI (or implied, in the case where the start time is omitted). This type of SAS can be created as an account SAS or a service SAS.
  • SAS with stored access policy: A stored access policy is defined on a resource container (a blob container, table, queue, or file share) and can be used to manage constraints for one or more shared access signatures. When you associate a SAS with a stored access policy, the SAS inherits the constraints defined for the stored access policy: the start time, expiry time, and permissions.


Currently, an account SAS must be an ad hoc SAS. Stored access policies are not yet supported for account SAS.

The difference between the two forms matters for one key scenario: revocation. Because a SAS URI is a URL, anyone who obtains the SAS can use it, regardless of who originally created it. If a SAS is published publicly, it can be used by anyone in the world. A SAS grants access to resources to anyone possessing it until one of four things happens:

  1. The expiry time specified on the SAS is reached.
  2. The expiry time specified on the stored access policy referenced by the SAS is reached (if a stored access policy is referenced, and if it specifies an expiry time). This can occur either because the interval elapses, or because you have modified the stored access policy to set an expiry time in the past, which is one way to revoke the SAS.
  3. The stored access policy referenced by the SAS is deleted, which is another way to revoke the SAS. Note that if you recreate the stored access policy with exactly the same name, all existing SAS tokens that reference it become valid again, with whatever permissions the recreated policy carries (assuming the expiry time on the SAS has not passed). If you intend to revoke the SAS, be sure to use a different name when you recreate the access policy with an expiry time in the future.
  4. The account key that was used to create the SAS is regenerated. Regenerating an account key invalidates every SAS signed with that key, not only the one you want to revoke, and causes all application components using that key to fail to authorize until they are updated to use either the other valid account key or the newly regenerated key.


A shared access signature URI is bound to the account key used to create the signature and to the associated stored access policy (if any). If no stored access policy is specified, the only way to revoke a shared access signature is to regenerate the account key.
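The signing and checking described under "How a shared access signature works", together with the revocation rules just above, as one added example that simulates both sides locally. This is not Azure Storage's code and never calls the service: the account key is constructed, the string-to-sign field order for version 2015-04-05 is taken from the REST reference and treated as an assumption, and stored access policies are modelled as an in-memory dictionary on a single container. The generator back-dates the start time by 15 minutes, as the best practices later on this page recommend.

```python
"""Service SAS, both sides: a SAS provider signing a token, and a local stand-in
for Azure Storage checking it. Added example; it never contacts the real service.
ACCOUNT_KEY is constructed, and the string-to-sign field order is an assumption
taken from the REST reference for version 2015-04-05.
"""
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

ACCOUNT = "myaccount"
ACCOUNT_KEY = base64.b64encode(bytes(range(32))).decode()   # constructed demo key, 32 bytes
SAS_VERSION = "2015-04-05"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
STORED_POLICIES = {}   # stored access policies on the simulated container: identifier -> constraints


def _utc(dt):
    return dt.strftime(TIME_FMT)


def _parse_utc(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def string_to_sign(params, canonical_resource):
    """Assumed field order for a 2015-04-05 blob service SAS: sp, st, se,
    canonicalizedresource, si, sip, spr, sv, rscc, rscd, rsce, rscl, rsct.
    Every constraint is covered, so editing any of them invalidates `sig`."""
    head = [params.get("sp", ""), params.get("st", ""), params.get("se", ""), canonical_resource]
    tail = [params.get(k, "") for k in ("si", "sip", "spr", "sv", "rscc", "rscd", "rsce", "rscl", "rsct")]
    return "\n".join(head + tail)


def signature(sts):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key, Base64-encoded."""
    mac = hmac.new(base64.b64decode(ACCOUNT_KEY), sts.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_blob_sas(container, blob, permissions="", lifetime_seconds=0, policy_id=None, ip=None):
    """Build a blob service SAS token. Ad hoc when policy_id is None; otherwise the
    token names a stored access policy and inherits its expiry and permissions."""
    now = datetime.now(timezone.utc)
    params = {"sv": SAS_VERSION, "sr": "b", "spr": "https"}   # HTTPS only, as the page recommends
    if policy_id:
        params["si"] = policy_id
    else:
        params["sp"] = permissions
        params["st"] = _utc(now - timedelta(minutes=15))   # back-dated start absorbs clock skew
        params["se"] = _utc(now + timedelta(seconds=lifetime_seconds))
    if ip:
        params["sip"] = ip   # single address or "first-last" range
    params["sig"] = signature(string_to_sign(params, f"/blob/{ACCOUNT}/{container}/{blob}"))
    return urlencode(params)


def check_request(token, container, blob, method, scheme="https",
                  client_ip="203.0.113.10", clock_offset=0):
    """Decide a request as the service would: (200, reason) or (403, first failing check).
    clock_offset shifts the service clock by that many seconds (used to simulate expiry)."""
    now = datetime.now(timezone.utc) + timedelta(seconds=clock_offset)
    p = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
    expected = signature(string_to_sign(p, f"/blob/{ACCOUNT}/{container}/{blob}"))
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return 403, "signature mismatch"   # wrong key, different resource, or edited parameters
    if "si" in p:
        policy = STORED_POLICIES.get(p["si"])
        if policy is None:
            return 403, "stored access policy not found"   # deleting the policy revokes the SAS
        permissions, expiry = policy["permissions"], policy["expiry"]
    else:
        permissions, expiry = p.get("sp", ""), _parse_utc(p["se"])
        if "st" in p and _parse_utc(p["st"]) > now:
            return 403, "not yet valid"
    if now > expiry:
        return 403, "expired"
    if p.get("spr") == "https" and scheme != "https":
        return 403, "https required"
    if "sip" in p:
        first, _, last = p["sip"].partition("-")
        addr = ipaddress.ip_address(client_ip)
        if not (ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last or first)):
            return 403, "source IP not allowed"
    needed = {"GET": "r", "PUT": "w", "DELETE": "d"}[method]
    if needed not in permissions:
        return 403, f"permission '{needed}' not granted"
    return 200, "authorized"


def set_stored_policy(name, permissions, expiry_seconds_from_now):
    """Create or overwrite a stored access policy on the simulated container. A negative
    value puts the expiry in the past, which revokes every SAS that references the policy."""
    STORED_POLICIES[name] = {"permissions": permissions,
                             "expiry": datetime.now(timezone.utc) + timedelta(seconds=expiry_seconds_from_now)}


def delete_stored_policy(name):
    STORED_POLICIES.pop(name, None)
```

The order of checks is deliberate: the signature is verified first with a constant-time comparison, so a token whose `sp` was edited from `rw` to `rwd` fails as "signature mismatch" before any permission logic runs. For a token that references a stored access policy, the constraints come from the container at request time, which is exactly why deleting the policy revokes the token and recreating it under the same name revives it.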

Authorizing from a client application with a SAS

A client in possession of a SAS can use it to authorize a request against a storage account for which it does not hold the account keys. A SAS can be included in a connection string, or used directly in the appropriate constructor or method.

Using a SAS in a connection string

If you possess a shared access signature (SAS) URL that grants you access to resources in a storage account, you can use the SAS in a connection string. Because the SAS contains the information required to authorize the request, a connection string with a SAS provides the protocol, the service endpoint, and the credentials needed to access the resource.

To create a connection string that includes a shared access signature, specify the string in the following format:


Each service endpoint is optional, although the connection string must contain at least one.


Using HTTPS with a SAS is recommended as a best practice.

If you specify a SAS in a connection string in a configuration file, you may need to encode special characters in the URL.

Service SAS example

Here's an example of a connection string that includes a service SAS for Blob storage:


And here's an example of the same connection string with special characters encoded:


Account SAS example

Here's an example of a connection string that includes an account SAS for Blob and File storage. Note that endpoints for both services are specified:


And here's an example of the same connection string with URL encoding:


Using a SAS in a constructor or method

Several Azure Storage client library constructors and method overloads offer a SAS parameter, so that you can authorize a request to the service with a SAS.

For example, here a SAS URI is used to create a reference to a block blob. The SAS provides the only credentials needed for the request. The block blob reference is then used for a write operation:

using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

static async Task UploadWithSasAsync(string blobContent)
{
    // The page's sample token; its expiry and permission parameters are not shown on the page.
    string sasUri = "https://storagesample.blob.core.chinacloudapi.cn/sample-container/" +
        "sampleBlob.txt?sv=2015-07-08&sr=b&sig=39Up9JzHkxhUIhFEjEH9594DJxe7w6cIRCg0V6lCGSo%3D";

    // The SAS in the URI is the only credential; no account key is involved.
    CloudBlockBlob blob = new CloudBlockBlob(new Uri(sasUri));

    try
    {
        // Create operation: upload a blob with the specified name to the container.
        // If the blob does not exist, it is created. If it does exist, it is overwritten.
        using (MemoryStream msWrite = new MemoryStream(Encoding.UTF8.GetBytes(blobContent)))
        {
            msWrite.Position = 0;
            await blob.UploadFromStreamAsync(msWrite);
        }
        Console.WriteLine("Create operation succeeded for SAS {0}", sasUri);
    }
    catch (StorageException e)
    {
        // 403: the service rejected the SAS (bad signature, expired, or missing Write permission).
        if (e.RequestInformation.HttpStatusCode != 403) throw;
        Console.WriteLine("Create operation failed for SAS {0}", sasUri);
        Console.WriteLine("Additional error information: " + e.Message);
    }
}

Best practices when using SAS

When you use shared access signatures in your applications, you need to be aware of two potential risks:

  • If a SAS is leaked, it can be used by anyone who obtains it, which can compromise your storage account.
  • If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, the application's functionality may be impaired.

The following recommendations for using shared access signatures can help mitigate these risks:

  1. 始终使用 HTTPS 创建或分发 SAS。Always use HTTPS to create or distribute a SAS. 如果某一 SAS 通过 HTTP 传递并且被截取,则执行中间人攻击的攻击者将能够读取 SAS、并使用它,就像目标用户本可执行的操作一样,这可能会暴露敏感数据或者使恶意用户能够损坏数据。If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the intended user could have, potentially compromising sensitive data or allowing for data corruption by the malicious user.
  2. 尽可能参照存储访问策略。Reference stored access policies where possible. 存储访问策略使你可以选择撤消权限而不必重新生成存储帐户密钥。Stored access policies give you the option to revoke permissions without having to regenerate the storage account keys. 将针对 SAS 的到期时间设置为很久之后的某一时间(或者无限远),并且确保定期对其进行更新以便将到期时间移到将来的更远时间。Set the expiration on these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future.
  3. 对临时 SAS 使用近期的到期时间。Use near-term expiration times on an ad hoc SAS. 这样,即使某一 SAS 泄露,它也只会在短期内有效。In this way, even if a SAS is compromised, it's valid only for a short time. 如果无法参照某一存储访问策略,该行为尤其重要。This practice is especially important if you cannot reference a stored access policy. 临时到期时间还通过限制可用于上传到它的时间来限制可以写入 Blob 的数据量。Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.
  4. 如果需要,让客户端自动续订 SAS。Have clients automatically renew the SAS if necessary. 客户端应在到期时间之前很久就续订 SAS,这样,即使提供 SAS 的服务不可用,客户端也有时间重试。Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. 如果 SAS 旨在用于少量即时的短期操作,这些操作应在到期时间内完成,则上述做法可能是不必要的,因为不应续订 SAS。If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, then this may be unnecessary as the SAS is not expected to be renewed. 但是,如果客户端定期通过 SAS 发出请求,则有效期可能就会起作用。However, if you have client that is routinely making requests via SAS, then the possibility of expiration comes into play. 需要考虑的主要方面就是在以下两者间进行权衡:对短期 SAS 的需求(如前文所述)以及确保客户端尽早请求续订(以免在成功续订前因 SAS 到期而中断)。The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that the client is requesting renewal early enough (to avoid disruption due to the SAS expiring prior to successful renewal).
  5. 要注意 SAS 开始时间。 Be careful with SAS start time. 如果将 SAS 的开始时间设置为“现在” ,则由于时钟偏移(根据不同计算机,当前时间的差异),在前几分钟将会间歇地观察到失败。If you set the start time for a SAS to now, then due to clock skew (differences in current time according to different machines), failures may be observed intermittently for the first few minutes. 通常,将开始时间至少设置为 15 分钟前。In general, set the start time to be at least 15 minutes in the past. 或者根本不设置,这会使它在所有情况下都立即生效。Or, don't set it at all, which will make it valid immediately in all cases. 同样原则也适用于到期时间 - 请记住,对于任何请求,在任一方向可能会观察到最多 15 分钟的时钟偏移。The same generally applies to expiry time as well--remember that you may observe up to 15 minutes of clock skew in either direction on any request. 对于使用 2012-02-12 之前的 REST 版本的客户端,未参照某一存储访问策略的 SAS 的最大持续时间是 1 小时,指定超过 1 小时持续时间的任何策略都会失败。For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that does not reference a stored access policy is 1 hour, and any policies specifying longer term than that will fail.
  6. 对要访问的资源要具体。Be specific with the resource to be accessed. 一种安全性最佳做法是向用户提供所需最小权限。A security best practice is to provide a user with the minimum required privileges. 如果某一用户仅需要对单个实体的读取访问权限,则向该用户授予对该单个实体的读取访问权限,而不要授予针对所有实体的读取/写入/删除访问权限。If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. 如果 SAS 泄露,这也有助于降低损失,因为攻击者手中掌握的 SAS 的权限较为有限。This also helps lessen the damage if a SAS is compromised because the SAS has less power in the hands of an attacker.
  7. Understand that your account will be billed for any usage, including that done with SAS. If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you've given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).
  8. Validate data written using SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If your application requires that data be validated or authorized before it is ready to use, you should perform this validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS, or by a user exploiting a leaked SAS.
  9. Don't always use SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For example, if you want to make all blobs in a container publicly readable, you can make the container Public, rather than providing a SAS to every client for access.
  10. Use Storage Analytics to monitor your application. You can use logging and metrics to observe any spike in authentication failures due to an outage in your SAS provider service or to the inadvertent removal of a stored access policy. See the Azure Storage Team Blog for additional information.
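Several of the practices above (HTTPS only, minimal permissions, short lifetimes that allow for clock skew, a stored access policy so the SAS can be revoked) can be checked mechanically before a token is handed to a client. The following Python script is an added example, not code from this page or from the Azure SDK: it parses a SAS query string and reports deviations from those practices. The two tokens are constructed samples with placeholder signatures; the parameter names (sv, sr, si, sp, st, se, spr, sig) are the ones Azure Storage uses, while lint_sas itself, the one-hour limit and the allowed-permission set are the example's own choices. It does not check the signature, which would require the account key.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample tokens (placeholder signatures, not real ones):
# an over-broad, long-lived ad hoc SAS, and a tight one bound to a stored access policy.
SAMPLE_LOOSE = "sv=2018-03-28&sr=c&sp=racwdl&se=2030-01-01T00:00:00Z&spr=https,http&sig=CONSTRUCTED"
SAMPLE_TIGHT = "sv=2018-03-28&sr=c&si=upload-policy&sp=w&se=2019-06-01T12:30:00Z&spr=https&sig=CONSTRUCTED"

# Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)

# Time formats accepted for st/se; SAS times are always UTC.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas_time(value):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def parse_sas(token):
    """Split a SAS query string into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def lint_sas(token, now, allowed_permissions, max_lifetime=timedelta(hours=1)):
    """Return a list of findings; an empty list means the token meets every check."""
    p = parse_sas(token)
    findings = []

    # Item on protocol: the SAS should only be usable over HTTPS.
    if p.get("spr") != "https":
        findings.append(f"protocol: not restricted to HTTPS (spr={p.get('spr')!r})")

    # Least privilege: every permission letter must be in the set this use case needs.
    extra = sorted(set(p.get("sp", "")) - set(allowed_permissions))
    if extra:
        findings.append(f"permissions: grants {''.join(extra)!r} beyond the allowed {allowed_permissions!r}")

    # A service SAS names a resource (sr); without si it is ad hoc and cannot be revoked
    # other than by regenerating the account key.
    if "sr" in p and "si" not in p:
        findings.append("revocation: ad hoc SAS (no si) can only be revoked by regenerating the account key")

    # Lifetime: measure from st when present, otherwise from now (start omitted = effective immediately).
    if "se" not in p:
        if "si" not in p:
            findings.append("expiry: no se and no stored access policy to supply one")
        return findings
    expiry = parse_sas_time(p["se"])
    if expiry <= now:
        findings.append(f"expiry: already expired at {p['se']}")
    start = parse_sas_time(p["st"]) if "st" in p else now
    if expiry - start > max_lifetime:
        findings.append(f"expiry: lifetime {expiry - start} exceeds the {max_lifetime} limit")
    return findings


if __name__ == "__main__":
    for label, token, allowed in (("loose", SAMPLE_LOOSE, "rl"), ("tight", SAMPLE_TIGHT, "w")):
        print(f"{label}: {lint_sas(token, NOW, allowed) or 'no findings'}")
```

Run it against a token your own issuing service produced; if the intended use is a one-off upload, pass the single permission letter that use needs as allowed_permissions and treat any finding as a reason not to issue the token.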

SAS examples

Below are some examples of both types of shared access signatures, account SAS and service SAS.

To run these C# examples, you need to reference the following NuGet packages in your project:

For additional examples that show how to create and test a SAS, see Azure Code Samples for Storage.

Example: Create and use an account SAS

The following code example creates an account SAS that is valid for the Blob and File services, and gives the client read, write, and list permissions to access service-level APIs. The account SAS restricts the protocol to HTTPS, so the request must be made with HTTPS.

using System;
// Namespaces from the WindowsAzure.Storage package; the split Microsoft.Azure.Storage.* packages use the Microsoft.Azure.Storage prefix instead.
using Microsoft.WindowsAzure.Storage;

static string GetAccountSASToken()
{
    // To create the account SAS, you need to use your shared key credentials. Modify for your account.
    const string ConnectionString = "DefaultEndpointsProtocol=https;AccountName=account-name;AccountKey=account-key;EndpointSuffix=core.chinacloudapi.cn";
    CloudStorageAccount storageAccount = CloudStorageAccount.Parse(ConnectionString);

    // Create a new access policy for the account.
    SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
    {
        Permissions = SharedAccessAccountPermissions.Read | SharedAccessAccountPermissions.Write | SharedAccessAccountPermissions.List,
        Services = SharedAccessAccountServices.Blob | SharedAccessAccountServices.File,
        ResourceTypes = SharedAccessAccountResourceTypes.Service,
        SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
        Protocols = SharedAccessProtocol.HttpsOnly
    };

    // Return the SAS token.
    return storageAccount.GetSharedAccessSignature(policy);
}
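To show what GetSharedAccessSignature computes from the account key, and why every field in the policy is tamper-evident, here is an added Python example that is not from this page or from the Azure SDK: it builds and verifies an account SAS by hand. It follows the account-SAS string-to-sign layout documented for service version 2018-03-28 (account name, then sp, ss, srt, st, se, sip, spr and sv, each newline-terminated), signed with HMAC-SHA256 under the Base64-decoded account key. The account name and key are constructed placeholders, and newer service versions append further fields, so treat this as an illustration of the mechanism rather than a drop-in verifier.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholders, not real credentials: the account name mirrors the page's
# "account-name", and the key is an arbitrary Base64 string of the right shape.
ACCOUNT = "account-name"
ACCOUNT_KEY = base64.b64encode(b"constructed demo key for illustration only!!").decode()


def account_sas_string_to_sign(account, sp, ss, srt, st, se, sip, spr, sv):
    """String-to-sign for an account SAS (service version 2018-03-28 layout): the account
    name, then the signed fields in a fixed order, each newline-terminated. Optional
    fields that were omitted (st, sip) are signed as empty strings."""
    return "\n".join([account, sp, ss, srt, st, se, sip, spr, sv]) + "\n"


def sign(key_b64, string_to_sign):
    """HMAC-SHA256 under the Base64-decoded account key, Base64-encoded for the sig field."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_account_sas(account, key_b64, sp, ss, srt, se, st="", sip="", spr="https", sv="2018-03-28"):
    """Build the SAS query string: sv, ss, srt, sp, se, spr, optional st/sip, then sig."""
    fields = {"sv": sv, "ss": ss, "srt": srt, "sp": sp, "se": se, "spr": spr}
    if st:
        fields["st"] = st
    if sip:
        fields["sip"] = sip
    fields["sig"] = sign(key_b64, account_sas_string_to_sign(account, sp, ss, srt, st, se, sip, spr, sv))
    return urlencode(fields)  # percent-encodes the '+', '/' and '=' that Base64 signatures contain


def parse_sas(token):
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}


def verify_account_sas(account, key_b64, token):
    """Recompute the signature from the token's own fields; editing any field breaks it.
    This is the service-side check, so it needs the account key as well."""
    p = parse_sas(token)
    try:
        expected = sign(key_b64, account_sas_string_to_sign(
            account, p["sp"], p["ss"], p["srt"], p.get("st", ""), p["se"],
            p.get("sip", ""), p["spr"], p["sv"]))
    except KeyError:
        return False  # a required signed field is missing
    return hmac.compare_digest(expected, p.get("sig", ""))


def with_param(token, key, value):
    """Copy of the token with one query parameter replaced, to show that tampering is detected."""
    p = parse_sas(token)
    p[key] = value
    return urlencode(p)


if __name__ == "__main__":
    token = make_account_sas(ACCOUNT, ACCOUNT_KEY, sp="rwl", ss="bf", srt="s", se="2019-06-02T00:00:00Z")
    print("token:", token)
    print("valid:", verify_account_sas(ACCOUNT, ACCOUNT_KEY, token))
    print("after widening sp:", verify_account_sas(ACCOUNT, ACCOUNT_KEY, with_param(token, "sp", "rwdlac")))
    print("after extending se:", verify_account_sas(ACCOUNT, ACCOUNT_KEY, with_param(token, "se", "2030-01-01T00:00:00Z")))
```

The point for a defender is the last two lines: a client holding a SAS cannot widen its permissions or push out its expiry, because both are inside the HMAC; the only party that can mint a different token is one holding the account key, which is why the key must never leave the issuing service.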

To use the account SAS to access service-level APIs for the Blob service, construct a Blob client object using the SAS and the Blob storage endpoint for your storage account.

using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;
using Microsoft.WindowsAzure.Storage.Shared.Protocol;

static void UseAccountSAS(string sasToken)
{
    // Create new storage credentials using the SAS token.
    StorageCredentials accountSAS = new StorageCredentials(sasToken);
    // Use these credentials and the account name to create a Blob service client.
    CloudStorageAccount accountWithSAS = new CloudStorageAccount(accountSAS, "account-name", endpointSuffix: null, useHttps: true);
    CloudBlobClient blobClientWithSAS = accountWithSAS.CreateCloudBlobClient();

    // Now set the service properties for the Blob client created with the SAS.
    blobClientWithSAS.SetServiceProperties(new ServiceProperties()
    {
        HourMetrics = new MetricsProperties()
        {
            MetricsLevel = MetricsLevel.ServiceAndApi,
            RetentionDays = 7,
            Version = "1.0"
        },
        MinuteMetrics = new MetricsProperties()
        {
            MetricsLevel = MetricsLevel.ServiceAndApi,
            RetentionDays = 7,
            Version = "1.0"
        },
        Logging = new LoggingProperties()
        {
            LoggingOperations = LoggingOperations.All,
            RetentionDays = 14,
            Version = "1.0"
        }
    });

    // The permissions granted by the account SAS also permit you to retrieve service properties.
    ServiceProperties serviceProperties = blobClientWithSAS.GetServiceProperties();
}

Example: Create a stored access policy

The following code creates a stored access policy on a container. You can use the access policy to specify constraints for a service SAS on the container or its blobs.

using System;
using System.Threading.Tasks;
using Microsoft.WindowsAzure.Storage.Blob;

private static async Task CreateSharedAccessPolicyAsync(CloudBlobContainer container, string policyName)
{
    // Create a new shared access policy and define its constraints.
    // The access policy provides create, write, read, list, and delete permissions.
    SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
    {
        // When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request.
        // Omitting the start time for a SAS that is effective immediately helps to avoid clock skew.
        SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
        Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List |
            SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.Delete
    };

    // Get the container's existing permissions.
    BlobContainerPermissions permissions = await container.GetPermissionsAsync();

    // Add the new policy to the container's permissions, and set the container's permissions.
    permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
    await container.SetPermissionsAsync(permissions);
}

Example: Create a service SAS on a container

The following code creates a SAS on a container. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, then the code creates an ad hoc SAS on the container.

using System;
using Microsoft.WindowsAzure.Storage.Blob;

private static string GetContainerSasUri(CloudBlobContainer container, string storedPolicyName = null)
{
    string sasContainerToken;

    // If no stored policy is specified, create a new access policy and define its constraints.
    if (storedPolicyName == null)
    {
        // Note that the SharedAccessBlobPolicy class is used both to define the parameters of an ad hoc SAS, and
        // to construct a shared access policy that is saved to the container's shared access policies.
        SharedAccessBlobPolicy adHocPolicy = new SharedAccessBlobPolicy()
        {
            // When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request.
            // Omitting the start time for a SAS that is effective immediately helps to avoid clock skew.
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Permissions = SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.List
        };

        // Generate the shared access signature on the container, setting the constraints directly on the signature.
        sasContainerToken = container.GetSharedAccessSignature(adHocPolicy, null);

        Console.WriteLine("SAS for blob container (ad hoc): {0}", sasContainerToken);
    }
    else
    {
        // Generate the shared access signature on the container. In this case, all of the constraints for the
        // shared access signature are specified on the stored access policy, which is provided by name.
        // It is also possible to specify some constraints on an ad hoc SAS and others on the stored access policy.
        sasContainerToken = container.GetSharedAccessSignature(null, storedPolicyName);

        Console.WriteLine("SAS for blob container (stored access policy): {0}", sasContainerToken);
    }

    // Return the URI string for the container, including the SAS token.
    return container.Uri + sasContainerToken;
}
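The two preceding examples (creating a stored access policy, then issuing a container SAS either ad hoc or by policy name) differ mainly in where the constraints live and, as a consequence, in how access can be withdrawn. The following Python model is an added example, not code from this page or from the Azure SDK. It keeps a container's stored policies in a dictionary, signs tokens with HMAC-SHA256 under a constructed key, and authorizes requests the way the service does: for an ad hoc SAS the permissions and expiry come from the token, for a policy SAS (si) they are looked up at request time. The string-to-sign it uses is a simplified stand-in, not Azure's real service-SAS format; the account name, key and container name are constructed placeholders.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed placeholders, not real credentials.
ACCOUNT = "account-name"
KEY_V1 = base64.b64encode(b"constructed demo key one, not a real key!").decode()
KEY_V2 = base64.b64encode(b"constructed demo key two, after rotation").decode()
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _sign(key_b64, string_to_sign):
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


class ContainerModel:
    """Toy model of one container, its stored access policies, and SAS authorization."""

    def __init__(self, name, key_b64):
        self.name = name
        self.key_b64 = key_b64
        self.policies = {}  # policy name -> (permissions, expiry)

    def set_policy(self, name, permissions, expiry):
        self.policies[name] = (permissions, expiry)

    def remove_policy(self, name):
        self.policies.pop(name, None)

    def _string_to_sign(self, si, sp, se):
        # Simplified stand-in: resource path plus the signed fields; not Azure's real layout.
        return "\n".join([f"/{ACCOUNT}/{self.name}", si, sp, se])

    def issue_sas(self, permissions="", expiry=None, policy_name=None):
        """An ad hoc SAS carries sp/se in the token; a policy SAS carries only si."""
        if policy_name is not None:
            fields = {"sr": "c", "si": policy_name}
            fields["sig"] = _sign(self.key_b64, self._string_to_sign(policy_name, "", ""))
        else:
            se = expiry.strftime(TIME_FMT)
            fields = {"sr": "c", "sp": permissions, "se": se}
            fields["sig"] = _sign(self.key_b64, self._string_to_sign("", permissions, se))
        return urlencode(fields)

    def authorize(self, token, needed_permission, now):
        p = {k: v[0] for k, v in parse_qs(token, keep_blank_values=True).items()}
        si, sp, se = p.get("si", ""), p.get("sp", ""), p.get("se", "")
        expected = _sign(self.key_b64, self._string_to_sign(si, sp, se))
        if not hmac.compare_digest(expected, p.get("sig", "")):
            return False  # forged, or signed under a key that has since been rotated
        if si:
            policy = self.policies.get(si)
            if policy is None:
                return False  # policy removed: every SAS that referenced it is revoked
            sp, expiry = policy  # constraints come from the policy as it is right now
        else:
            expiry = datetime.strptime(se, TIME_FMT).replace(tzinfo=timezone.utc)
        return now < expiry and needed_permission in sp


def revocation_demo():
    """Walk through both revocation paths and return the outcome of each step."""
    now = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
    container = ContainerModel("uploads", KEY_V1)
    container.set_policy("upload-policy", "wl", now + timedelta(hours=24))

    ad_hoc = container.issue_sas(permissions="wl", expiry=now + timedelta(hours=24))
    by_policy = container.issue_sas(policy_name="upload-policy")
    results = {
        "ad_hoc_ok": container.authorize(ad_hoc, "w", now),
        "policy_ok": container.authorize(by_policy, "w", now),
        "policy_denies_read": container.authorize(by_policy, "r", now),
    }
    # Tighten the policy's expiry: already-issued policy tokens stop working immediately.
    container.set_policy("upload-policy", "wl", now - timedelta(minutes=1))
    results["policy_after_shortened_expiry"] = container.authorize(by_policy, "w", now)
    # Remove the policy outright, the usual revocation step; the ad hoc token is unaffected.
    container.remove_policy("upload-policy")
    results["policy_after_removal"] = container.authorize(by_policy, "w", now)
    results["ad_hoc_after_removal"] = container.authorize(ad_hoc, "w", now)
    # The only way to kill the ad hoc token early is to rotate the account key.
    container.key_b64 = KEY_V2
    results["ad_hoc_after_rotation"] = container.authorize(ad_hoc, "w", now)
    return results


if __name__ == "__main__":
    for step, outcome in revocation_demo().items():
        print(f"{step}: {'allowed' if outcome else 'denied'}")
```

The run shows why the best practices favour stored access policies for anything long-lived: removing or tightening a policy revokes every token that references it without touching the account key, whereas an ad hoc token can only be cut short by regenerating the key, which also invalidates every other SAS and every client that holds the old key.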

Example: Create a service SAS on a blob

The following code creates a SAS on a blob. If the name of an existing stored access policy is provided, that policy is associated with the SAS. If no stored access policy is provided, then the code creates an ad hoc SAS on the blob.

using System;
using Microsoft.WindowsAzure.Storage.Blob;

private static string GetBlobSasUri(CloudBlobContainer container, string blobName, string policyName = null)
{
    string sasBlobToken;

    // Get a reference to a blob within the container.
    // Note that the blob may not exist yet, but a SAS can still be created for it.
    CloudBlockBlob blob = container.GetBlockBlobReference(blobName);

    if (policyName == null)
    {
        // Create a new access policy and define its constraints.
        // Note that the SharedAccessBlobPolicy class is used both to define the parameters of an ad hoc SAS, and
        // to construct a shared access policy that is saved to the container's shared access policies.
        SharedAccessBlobPolicy adHocSAS = new SharedAccessBlobPolicy()
        {
            // When the start time for the SAS is omitted, the start time is assumed to be the time when the storage service receives the request.
            // Omitting the start time for a SAS that is effective immediately helps to avoid clock skew.
            SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
            Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.Create
        };

        // Generate the shared access signature on the blob, setting the constraints directly on the signature.
        sasBlobToken = blob.GetSharedAccessSignature(adHocSAS);

        Console.WriteLine("SAS for blob (ad hoc): {0}", sasBlobToken);
    }
    else
    {
        // Generate the shared access signature on the blob. In this case, all of the constraints for the
        // shared access signature are specified on the container's stored access policy.
        sasBlobToken = blob.GetSharedAccessSignature(null, policyName);

        Console.WriteLine("SAS for blob (stored access policy): {0}", sasBlobToken);
    }

    // Return the URI string for the blob, including the SAS token.
    return blob.Uri + sasBlobToken;
}


Shared access signatures are useful for providing limited permissions to your storage account to clients that should not have the account key. As such, they are a vital part of the security model for any application using Azure Storage. If you follow the best practices listed here, you can use SAS to provide greater flexibility of access to resources in your storage account, without compromising the security of your application.

Next Steps