Grant limited access to Azure Storage resources using shared access signatures (SAS)

A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control which resources the client may access, what permissions it has on those resources, and how long the SAS is valid, among other parameters.

Types of shared access signatures

Azure Storage supports three types of shared access signatures:

  • Service SAS. A service SAS is secured with the storage account key. A service SAS delegates access to a resource in only one of the Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

    For more information about the service SAS, see Create a service SAS (REST API).

  • Account SAS. An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service SAS are also available via an account SAS. Additionally, with the account SAS, you can delegate access to operations that apply at the level of the service, such as the Get/Set Service Properties and Get Service Stats operations. You can also delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares, which a service SAS does not permit.

    For more information about the account SAS, see Create an account SAS (REST API).

Note

As a security best practice, Azure recommends that you use Azure AD credentials when possible rather than the account key, which can be more easily compromised.

A shared access signature can take one of two forms:

  • Ad hoc SAS: When you create an ad hoc SAS, the start time, expiry time, and permissions for the SAS are all specified in the SAS URI (or implied, if the start time is omitted). Any type of SAS can be an ad hoc SAS.
  • Service SAS with stored access policy: A stored access policy is defined on a resource container, which can be a blob container, table, queue, or file share. The stored access policy can be used to manage constraints for one or more service shared access signatures. When you associate a service SAS with a stored access policy, the SAS inherits the constraints (the start time, expiry time, and permissions) defined for the stored access policy.

Note

An account SAS must be an ad hoc SAS. Stored access policies are not supported for the account SAS.

How a shared access signature works

A shared access signature is a signed URI that points to one or more storage resources and includes a token that contains a special set of query parameters. The token indicates how the resources may be accessed by the client. One of the query parameters, the signature, is constructed from the SAS parameters and signed with the key that was used to create the SAS. Azure Storage uses this signature to authorize access to the storage resource.

SAS signature

You can sign a SAS in the following way:

With the storage account key. Both a service SAS and an account SAS are signed with the storage account key. To create a SAS that is signed with the account key, an application must have access to the account key.

SAS token

The SAS token is a string that you generate on the client side, for example by using one of the Azure Storage client libraries. The SAS token is not tracked by Azure Storage in any way. You can create an unlimited number of SAS tokens on the client side. After you create a SAS, you can distribute it to client applications that require access to resources in your storage account.

When a client application provides a SAS URI to Azure Storage as part of a request, the service checks the SAS parameters and signature to verify that the SAS is valid for authorizing the request. If the service verifies that the signature is valid, the request is authorized. Otherwise, the request is declined with error code 403 (Forbidden).

Here's an example of a service SAS URI, showing the resource URI and the SAS token:

(Figure: Components of a service SAS URI)
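The signing and verification steps described above, as an added example that is not part of the original page or of any Azure SDK: a Python model of an ad hoc service SAS for a single blob, signed with HMAC-SHA256 over the string-to-sign, and a service-side check that recomputes the signature from the presented parameters rather than looking the token up anywhere. The account name, key and blob names are constructed, and the string-to-sign field order is assumed to follow the REST reference for service version 2019-12-12.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample account; a real account key is the base64 secret shown in the portal.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()
VERSION = "2019-12-12"  # assumed service version; the string-to-sign layout follows its reference
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _string_to_sign(p: dict, container: str, blob: str) -> str:
    # Service SAS field order: signedpermissions, signedstart, signedexpiry, canonicalizedresource,
    # signedidentifier, signedIP, signedprotocol, signedversion, signedresource,
    # signedsnapshottime, rscc, rscd, rsce, rscl, rsct (assumed per the 2019-12-12 reference).
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([p["sp"], p["st"], p["se"], canonical, p.get("si", ""), p.get("sip", ""),
                      p["spr"], p["sv"], p["sr"], "", "", "", "", "", ""])


def _sign(key_b64: str, string_to_sign: str) -> str:
    # signature = base64(HMAC-SHA256(base64-decoded account key, UTF-8 string-to-sign))
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_blob_sas(container, blob, perms, start, expiry, key=ACCOUNT_KEY) -> str:
    """Client side: build an ad hoc service SAS token (the query string) for one blob."""
    p = {"sp": perms, "st": start.strftime(FMT), "se": expiry.strftime(FMT),
         "spr": "https", "sv": VERSION, "sr": "b"}
    p["sig"] = _sign(key, _string_to_sign(p, container, blob))
    return urlencode(p)


def authorize(container, blob, sas_token, wanted_perm, now, key=ACCOUNT_KEY) -> int:
    """Service-side model: nothing about the token is stored, so the signature is recomputed
    from the presented parameters; any edit to se, sp or the resource fails to verify (403)."""
    p = {k: v[0] for k, v in parse_qs(sas_token).items()}
    try:
        expected = _sign(key, _string_to_sign(p, container, blob))
        start = datetime.strptime(p["st"], FMT).replace(tzinfo=timezone.utc)
        expiry = datetime.strptime(p["se"], FMT).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return 403
    if not hmac.compare_digest(expected, p.get("sig", "")):
        return 403
    if not (start <= now < expiry) or wanted_perm not in p["sp"]:
        return 403
    return 200
```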

When to use a shared access signature

Use a SAS when you want to provide secure access to resources in your storage account to any client who does not otherwise have permissions to those resources.

A common scenario where a SAS is useful is a service where users read and write their own data to your storage account. In a scenario where a storage account stores user data, there are two typical design patterns:

  1. Clients upload and download data via a front-end proxy service, which performs authentication. This front-end proxy service has the advantage of allowing validation of business rules, but for large amounts of data or high-volume transactions, creating a service that can scale to match demand may be expensive or difficult.

    (Figure: Scenario diagram, front-end proxy service)

  2. A lightweight service authenticates the client as needed and then generates a SAS. Once the client application receives the SAS, it can access storage account resources directly, with the permissions defined by the SAS and for the interval allowed by the SAS. The SAS removes the need to route all data through the front-end proxy service.

    (Figure: Scenario diagram, SAS provider service)

Many real-world services may use a hybrid of these two approaches. For example, some data might be processed and validated via the front-end proxy, while other data is saved and/or read directly using a SAS.

Additionally, a SAS is required to authorize access to the source object in a copy operation in certain scenarios:

  • When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.
  • When you copy a file to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.
  • When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.

Best practices when using SAS

When you use shared access signatures in your applications, you need to be aware of two potential risks:

  • If a SAS is leaked, it can be used by anyone who obtains it, which can potentially compromise your storage account.
  • If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application's functionality may be hindered.

The following recommendations for using shared access signatures can help mitigate these risks:

  • Always use HTTPS to create or distribute a SAS. If a SAS is passed over HTTP and intercepted, an attacker performing a man-in-the-middle attack is able to read the SAS and then use it just as the intended user could have, potentially compromising sensitive data or allowing for data corruption by the malicious user.
  • Have a revocation plan in place for a SAS. Make sure you are prepared to respond if a SAS is compromised.
  • Define a stored access policy for a service SAS. Stored access policies give you the option to revoke permissions for a service SAS without having to regenerate the storage account keys. Set the expiration on these very far in the future (or infinite) and make sure it's regularly updated to move it farther into the future.
  • Use near-term expiration times on an ad hoc SAS, whether a service SAS or an account SAS. In this way, even if a SAS is compromised, it's valid only for a short time. This practice is especially important if you cannot reference a stored access policy. Near-term expiration times also limit the amount of data that can be written to a blob by limiting the time available to upload to it.
  • Have clients automatically renew the SAS if necessary. Clients should renew the SAS well before the expiration, in order to allow time for retries if the service providing the SAS is unavailable. If your SAS is meant to be used for a small number of immediate, short-lived operations that are expected to be completed within the expiration period, this may be unnecessary, because the SAS is not expected to be renewed. However, if you have a client that routinely makes requests via SAS, then the possibility of expiration comes into play. The key consideration is to balance the need for the SAS to be short-lived (as previously stated) with the need to ensure that the client requests renewal early enough (to avoid disruption due to the SAS expiring prior to successful renewal).
  • Be careful with the SAS start time. If you set the start time for a SAS to now, then due to clock skew (differences in current time according to different machines), failures may be observed intermittently for the first few minutes. In general, set the start time to be at least 15 minutes in the past. Or, don't set it at all, which makes the SAS valid immediately in all cases. The same generally applies to the expiry time as well: remember that you may observe up to 15 minutes of clock skew in either direction on any request. For clients using a REST version prior to 2012-02-12, the maximum duration for a SAS that does not reference a stored access policy is 1 hour, and any policy specifying a longer term than that will fail.
  • Be careful with the SAS datetime format. If you set the start time and/or expiry for a SAS, some utilities (for example, the command-line utility AzCopy) need the datetime format to be '+%Y-%m-%dT%H:%M:%SZ', specifically including the seconds, in order to work with the SAS token.
  • Be specific with the resource to be accessed. A security best practice is to provide a user with the minimum required privileges. If a user only needs read access to a single entity, then grant them read access to that single entity, and not read/write/delete access to all entities. This also helps lessen the damage if a SAS is compromised, because the SAS has less power in the hands of an attacker.
  • Understand that your account will be billed for any usage, including via a SAS. If you provide write access to a blob, a user may choose to upload a 200 GB blob. If you've given them read access as well, they may choose to download it 10 times, incurring 2 TB in egress costs for you. Again, provide limited permissions to help mitigate the potential actions of malicious users. Use a short-lived SAS to reduce this threat (but be mindful of clock skew on the end time).
  • Validate data written using a SAS. When a client application writes data to your storage account, keep in mind that there can be problems with that data. If your application requires that data be validated or authorized before it is ready to use, you should perform this validation after the data is written and before it is used by your application. This practice also protects against corrupt or malicious data being written to your account, either by a user who properly acquired the SAS or by a user exploiting a leaked SAS.
  • Know when not to use a SAS. Sometimes the risks associated with a particular operation against your storage account outweigh the benefits of using a SAS. For such operations, create a middle-tier service that writes to your storage account after performing business rule validation, authentication, and auditing. Also, sometimes it's simpler to manage access in other ways. For example, if you want to make all blobs in a container publicly readable, you can make the container public rather than providing a SAS to every client for access.
  • Use Azure Monitor and Azure Storage logs to monitor your application. You can use Azure Monitor and storage analytics logging to observe any spike in authorization failures due to an outage in your SAS provider service or to the inadvertent removal of a stored access policy. For more information, see Azure Storage metrics in Azure Monitor and Azure Storage Analytics logging.
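A client-side renewal policy that follows the start-time, expiry, early-renewal and datetime-format recommendations in the list above, as an added example that is not part of the original page or of any Azure client library. The `SasHolder` class, the `fetch` callback to a SAS provider service, and the margin values are assumptions; the token strings it handles are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"    # the '+%Y-%m-%dT%H:%M:%SZ' form, seconds included, that AzCopy needs
SAS_TIME = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
SKEW = timedelta(minutes=15)  # clock skew to expect in either direction, per the guidance above


def valid_sas_time(s: str) -> bool:
    """Reject timestamps that drop the seconds (for example '2024-01-01T13:00Z')."""
    return bool(SAS_TIME.match(s))


def sas_window(now: datetime, lifetime: timedelta = timedelta(hours=1)) -> tuple:
    """Start 15 minutes in the past so a skewed clock accepts the SAS at once; keep expiry short."""
    return (now - SKEW).strftime(FMT), (now + lifetime).strftime(FMT)


class SasHolder:
    """Caches one SAS and renews it early, so retries against the provider fit before it expires.
    fetch(now) -> (token, expiry_str) is an assumed callback to your SAS provider service."""

    def __init__(self, fetch, margin: timedelta = timedelta(minutes=25)):
        self._fetch, self._margin = fetch, margin   # margin > SKEW leaves room for retries
        self._token, self._expiry = None, None
        self.renewals = self.failures = 0

    def token(self, now: datetime) -> str:
        if self._expiry is None or self._expiry - now <= self._margin:
            try:
                token, exp = self._fetch(now)
                if not valid_sas_time(exp):
                    raise ValueError(f"bad SAS expiry format: {exp!r}")
                self._token = token
                self._expiry = datetime.strptime(exp, FMT).replace(tzinfo=timezone.utc)
                self.renewals += 1
            except Exception:
                self.failures += 1              # keep the cached SAS while it is still usable
        # Fail closed once the cached SAS is within the skew window of its expiry.
        if self._expiry is None or now + SKEW >= self._expiry:
            raise RuntimeError("no usable SAS: provider unreachable and cached SAS about to expire")
        return self._token
```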

Get started with SAS

To get started with shared access signatures, see the following articles for each SAS type.

Service SAS

Account SAS

Next steps