Define a stored access policy with .NET

A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Defining a stored access policy serves to group shared access signatures and to provide additional restrictions for shared access signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a SAS, or to revoke it after it has been issued.

The following storage resources support stored access policies:

  • Blob containers
  • File shares
  • Queues
  • Tables

Note

A stored access policy on a container can be associated with a shared access signature granting permissions to the container itself or to the blobs it contains. Similarly, a stored access policy on a file share can be associated with a shared access signature granting permissions to the share itself or to the files it contains.

Stored access policies are supported for a service SAS only. Stored access policies are not supported for an account SAS.

Create a stored access policy

The following code creates a stored access policy on a container. You can use the access policy to specify constraints for a service SAS on the container or its blobs.

using System;
using System.Threading.Tasks;
using Microsoft.Azure.Storage.Blob; // assumed: the legacy v11 Blob client (CloudBlobContainer, SharedAccessBlobPolicy)

private static async Task CreateStoredAccessPolicyAsync(CloudBlobContainer container, string policyName)
{
    // Create a new stored access policy and define its constraints.
    // The access policy provides create, write, read, list, and delete permissions.
    SharedAccessBlobPolicy sharedPolicy = new SharedAccessBlobPolicy()
    {
        // When the start time for the SAS is omitted, the start time is assumed to be the time when Azure Storage receives the request.
        SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
        Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List |
            SharedAccessBlobPermissions.Write | SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.Delete
    };

    // Get the container's existing permissions (public access level plus any stored access policies).
    BlobContainerPermissions permissions = await container.GetPermissionsAsync();

    // Add the new policy under its identifier, then write the full permission set back to the container.
    // Note: SetPermissionsAsync replaces the container's policies with the set held in 'permissions'.
    permissions.SharedAccessPolicies.Add(policyName, sharedPolicy);
    await container.SetPermissionsAsync(permissions);
}
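The introduction states that a stored access policy lets you change the expiry or permissions of a SAS, or revoke it, after issue, and the sample above only shows the creation step. The following C# example, added here and not part of the original article, shows the rest of that lifecycle with the same legacy client: issuing a SAS that is bound to the policy identifier, tightening the policy to read-only, and revoking it. The class and method names are this example's own, and the `Microsoft.Azure.Storage.Blob` namespace is assumed to match the sample above.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.Storage.Blob; // assumed: legacy v11 Blob client, as in the article's sample

// Helper names below are illustrative, not part of the Azure SDK.
public static class StoredAccessPolicyLifecycle
{
    // A container may hold at most five stored access policies.
    private const int MaxPoliciesPerContainer = 5;

    // Issue a service SAS whose constraints come entirely from the named stored access policy.
    // The token carries only the policy identifier ("si="), so expiry and permissions are
    // evaluated server-side and can be changed later without reissuing the token.
    public static string IssueSasBoundToPolicy(CloudBlobContainer container, string policyName)
    {
        // An empty ad-hoc policy means the SAS inherits start, expiry and permissions from the stored policy.
        return container.GetSharedAccessSignature(new SharedAccessBlobPolicy(), policyName);
    }

    // Create the policy only if there is room; returns false when the container is already at the limit.
    public static async Task<bool> TryCreateReadOnlyPolicyAsync(CloudBlobContainer container, string policyName, TimeSpan lifetime)
    {
        BlobContainerPermissions permissions = await container.GetPermissionsAsync();
        if (permissions.SharedAccessPolicies.ContainsKey(policyName))
            return true; // already present; nothing to do
        if (permissions.SharedAccessPolicies.Count >= MaxPoliciesPerContainer)
            return false;

        permissions.SharedAccessPolicies.Add(policyName, new SharedAccessBlobPolicy
        {
            SharedAccessExpiryTime = DateTime.UtcNow.Add(lifetime),
            Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.List
        });
        await container.SetPermissionsAsync(permissions);
        return true;
    }

    // Tighten an existing policy in place: every SAS bound to it takes the new constraints.
    public static async Task RestrictPolicyAsync(CloudBlobContainer container, string policyName, TimeSpan newLifetime)
    {
        BlobContainerPermissions permissions = await container.GetPermissionsAsync();
        if (!permissions.SharedAccessPolicies.ContainsKey(policyName))
            throw new InvalidOperationException($"No stored access policy '{policyName}' on container '{container.Name}'.");

        permissions.SharedAccessPolicies[policyName] = new SharedAccessBlobPolicy
        {
            SharedAccessExpiryTime = DateTime.UtcNow.Add(newLifetime),
            Permissions = SharedAccessBlobPermissions.Read
        };
        await container.SetPermissionsAsync(permissions);
    }

    // Revoke: deleting the policy invalidates every SAS that references it, without rotating the account key.
    public static async Task<bool> RevokePolicyAsync(CloudBlobContainer container, string policyName)
    {
        BlobContainerPermissions permissions = await container.GetPermissionsAsync();
        bool removed = permissions.SharedAccessPolicies.Remove(policyName);
        if (removed)
            await container.SetPermissionsAsync(permissions);
        return removed;
    }

    // Sequence the steps end to end against a container reference obtained elsewhere.
    public static async Task RunAsync(CloudBlobContainer container)
    {
        const string policyName = "readers-2024q1"; // constructed sample identifier
        if (!await TryCreateReadOnlyPolicyAsync(container, policyName, TimeSpan.FromDays(7)))
            throw new InvalidOperationException("Policy limit reached; remove a stale policy first.");

        string sas = IssueSasBoundToPolicy(container, policyName);  // hand this to the client
        await RestrictPolicyAsync(container, policyName, TimeSpan.FromHours(1)); // shorten remaining lifetime
        await RevokePolicyAsync(container, policyName);             // sas is now rejected by the service
    }
}
```

Because the policy is looked up by identifier on every request, a SAS issued against it has no independent expiry or permission bits of its own; that is what makes server-side revocation possible. Removing the policy, or rewriting it with a narrower permission set, is the controlled alternative to regenerating the account key when a token must be invalidated.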

See also