Create a stored access policy with .NET

A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Defining a stored access policy serves to group shared access signatures and to provide additional restrictions for shared access signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a SAS, or to revoke it after it has been issued.

The following Azure Storage resources support stored access policies:

  • Blob containers
  • File shares
  • Queues
  • Tables

Note

A stored access policy on a container can be associated with a shared access signature granting permissions to the container itself or to the blobs it contains. Similarly, a stored access policy on a file share can be associated with a shared access signature granting permissions to the share itself or to the files it contains.

Stored access policies are supported for a service SAS only. Stored access policies are not supported for account SAS.

For more information about stored access policies, see Define a stored access policy.

Create a stored access policy

The underlying REST operation to create a stored access policy is Set Container ACL. You must authorize the operation to create a stored access policy via Shared Key by using the account access keys in a connection string. Authorizing the Set Container ACL operation with Azure AD credentials is not supported. For more information, see Permissions for calling blob and queue data operations.

The following code examples create a stored access policy on a container. You can use the access policy to specify constraints for a service SAS on the container or its blobs.

To create a stored access policy on a container with version 12 of the .NET client library for Azure Storage, call one of the following methods:

The following example creates a stored access policy that is in effect for one day and that grants read/write permissions:

using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;

async static Task CreateStoredAccessPolicyAsync(string containerName)
{
    // The connection string must contain the account key (Shared Key).
    // Reading it from an environment variable (name chosen here for illustration)
    // keeps the key out of source code.
    string connectionString = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");

    // Use the connection string to authorize the operation to create the access policy.
    // Azure AD does not support the Set Container ACL operation that creates the policy.
    BlobContainerClient containerClient = new BlobContainerClient(connectionString, containerName);

    try
    {
        await containerClient.CreateIfNotExistsAsync();

        // Create one or more stored access policies. The Id is the identifier that a
        // service SAS later references to inherit this policy's start, expiry, and permissions.
        List<BlobSignedIdentifier> signedIdentifiers = new List<BlobSignedIdentifier>
        {
            new BlobSignedIdentifier
            {
                Id = "mysignedidentifier",
                AccessPolicy = new BlobAccessPolicy
                {
                    // Start slightly in the past to tolerate clock skew between client and service.
                    StartsOn = DateTimeOffset.UtcNow.AddHours(-1),
                    ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
                    Permissions = "rw"
                }
            }
        };
        // Set the container's access policy (Set Container ACL). This replaces the
        // container's existing list of stored access policies.
        await containerClient.SetAccessPolicyAsync(permissions: signedIdentifiers);
    }
    catch (RequestFailedException e)
    {
        Console.WriteLine(e.ErrorCode);
        Console.WriteLine(e.Message);
    }
    finally
    {
        // Demo clean-up only: deleting the container also discards its stored access policies.
        await containerClient.DeleteAsync();
    }
}
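The following example is added here to show the other half of the workflow the introduction describes: issuing a service SAS that is bound to the stored access policy (so its permissions and expiry come from the policy, not from the token) and then revoking every such SAS by removing the policy's identifier from the container ACL. It is not code from the original page; it assumes the policy identifier "mysignedidentifier" created above, a container name "policy-demo", and an environment variable named AZURE_STORAGE_CONNECTION_STRING holding a connection string with the account key, all of which are illustrative choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Azure;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Azure.Storage.Sas;

static class PolicyBoundSasDemo
{
    // Assumed values for this example; they match the policy created in the sample above.
    const string PolicyId = "mysignedidentifier";
    const string ContainerName = "policy-demo";

    // Issue a container-level service SAS that carries no permissions or expiry of its own.
    // Both are inherited from the stored access policy named by Identifier, so they can be
    // tightened or withdrawn server-side later without re-issuing the token.
    static Uri IssueSasBoundToPolicy(BlobContainerClient containerClient)
    {
        // GenerateSasUri signs with the account key, so the client must have been built
        // from a connection string containing that key (Shared Key), not Azure AD.
        if (!containerClient.CanGenerateSasUri)
            throw new InvalidOperationException("Client was not constructed with Shared Key credentials.");

        var builder = new BlobSasBuilder
        {
            BlobContainerName = containerClient.Name,
            Resource = "c",          // "c": the SAS applies to the container
            Identifier = PolicyId    // bind the SAS to the stored access policy
        };
        return containerClient.GenerateSasUri(builder);
    }

    // Revoke every SAS bound to the policy by rewriting the container ACL without it.
    // Set Container ACL replaces the whole list, so read the current list first and keep
    // any other policies intact.
    static async Task RevokePolicyAsync(BlobContainerClient containerClient)
    {
        BlobContainerAccessPolicy current = await containerClient.GetAccessPolicyAsync();
        List<BlobSignedIdentifier> remaining = current.SignedIdentifiers
            .Where(id => id.Id != PolicyId)
            .ToList();
        await containerClient.SetAccessPolicyAsync(permissions: remaining);
    }

    // Defender-side check: a SAS whose identifier no longer exists on the container is
    // rejected by the service with HTTP 403. Returns true when the token is indeed dead.
    static async Task<bool> SasIsRejectedAsync(Uri sasUri)
    {
        var sasClient = new BlobContainerClient(sasUri);
        try
        {
            await foreach (BlobItem _ in sasClient.GetBlobsAsync()) { }
            return false; // listing succeeded, so the SAS is still honoured
        }
        catch (RequestFailedException e) when (e.Status == 403)
        {
            return true;
        }
    }

    static async Task Main()
    {
        string connectionString = Environment.GetEnvironmentVariable("AZURE_STORAGE_CONNECTION_STRING");
        var containerClient = new BlobContainerClient(connectionString, ContainerName);
        await containerClient.CreateIfNotExistsAsync();

        // Install the policy (same shape as the sample above), then issue a SAS against it.
        await containerClient.SetAccessPolicyAsync(permissions: new[]
        {
            new BlobSignedIdentifier
            {
                Id = PolicyId,
                AccessPolicy = new BlobAccessPolicy
                {
                    StartsOn = DateTimeOffset.UtcNow.AddHours(-1),
                    ExpiresOn = DateTimeOffset.UtcNow.AddDays(1),
                    Permissions = "rl"   // read + list, enough for the check below
                }
            }
        });
        Uri sasUri = IssueSasBoundToPolicy(containerClient);
        Console.WriteLine($"SAS rejected before revocation: {await SasIsRejectedAsync(sasUri)}");

        await RevokePolicyAsync(containerClient);
        Console.WriteLine($"SAS rejected after revocation:  {await SasIsRejectedAsync(sasUri)}");

        await containerClient.DeleteAsync(); // demo clean-up
    }
}
```

Because the SAS token itself contains only the signed identifier and the signature, nothing the holder possesses tells them the new expiry or permissions; the service consults the policy on every request. This is also why a container may hold at most a handful of stored access policies and why revocation is an ACL write rather than a key rotation: the account key stays valid for every other SAS.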

See also