Choose how to authorize access to queue data in the Azure portal

When you access queue data using the Azure portal, the portal makes requests to Azure Storage under the covers. A request to Azure Storage can be authorized using either your Azure AD account or the storage account access key. The portal indicates which method you are using, and enables you to switch between the two if you have the appropriate permissions.

Permissions needed to access queue data

Depending on how you want to authorize access to queue data in the Azure portal, you'll need specific permissions. In most cases, these permissions are provided via Azure role-based access control (Azure RBAC). For more information about Azure RBAC, see What is Azure role-based access control (Azure RBAC)?

Use the account access key

To access queue data with the account access key, you must have an Azure role assigned to you that includes the Azure RBAC action Microsoft.Storage/storageAccounts/listkeys/action. This Azure role may be a built-in or a custom role. Built-in roles that support Microsoft.Storage/storageAccounts/listkeys/action include:

When you attempt to access queue data in the Azure portal, the portal first checks whether you have been assigned a role with Microsoft.Storage/storageAccounts/listkeys/action. If you have been assigned a role with this action, then the portal uses the account key for accessing queue data. If you have not been assigned a role with this action, then the portal attempts to access data using your Azure AD account.

Note

The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager Owner role. The Owner role includes all actions, including Microsoft.Storage/storageAccounts/listkeys/action, so a user with one of these administrative roles can also access queue data with the account key. For more information, see Classic subscription administrator roles, Azure roles, and Azure AD administrator roles.

Use your Azure AD account

To access queue data from the Azure portal using your Azure AD account, both of the following statements must be true for you:

  • You have been assigned the Azure Resource Manager Reader role, at a minimum, scoped to the level of the storage account or higher. The Reader role grants the most restricted permissions, but another Azure Resource Manager role that grants access to storage account management resources is also acceptable.
  • You have been assigned either a built-in or custom role that provides access to queue data.

The Reader role assignment, or another Azure Resource Manager role assignment, is necessary so that the user can view and navigate storage account management resources in the Azure portal. The Azure roles that grant access to queue data do not grant access to storage account management resources. To access queue data in the portal, the user needs permissions to navigate storage account resources. For more information about this requirement, see Assign the Reader role for portal access.

The built-in roles that support access to your queue data include:

Custom roles can support different combinations of the same permissions provided by the built-in roles. For more information about creating Azure custom roles, see Azure custom roles and Understand role definitions for Azure resources.

Listing queues with a classic subscription administrator role is not supported. To list queues, a user must be assigned the Azure Resource Manager Reader role, the Storage Queue Data Reader role, or the Storage Queue Data Contributor role.
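The decision the portal makes above (listkeys/action first, otherwise an ARM role that can navigate the account plus a queue data role, both evaluated against assignment scope) can be modelled as a small checker. This is an added example, not Microsoft's code: the role catalogue, resource IDs and the queue data action string are constructed for the demo, and real RBAC evaluation also applies NotActions, deny assignments and conditions that this model ignores.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

LISTKEYS = "Microsoft.Storage/storageAccounts/listkeys/action"
ACCOUNT_READ = "Microsoft.Storage/storageAccounts/read"  # management-plane read: lets the user navigate the account
# Assumed data-plane action name (not quoted on the page); the logic only needs some queue data action.
QUEUE_READ = "Microsoft.Storage/storageAccounts/queueServices/queues/read"

@dataclass
class Role:
    actions: list = field(default_factory=list)       # management plane (Actions)
    data_actions: list = field(default_factory=list)  # data plane (DataActions)

# Constructed role catalogue. Owner ("*") and Reader ("*/read") follow the real built-in patterns;
# the two queue data roles are condensed to the single data action this demo checks.
ROLES = {
    "Owner": Role(actions=["*"]),
    "Reader": Role(actions=["*/read"]),
    "Storage Queue Data Reader": Role(data_actions=[QUEUE_READ]),
    "Storage Queue Data Contributor": Role(data_actions=[QUEUE_READ]),
}

def _allows(patterns, action):
    # RBAC action strings are case-insensitive and '*' spans '/' segments; fnmatchcase behaves the same.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _in_scope(scope, resource_id):
    # An assignment applies to the resource at its scope and to everything beneath it.
    s, r = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def portal_auth_method(assignments, account_id):
    """assignments: list of (role_name, scope). Returns the method the portal would pick.
    Simplified model: ignores NotActions, deny assignments and ABAC conditions."""
    active = [ROLES[name] for name, scope in assignments if _in_scope(scope, account_id)]
    # Step 1: any in-scope role carrying listkeys/action makes the portal use the account key.
    if any(_allows(r.actions, LISTKEYS) for r in active):
        return "Access Key"
    # Step 2: otherwise the user needs both an ARM role that can navigate the account and a queue data role.
    can_navigate = any(_allows(r.actions, ACCOUNT_READ) for r in active)
    can_read_queues = any(_allows(r.data_actions, QUEUE_READ) for r in active)
    if can_navigate and can_read_queues:
        return "Azure AD User Account"
    return "No queue access"

# Constructed resource IDs with a placeholder subscription GUID.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
ACCT = RG + "/providers/Microsoft.Storage/storageAccounts/stdemo"
```

Calling portal_auth_method with Reader on the resource group plus Storage Queue Data Reader on the account yields "Azure AD User Account", while the data role alone yields no access, matching the two-condition rule above.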

Important

The preview version of Storage Explorer in the Azure portal does not support using Azure AD credentials to view and modify queue data. Storage Explorer in the Azure portal always uses the account keys to access data. To use Storage Explorer in the Azure portal, you must be assigned a role that includes Microsoft.Storage/storageAccounts/listkeys/action.

To view queue data in the portal, navigate to the Overview for your storage account, and click on the links for Queues. Alternatively, you can navigate to the Queue service section in the menu.

Screenshot showing how to navigate to queue data in the Azure portal

Determine the current authentication method

When you navigate to a queue, the Azure portal indicates whether you are currently using the account access key or your Azure AD account to authenticate.

Authenticate with the account access key

If you are authenticating using the account access key, you'll see Access Key specified as the authentication method in the portal:

Screenshot showing that the user is currently accessing queues with the account key

To switch to using your Azure AD account, click the link highlighted in the image. If you have the appropriate permissions via the Azure roles that are assigned to you, you'll be able to proceed. However, if you lack the right permissions, you'll see an error message like the following one:

Error shown when access with the Azure AD account is not supported

Notice that no queues appear in the list if your Azure AD account lacks permissions to view them. Click on the Switch to access key link to use the access key for authentication again.

Authenticate with your Azure AD account

If you are authenticating using your Azure AD account, you'll see Azure AD User Account specified as the authentication method in the portal:

Screenshot showing that the user is currently accessing queues with Azure AD

To switch to using the account access key, click the link highlighted in the image. If you have access to the account key, then you'll be able to proceed. However, if you lack access to the account key, the Azure portal displays an error message.

Queues are not listed in the portal if you do not have access to the account keys. Click on the Switch to Azure AD User Account link to use your Azure AD account for authentication again.

Next steps