Run PowerShell commands with Azure AD credentials to access queue data

Azure Storage provides extensions for PowerShell that enable you to sign in and run scripting commands with Azure Active Directory (Azure AD) credentials. When you sign in to PowerShell with Azure AD credentials, an OAuth 2.0 access token is returned. That token is automatically used by PowerShell to authorize subsequent data operations against Queue Storage. For supported operations, you no longer need to pass an account key or SAS token with the command.

You can assign permissions to queue data to an Azure AD security principal via Azure role-based access control (Azure RBAC). For more information about Azure roles in Azure Storage, see Manage access rights to Azure Storage data with Azure RBAC.

Supported operations

The Azure Storage extensions are supported for operations on queue data. Which operations you may call depends on the permissions granted to the Azure AD security principal with which you sign in to PowerShell. Permissions to queues are assigned via Azure RBAC. For example, if you have been assigned the Queue Data Reader role, then you can run scripting commands that read data from a queue. If you have been assigned the Queue Data Contributor role, then you can run scripting commands that read, write, or delete a queue or the data it contains.

For details about the permissions required for each Azure Storage operation on a queue, see Call storage operations with OAuth tokens.

Important

When a storage account is locked with an Azure Resource Manager ReadOnly lock, the List Keys operation is not permitted for that storage account. List Keys is a POST operation, and all POST operations are prevented when a ReadOnly lock is configured for the account. For this reason, when the account is locked with a ReadOnly lock, users who do not already possess the account keys must use Azure AD credentials to access queue data. In PowerShell, include the -UseConnectedAccount parameter to create an AzureStorageContext object with your Azure AD credentials.

Call PowerShell commands using Azure AD credentials

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

To use Azure PowerShell to sign in and run subsequent operations against Azure Storage using Azure AD credentials, create a storage context to reference the storage account, and include the -UseConnectedAccount parameter.

The following example shows how to create a queue in a new storage account from Azure PowerShell using your Azure AD credentials. Remember to replace placeholder values in angle brackets with your own values:

  1. Sign in to your Azure account with the Connect-AzAccount command:

    Connect-AzAccount -Environment AzureChinaCloud
    

    For more information about signing in to Azure with PowerShell, see Sign in with Azure PowerShell.

  2. Create an Azure resource group by calling New-AzResourceGroup.

    $resourceGroup = "sample-resource-group-ps"
    $location = "chinaeast2"
    New-AzResourceGroup -Name $resourceGroup -Location $location
    
  3. Create a storage account by calling New-AzStorageAccount.

    $storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroup `
      -Name "<storage-account>" `
      -SkuName Standard_LRS `
      -Location $location
    
  4. Get the storage account context that specifies the new storage account by calling New-AzStorageContext. When acting on a storage account, you can reference the context instead of repeatedly passing in the credentials. Include the -UseConnectedAccount parameter to call any subsequent data operations using your Azure AD credentials:

    $ctx = New-AzStorageContext -StorageAccountName "<storage-account>" -UseConnectedAccount
    
  5. Before you create the queue, assign the Storage Queue Data Contributor role to yourself. Even though you are the account owner, you need explicit permissions to perform data operations against the storage account. For more information about assigning Azure roles, see Use the Azure portal to assign an Azure role for access to blob and queue data.

    Important

    Azure role assignments may take a few minutes to propagate.

  6. Create a queue by calling New-AzStorageQueue. Because this call uses the context created in the previous steps, the queue is created using your Azure AD credentials.

    $queueName = "sample-queue"
    New-AzStorageQueue -Name $queueName -Context $ctx
    
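The script below is an added example, not part of the Azure documentation, that ties steps 4 to 6 together: it scopes the Storage Queue Data Contributor assignment to the single storage account, builds the context with -UseConnectedAccount so no account key is ever fetched, and retries the queue creation while the role assignment propagates. It assumes Connect-AzAccount has already run, that the signed-in identity is a user (so (Get-AzContext).Account.Id is its UPN), and that $resourceGroup and the <storage-account> placeholder are yours.

```powershell
# Added example (not from the Azure docs). Assumes Connect-AzAccount has already run.
$accountName = "<storage-account>"   # placeholder: replace with your storage account name
$queueName   = "sample-queue"
$roleName    = "Storage Queue Data Contributor"

# Resolve the storage account so the role can be scoped to this one resource only.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $accountName
$upn     = (Get-AzContext).Account.Id   # assumption: signed-in identity is a user, Id is its UPN

# Grant the data-plane role only if it is not already present (idempotent, least privilege).
$existing = Get-AzRoleAssignment -SignInName $upn -RoleDefinitionName $roleName -Scope $account.Id
if (-not $existing) {
    New-AzRoleAssignment -SignInName $upn -RoleDefinitionName $roleName -Scope $account.Id | Out-Null
    Write-Host "Assigned '$roleName' on $($account.Id)"
}

# The context carries the Azure AD OAuth token; List Keys is never called,
# so this also works on accounts protected by a ReadOnly lock.
$ctx = New-AzStorageContext -StorageAccountName $accountName -UseConnectedAccount

# Role assignments can take a few minutes to propagate: retry on authorization
# failures (HTTP 403 / AuthorizationPermissionMismatch), rethrow anything else.
$attempt = 0
while ($true) {
    try {
        New-AzStorageQueue -Name $queueName -Context $ctx -ErrorAction Stop | Out-Null
        Write-Host "Queue '$queueName' created using Azure AD credentials."
        break
    } catch {
        if ($_.Exception.Message -notmatch 'AuthorizationPermissionMismatch|403') { throw }
        $attempt++
        if ($attempt -ge 6) { throw }   # give up after roughly three minutes
        Write-Host "Role not yet effective (attempt $attempt); waiting 30 seconds..."
        Start-Sleep -Seconds 30
    }
}
```

Because the context never holds a key, revoking the role assignment is enough to cut off this script's data access; there is no shared secret to rotate afterwards.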

Next steps