我是Azure的新手,在Azure中学习技术。
存储帐户身份验证: - 存储访问密钥共享访问签名(SAS)
在SAS中,我看到SAS有两种类型,例如Account和Service SAS。
我在Azure门户中生成了SAS令牌。 请参考这里
如何使用SAS令牌,Blob服务SAS URL,文件服务SAS URL,表服务SAS URL,队列服务SAS URL?
我无法通过上面的屏幕截图了解我在哪里可以找到或如何生成或使用帐户和服务SAS。
请举例说明一下。
I am new to Azure and learning the technologies in Azure.
Storage Account Authentications:- Storage Access Keys Shared Access Signature (SAS)
In SAS, I see there are 2 types for SAS such as Account and Service SAS.
I have generated SAS token in Azure Portal. Refer here
How can I use SAS token, Blob service SAS URL, File service SAS URL, Table service SAS URL, Queue service SAS URL ?
I am not able to understand where I can find or how do I generate or use Account and Service SAS by above screen shot.
Kindly provide me example to understand it.
最满意答案
Azure存储帐户有两种形式:标准帐户,提供对Azure存储服务的访问,例如表,队列,文件,blob和磁盘; 和blob存储帐户,它们针对blob存储进行了优化。 但无论您选择哪种帐户类型,都会使用主密钥授予管理员权限。
但是,如果您想授予有限或临时访问权限,那么放弃存储帐户密钥并不是最好的选择。 为解决此问题,Azure使用共享访问签名(SAS)安全地委派对存储中对象的访问。 共享访问签名是统一资源标识符(URI),其中包括有关要授予访问权限的资源的所有信息,以及令牌形式的相关权限。
更多SAS用例请参考此链接 。
@Gaurav Mantri说,你也可以从链接中学习。
您可以从Azure门户获取SAS。
更新:
从版本2015-04-05开始,Azure存储支持两种类型的共享访问签名(SAS):
本主题中描述的服务级SAS。 服务SAS仅在一个存储服务中委派对资源的访问:Blob,Queue,Table或File服务。
2015-04-05版本中引入的帐户级SAS。 帐户SAS委派对一个或多个存储服务中的资源的访问权限。 通过服务SAS提供的所有操作也可通过帐户SAS获得。
更多信息请参考此链接 。
@Karan
对于帐户级别SAS,单击所有允许的服务和资源类型。 由您决定他们拥有哪些权限以及何时希望SAS工作和过期。
要创建服务级别SAS,您只需取消选择您不想要的允许服务。 例如,如果我想创建Blob服务SAS,我会选择Blob ..
要通过使用您生成的令牌来理解差异,只需尝试访问/更新SAS令牌中不允许的内容[允许所有内容(帐户SAS)与仅允许一个(服务SAS)服务和资源]
Azure storage accounts come in two flavors: standard accounts, which provide access to Azure Storage services such as tables, queues, files, blobs, and disks; and blob storage accounts, which are optimized for blob storage. But whichever account type you choose, a master key is used to grant administrative access.
But if you want to grant limited or temporary access, giving away your storage account key isn’t the best idea. To solve this problem, Azure uses Shared Access Signatures (SAS) for safely delegating access to objects in storage. A Shared Access Signature is a Uniform Resource Identifier (URI) that includes all the information about the resources to which you want to grant access, and relevant permissions in the form of a token.
More SAS Use Cases please refer to this link.
@Gaurav Mantri said, you also could learn from the link.
You could get SAS from Azure Portal.
Update:
Beginning with version 2015-04-05, Azure Storage supports two types of shared access signatures (SAS):
A service-level SAS, described in this topic. The service SAS delegates access to a resource in just one of the storage services: the Blob, Queue, Table, or File service.
An account-level SAS, introduced with version 2015-04-05. The account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service SAS are also available via an account SAS.
More information please refer to this link.
@Karan
For an Account level SAS click all the allowed services & resource types. It is up to you decide what permissions they have and when you want the SAS to work and expire.
To create a Service Level SAS you would just deselect the Allowed Services you don’t want. For instance if I wanted to create a Blob Service SAS I would just select Blob..
To understand the diff by the using the token you have generated, simply try accessing/updating something which you have NOT allowed in your SAS token [allow everything (Account SAS) vs allow only one (Service SAS) service &resource]
更多推荐
发布评论