更新答案:
既然你有多个集装箱,帐户SAS是一个不错的选择。你需要一个管理员和一个用户。
这里的管理员SAS如何创建一个实例:
// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
// SAS for Blob service only.
Services = SharedAccessAccountServices.Blob,
// Admin has read, write, list, and delete permissions on all containers.
// In order to write blobs, Object resource type must also be specified.
ResourceTypes = SharedAccessAccountResourceTypes.Container | SharedAccessAccountResourceTypes.Object,
Permissions = SharedAccessAccountPermissions.Read |
SharedAccessAccountPermissions.Write |
SharedAccessAccountPermissions.Create |
SharedAccessAccountPermissions.List |
SharedAccessAccountPermissions.Delete,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Protocols = SharedAccessProtocol.HttpsOnly
};
而这里的用户SAS如何创建一个实例:
// Create a new access policy for the account.
SharedAccessAccountPolicy policy = new SharedAccessAccountPolicy()
{
// SAS for Blob service only.
Services = SharedAccessAccountServices.Blob,
// User has create, read, write, and delete permissions on blobs.
ResourceTypes = SharedAccessAccountResourceTypes.Object,
Permissions = SharedAccessAccountPermissions.Read |
SharedAccessAccountPermissions.Write |
SharedAccessAccountPermissions.Create |
SharedAccessAccountPermissions.Delete,
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Protocols = SharedAccessProtocol.HttpsOnly
};
原来的答复:
你肯定需要为管理SAS使用一个帐户SAS,但是您应该能够在容器上为用户SAS使用服务SAS,除非您需要一个帐户SAS,从你的问题中解脱出来。尽可能使用服务SAS可能会更好,以便您可以使用最简单的权限。另外,您可以在服务SAS中使用存储的访问策略,我们建议将其作为最佳实践,以便在SAS损坏时很容易撤消它。
使用服务SAS,您不需要限制容器创建的权限,因为服务SAS不允许您首先创建容器。
这里的代码容器,包括存储的访问策略上创建服务SAS:
// Create the storage account with the connection string.
CloudStorageAccount storageAccount = CloudStorageAccount.Parse(CloudConfigurationManager.GetSetting("StorageConnectionString"));
// Create the blob client object.
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
// Get a reference to the container for which shared access signature will be created.
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();
// Create blob container permissions, consisting of a shared access policy
// and a public access setting.
BlobContainerPermissions containerPermissions = container.GetPermissions();
// Clear the container's shared access policies to avoid naming conflicts if you run this method more than once.
//blobPermissions.SharedAccessPolicies.Clear();
// The shared access policy provides
// read/write access to the container for 24 hours.
containerPermissions.SharedAccessPolicies.Add("mypolicy", new SharedAccessBlobPolicy()
{
// To ensure SAS is valid immediately, don’t set start time.
// This way, you can avoid failures caused by small clock differences.
// Note that the Create permission allows the user to create a new blob, as does Write.
SharedAccessExpiryTime = DateTime.UtcNow.AddHours(24),
Permissions = SharedAccessBlobPermissions.Write |
SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Create | SharedAccessBlobPermissions.Delete
});
// The public access setting explicitly specifies that
// the container is private, so that it can't be accessed anonymously.
containerPermissions.PublicAccess = BlobContainerPublicAccessType.Off;
// Set the permission policy on the container.
container.SetPermissions(containerPermissions);
// Get the shared access signature to share with users.
string sasToken =
container.GetSharedAccessSignature(null, "mypolicy");
看看这里显示的例子:https://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/#examples-create-and-use-shared-access-signatures。
另见https://msdn.microsoft.com/en-us/library/azure/dn140255.aspx和https://msdn.microsoft.com/en-us/library/azure/mt584140.aspx。
让我们知道您是否有任何其他问题。
您是否还可以在帐户SAS中包含您希望拥有的权限? –
我有两个webapi管理员和一个普通用户。 我有一个存储帐户,可以为许多用户包含许多不同的容器,即每个用户都有一个容器。我需要以下权限: 权限管理:创建,删除容器 \t \t \t \t \t列表斑点在容器 \t \t \t \t \t 权限的用户:读,写,删除斑点各自的容器, 限制容器创建 \t \t \t \t \t \t \t \t \t \t 我试着创建两个单独的帐户SAS来实现上述目的?这是正确的方法吗? –