How to revoke Shared Access Signature in Azure SDK


Question

I could not find any code sample for revoking the created Shared Access Signature access on blob, can anyone provide me link or reference for removing the Shared Access Signature access created earlier.

Recommended answer

Even if shared access signature (SAS) is based on a stored access policy (SAP), you can only revoke SAP, not individual SAS.

Azure Storage security guide has good details: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide#revocation

SAS not based on SAP - can't be revoked:

If you are using ad hoc URIs, you have three options. You can issue SAS tokens with short expiration policies and wait for the SAS to expire. You can rename or delete the resource (assuming the token was scoped to a single object). You can change the storage account keys. This last option can have a significant impact, depending on how many services are using that storage account, and probably isn't something you want to do without some planning.

SAS based on SAP - can be revoked by revoking SAP:

If you are using a SAS derived from a Stored Access Policy, you can remove access by revoking the Stored Access Policy – you can just change it so it has already expired, or you can remove it altogether. This takes effect immediately, and invalidates every SAS created using that Stored Access Policy. Updating or removing the Stored Access Policy may impact people accessing that specific container, file share, table, or queue via SAS, but if the clients are written so they request a new SAS when the old one becomes invalid, this will work fine.

Best practice:

Because using a SAS derived from a Stored Access Policy gives you the ability to revoke that SAS immediately, it is the recommended best practice to always use Stored Access Policies when possible.
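
The revocation behaviour described in the answer above, as an added example that is not part of the original answer and is not Azure SDK code. It is a simplified offline model of how a storage service checks a SAS; the class `ToyAccount`, the token fields as laid out here, the keys and the signing layout are assumptions made for illustration and do not reproduce Azure's real string-to-sign.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

def _sign(key, *fields):
    mac = hmac.new(key, "\n".join(fields).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

class ToyAccount:
    """Simplified model of SAS checking; NOT Azure's real string-to-sign."""
    def __init__(self, key):
        self.key = key
        self.policies = {}  # (container, policy_id) -> expiry, held server-side

    def adhoc_sas(self, container, expiry):
        # Ad hoc SAS: the expiry travels inside the signed token itself.
        se = expiry.isoformat()
        return {"sr": container, "se": se, "sig": _sign(self.key, container, se, "")}

    def policy_sas(self, container, policy_id):
        # Policy-based SAS: the token only names the stored access policy.
        return {"sr": container, "si": policy_id,
                "sig": _sign(self.key, container, "", policy_id)}

    def authorize(self, tok, now):
        want = _sign(self.key, tok["sr"], tok.get("se", ""), tok.get("si", ""))
        if not hmac.compare_digest(want, tok["sig"]):
            return False  # signed with a key that is no longer current
        if "si" in tok:
            expiry = self.policies.get((tok["sr"], tok["si"]))
            if expiry is None:
                return False  # policy deleted: every SAS naming it fails
        else:
            expiry = datetime.fromisoformat(tok["se"])
        return now < expiry

def demo():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock
    acct = ToyAccount(b"constructed-key-1")           # constructed key
    acct.policies[("docs", "readers")] = now + timedelta(days=7)
    via_policy = acct.policy_sas("docs", "readers")
    adhoc = acct.adhoc_sas("docs", now + timedelta(days=7))
    check = lambda: (acct.authorize(via_policy, now), acct.authorize(adhoc, now))
    before = check()
    acct.policies[("docs", "readers")] = now - timedelta(seconds=1)  # expire policy
    after_expire = check()
    del acct.policies[("docs", "readers")]                           # delete policy
    after_delete = check()
    acct.key = b"constructed-key-2"                                  # rotate key
    after_rotate = check()
    return before, after_expire, after_delete, after_rotate
```

Each pair returned by `demo()` is (policy-based SAS accepted, ad hoc SAS accepted): changing or deleting the policy cuts off only the policy-based token, while the ad hoc token keeps working until the account key is rotated.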
