你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
本文介绍管理存储任务分配所需的最低特权内置 Azure 角色或 RBAC 操作。
管理存储任务分配的权限
若要创建分配,你的标识必须拥有存储 Blob 数据所有者角色,或包含以下 RBAC 操作的自定义角色:
- Microsoft.Authorization/roleAssignments/write
- Microsoft.Authorization/roleAssignments/delete
- Microsoft.Storage/storageAccounts/reports/read
- Microsoft.Storage/storageAccounts/read
- Microsoft.Storage/storageAccounts/blobServices/read
- Microsoft.Storage/storageAccounts/storageTaskAssignments/read
- Microsoft.Storage/storageAccounts/storageTaskAssignments/write
- Microsoft.Storage/storageAccounts/storageTaskAssignments/delete
- Microsoft.Storage/storageAccounts/storageTaskAssignments/reports/read
若要了解如何创建自定义角色的说明,请参阅 Azure 自定义角色。
任务执行操作的权限
创建分配时,必须选择具有对目标存储帐户或存储帐户容器执行指定作所需的权限的 Azure 内置或自定义角色。 该角色将分配给存储任务的托管标识。 只能选择分配给用户标识的角色。
存储 Blob 数据所有者角色提供执行存储任务所有数据操作所需的全部权限。 如果想要使用自定义角色,必须确保角色包含执行操作所需的 RBAC 操作。 下表显示了每个操作所需的 RBAC 操作。
| 许可 | 自定义角色的 RBAC 操作 |
|---|---|
| SetBlobTier | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write |
| SetBlobExpiry | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write |
| SetBlobTags | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write |
| SetBlobImmutabilityPolicy | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write Microsoft.Storage/storageAccounts/blobServices/containers/write |
| SetBlobLegalHold | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write Microsoft.Storage/storageAccounts/blobServices/containers/write |
| 删除Blob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete |
| UndeleteBlob | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write Microsoft.Storage/storageAccounts/blobServices/containers/write |