User delegation key vs account key - security?


In Microsoft's user delegation key documentation, it says:

A SAS token for access to a container, directory, or blob may be secured by using either Azure AD credentials or an account key. A SAS secured with Azure AD credentials is called a user delegation SAS. Microsoft recommends that you use Azure AD credentials when possible as a security best practice, rather than using the account key, which can be more easily compromised. When your application design requires shared access signatures, use Azure AD credentials to create a user delegation SAS for superior security.

Why does this approach provide "superior security"? I would think SAS tokens are all secure? So why is one method more secure than the other? If you use a stored access policy, you can also revoke SAS tokens when there is a problem with the account key.

A user delegation SAS token is more secure because it does not rely solely on the permissions included in the SAS token. It also takes into account the RBAC permissions of the user who created the SAS token. A SAS token created with a shared access key only considers the permissions included in the SAS token.

For example, suppose the user creating the user delegation SAS has only Read permission on a blob container (i.e., they can only list or download the blobs in that container). Now suppose the user creates a SAS token with Write permission. When this SAS token is used to upload a blob, the operation will fail because the user does not have Write permission on that blob container, whereas if the SAS token had been created with a shared access key, the upload would succeed.

More information about this can be found here (emphasis mine):

When a client accesses a Blob storage resource with a user delegation SAS, the request to Azure Storage is authorized with the Azure AD credentials that were used to create the SAS. The role-based access control (RBAC) permissions granted for that Azure AD account, together with the permissions explicitly granted on the SAS, determine the client's access to the resource. This approach provides an additional level of security and avoids the need to store your account access key with your application code. For these reasons, creating a SAS using Azure AD credentials is a security best practice.

The permissions granted to a client who possesses the SAS are the intersection of the permissions granted to the security principal that requested the user delegation key and the permissions granted to the resource on the SAS token using the signedPermissions (sp) field. If a permission granted to the security principal via RBAC is not also granted on the SAS token, then that permission is not granted to the client who attempts to use the SAS to access the resource. When creating a user delegation SAS, make sure that the permissions granted via RBAC and the permissions granted via the SAS token both align to the level of access required by the client.
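The intersection rule in the quoted paragraph, and the Read-only-user-creates-a-Write-SAS scenario from the answer, can be modelled in a few lines. The following is an added example, not code from the answer or from Microsoft's SDK: it parses the `sp` field of a SAS query string and computes the permissions a client actually ends up with under each signing method. The role-to-permission table, the constructed SAS query string (with a placeholder `sig`), and the `is_allowed` helper are assumptions made for the example; it performs no signature checking and makes no calls to Azure.

```python
"""Model of how Azure Storage scopes the permissions carried by a SAS token.

Added example (not from the original post or the Azure SDK). The role table
and the authorization helper are simplifications of the rule quoted above:
  account-key SAS      -> effective permissions = sp field of the SAS
  user delegation SAS  -> effective permissions = sp field AND signer's RBAC
"""
from urllib.parse import parse_qs

# Subset of SAS 'sp' (signedPermissions) letters used in this example.
SAS_PERMISSION_LETTERS = {
    "r": "read", "a": "add", "c": "create",
    "w": "write", "d": "delete", "l": "list",
}

# Simplified RBAC model (assumption for this example): the data-plane
# permissions a built-in role is treated as granting on a container.
ROLE_PERMISSIONS = {
    "Storage Blob Data Reader": {"r", "l"},
    "Storage Blob Data Contributor": {"r", "a", "c", "w", "d", "l"},
}

# Constructed SAS query string; 'sig' is a placeholder, not a real signature.
CONSTRUCTED_SAS = (
    "?sp=rw&st=2024-01-01T00:00:00Z&se=2024-01-02T00:00:00Z"
    "&sv=2022-11-02&sr=c&sig=PLACEHOLDER_SIGNATURE"
)


def parse_sas_permissions(sas_query: str) -> set:
    """Return the permission letters in the sp= field of a SAS query string."""
    fields = parse_qs(sas_query.lstrip("?"))
    sp = fields.get("sp", [""])[0]
    unknown = set(sp) - SAS_PERMISSION_LETTERS.keys()
    if unknown:
        raise ValueError(f"unsupported permission letters: {sorted(unknown)}")
    return set(sp)


def effective_permissions(sas_permissions, signer_permissions, user_delegation):
    """Permissions the SAS holder actually gets.

    With a user delegation SAS the result is the intersection of the SAS
    permissions and the signing identity's RBAC permissions; with an
    account-key SAS the signer's RBAC plays no part.
    """
    if user_delegation:
        return set(sas_permissions) & set(signer_permissions)
    return set(sas_permissions)


def is_allowed(operation, sas_query, signer_roles, user_delegation):
    """Would 'operation' (e.g. 'write' for an upload) be authorized?"""
    letter = {name: l for l, name in SAS_PERMISSION_LETTERS.items()}[operation]
    signer = set()
    for role in signer_roles:
        signer |= ROLE_PERMISSIONS[role]
    granted = effective_permissions(
        parse_sas_permissions(sas_query), signer, user_delegation)
    return letter in granted


if __name__ == "__main__":
    # The answer's scenario: a Read-only user signs a SAS with sp=rw.
    for delegated in (False, True):
        kind = "user delegation SAS" if delegated else "account-key SAS"
        ok = is_allowed("write", CONSTRUCTED_SAS,
                        ["Storage Blob Data Reader"], delegated)
        print(f"{kind}: upload {'allowed' if ok else 'denied'}")
```

Run as a script, the account-key SAS allows the upload while the user delegation SAS denies it, which is exactly the difference the answer describes. The last branch of the rule also holds: a Contributor who signs a SAS without `l` does not hand out list permission, because RBAC alone never widens a user delegation SAS.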