How managed identities for Azure resources work with Azure virtual machines

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you learn how managed identities work with Azure virtual machines (VMs).

How it works

Internally, managed identities are service principals of a special type, which can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed. Also, when a user-assigned or system-assigned identity is created, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity.

Your code can use a managed identity to request access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance.

The following diagram shows how managed service identities work with Azure virtual machines (VMs):

[Diagram: Managed service identities and Azure VM]

Property: Creation
  System-assigned managed identity: Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service).
  User-assigned managed identity: Created as a stand-alone Azure resource.

Property: Life cycle
  System-assigned managed identity: Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.
  User-assigned managed identity: Independent life cycle. Must be explicitly deleted.

Property: Sharing across Azure resources
  System-assigned managed identity: Cannot be shared. It can only be associated with a single Azure resource.
  User-assigned managed identity: Can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.

Property: Common use cases
  System-assigned managed identity: Workloads that are contained within a single Azure resource. Workloads for which you need independent identities. For example, an application that runs on a single virtual machine.
  User-assigned managed identity: Workloads that run on multiple resources and which can share a single identity. Workloads that need pre-authorization to a secure resource as part of a provisioning flow. Workloads where resources are recycled frequently, but permissions should stay consistent. For example, a workload where multiple virtual machines need to access the same resource.

System-assigned managed identity

  1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM.

  2. Azure Resource Manager creates a service principal in Azure AD for the identity of the VM. The service principal is created in the Azure AD tenant that's trusted by the subscription.

  3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.

  4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use Azure role-based access control (Azure RBAC) to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.

  5. Your code that's running on the VM can request a token from the Azure Instance Metadata Service endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token

    • The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use resource=https://management.chinacloudapi.cn/.
    • The API version parameter specifies the IMDS version; use api-version=2018-02-01 or later.
  6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.

  7. Your code sends the access token on a call to a service that supports Azure AD authentication.

User-assigned managed identity

  1. Azure Resource Manager receives a request to create a user-assigned managed identity.

  2. Azure Resource Manager creates a service principal in Azure AD for the user-assigned managed identity. The service principal is created in the Azure AD tenant that's trusted by the subscription.

  3. Azure Resource Manager receives a request to configure the user-assigned managed identity on a VM and updates the Azure Instance Metadata Service identity endpoint with the user-assigned managed identity service principal client ID and certificate.

  4. After the user-assigned managed identity is created, use the service principal information to grant the identity access to Azure resources. To call Azure Resource Manager, use Azure RBAC to assign the appropriate role to the service principal of the user-assigned identity. To call Key Vault, grant your code access to the specific secret or key in Key Vault.

    Note

    You can also do this step before step 3.

  5. Your code that's running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token

    • The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use resource=https://management.chinacloudapi.cn/.
    • The client ID parameter specifies the identity for which the token is requested. This value is required for disambiguation when more than one user-assigned identity is on a single VM.
    • The API version parameter specifies the Azure Instance Metadata Service version. Use api-version=2018-02-01 or higher.
  6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.

  7. Your code sends the access token on a call to a service that supports Azure AD authentication.
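The token request of step 5 in both procedures (system-assigned and user-assigned), as an added example that is not code from the page or from Microsoft: it builds the IMDS request with the resource, api-version and optional client_id parameters, parses the JSON reply, and checks that the token's aud claim matches the requested resource before the token is sent anywhere. It assumes the Metadata: true request header that IMDS requires (not mentioned on this page), the access_token and expires_on reply fields, and a constructed, unsigned sample token standing in for a real reply.

```python
import base64
import json
import urllib.parse
import urllib.request

# Endpoint from the page; it is reachable only from inside the VM.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
ARM_RESOURCE = "https://management.chinacloudapi.cn/"


def build_token_request(resource, client_id=None, api_version="2018-02-01"):
    """Return (url, headers) for an IMDS token request.
    client_id is only needed when several user-assigned identities are on the VM.
    The Metadata: true header is required by IMDS (assumption: not on this page);
    it stops the request from being satisfied by a forwarding proxy."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}


def parse_token_response(body):
    """Extract the bearer token and its expiry (epoch seconds) from the IMDS JSON reply."""
    data = json.loads(body)
    return data["access_token"], int(data["expires_on"])


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature; the called service
    verifies it. Used here only to inspect the audience before the token is used."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_resource(token, resource):
    """True when the token was issued for the resource we asked for (step 5)."""
    return jwt_claims(token).get("aud", "").rstrip("/") == resource.rstrip("/")


def request_token(resource, client_id=None):
    """Live call; only succeeds when run inside an Azure VM with an identity."""
    url, headers = build_token_request(resource, client_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as r:
        return parse_token_response(r.read())


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample reply (not a real token): header.payload.signature-placeholder.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"aud": ARM_RESOURCE, "exp": 1700003600}), "sig"])
SAMPLE_RESPONSE = json.dumps({"access_token": SAMPLE_TOKEN, "expires_on": "1700003600",
                              "resource": ARM_RESOURCE, "token_type": "Bearer"})
```

Treat the returned access token as a bearer credential: anything on the VM that can reach the IMDS endpoint can obtain it, so scope the role assignment of step 4 to the minimum the workload needs.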

Next steps

Get started with the managed identities for Azure resources feature with the following quickstarts: