Create, list, or delete a user-assigned managed identity using Azure PowerShell

User-assigned managed identities are a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Azure Previews.

Managed identities for Azure resources provide Azure services with a managed identity in Azure Active Directory. You can use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code.

In this article, you learn how to create, list, and delete a user-assigned managed identity using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

Configure Azure PowerShell locally

To use Azure PowerShell locally for this article, complete the following steps:

  1. Install the latest version of Azure PowerShell if you haven't already.

  2. Sign in to Azure:

    Connect-AzAccount -Environment AzureChinaCloud
    
  3. Install the latest version of PowerShellGet.

    Install-Module -Name PowerShellGet -AllowPrerelease
    

    You may need to Exit out of the current PowerShell session after you run this command before going on to the next step.

  4. Install the prerelease version of the Az.ManagedServiceIdentity module to perform the user-assigned managed identity operations in this article:

    Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease
    

Create a user-assigned managed identity

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To create a user-assigned managed identity, use the New-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which to create the user-assigned managed identity, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Important

When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

New-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>
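The following script is an added example, not code from the original article or from the Az.ManagedServiceIdentity module documentation. It validates the identity name against the constraints stated in the Important note above before calling New-AzUserAssignedIdentity, avoids creating a duplicate if the identity already exists, and records the identifiers that later role assignments and VM assignments need. It assumes Connect-AzAccount has already been run, that the resource group exists, and that you replace the two placeholder values; Test-UserAssignedIdentityName is a helper defined here, not a cmdlet.

```powershell
# Added example (not from the original article): create a user-assigned managed
# identity after checking the name against the documented constraints, then
# capture the identifiers an application or VM assignment will need.
# Assumptions: Connect-AzAccount has already been run and the resource group
# already exists. Both values below are placeholders you must replace.
$resourceGroup = '<RESOURCE GROUP>'
$identityName  = '<USER ASSIGNED IDENTITY NAME>'

function Test-UserAssignedIdentityName {
    param([Parameter(Mandatory)][string]$Name)
    # Only 0-9, a-z, A-Z, underscore and hyphen; 3 to 128 characters in total.
    return $Name -match '^[A-Za-z0-9_-]{3,128}$'
}

if (-not (Test-UserAssignedIdentityName -Name $identityName)) {
    throw "Identity name '$identityName' is not valid: use only letters, digits, '_' and '-', 3 to 128 characters long."
}

# Reuse an existing identity with this name rather than failing on a duplicate.
$existing = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Warning "Identity '$identityName' already exists in '$resourceGroup'; reusing it."
    $identity = $existing
} else {
    $identity = New-AzUserAssignedIdentity -ResourceGroupName $resourceGroup -Name $identityName
}

# PrincipalId is what you grant Azure RBAC roles to; ClientId is what a workload
# presents when requesting a token for this identity; Id (the resource ID) is
# what you reference when assigning the identity to a VM or VMSS.
[pscustomobject]@{
    Name        = $identity.Name
    ResourceId  = $identity.Id
    PrincipalId = $identity.PrincipalId
    ClientId    = $identity.ClientId
}
```

Keep the PrincipalId and ClientId from the output; the PrincipalId is the object you grant roles to, so granting only the roles the workload needs keeps the identity within least privilege.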

List user-assigned managed identities

To list/read a user-assigned managed identity, your account needs the Managed Identity Operator or Managed Identity Contributor role assignment.

To list user-assigned managed identities, use the Get-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group where the user-assigned managed identity was created. Replace <RESOURCE GROUP> with your own value:

Get-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP>

In the response, user-assigned managed identities have the value "Microsoft.ManagedIdentity/userAssignedIdentities" returned for the Type key.

Type :Microsoft.ManagedIdentity/userAssignedIdentities

Delete a user-assigned managed identity

To delete a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To delete a user-assigned managed identity, use the Remove-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group where the user-assigned identity was created, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Remove-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>

Note

Deleting a user-assigned managed identity does not remove the reference from any resource it was assigned to. Identity assignments need to be removed separately.
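The following script is an added example covering both the listing and the deletion sections; it is not code from the original article or from the Az module. Because deleting an identity leaves dangling references on the resources it was assigned to, the script lists the identities in a resource group, checks the Type value described in the listing section, looks for VMs and VM scale sets in the current subscription that still reference each identity, and only passes unreferenced identities to Remove-AzUserAssignedIdentity. It assumes Connect-AzAccount has been run, that Az.Compute is installed (for Get-AzVM and Get-AzVmss), that the VM and VMSS objects expose assigned user identities under Identity.UserAssignedIdentities keyed by resource ID, and that Remove-AzUserAssignedIdentity honours -WhatIf; Get-UserAssignedIdentityReferences is a helper defined here, not a cmdlet, and <RESOURCE GROUP> is a placeholder.

```powershell
# Added example (not from the original article): safe cleanup of user-assigned
# managed identities. Deleting an identity does not remove its reference from
# resources it was assigned to, so identities still referenced by a VM or VMSS
# are reported and kept. Assumes Connect-AzAccount has been run and Az.Compute
# is installed. $resourceGroup is a placeholder you must replace.
$resourceGroup = '<RESOURCE GROUP>'

function Get-UserAssignedIdentityReferences {
    param([Parameter(Mandatory)][string]$IdentityResourceId)
    # VM and VMSS objects expose assigned user identities as a dictionary keyed
    # by the identity's full resource ID; resource IDs compare case-insensitively.
    $refs = @()
    foreach ($vm in (Get-AzVM)) {
        $ids = $vm.Identity.UserAssignedIdentities
        if ($ids -and ($ids.Keys | Where-Object { $_ -ieq $IdentityResourceId })) {
            $refs += "VM $($vm.ResourceGroupName)/$($vm.Name)"
        }
    }
    foreach ($vmss in (Get-AzVmss)) {
        $ids = $vmss.Identity.UserAssignedIdentities
        if ($ids -and ($ids.Keys | Where-Object { $_ -ieq $IdentityResourceId })) {
            $refs += "VMSS $($vmss.ResourceGroupName)/$($vmss.Name)"
        }
    }
    return $refs
}

# List the identities in the resource group and confirm each really is a
# user-assigned identity via the Type value shown in the listing section.
$identities = Get-AzUserAssignedIdentity -ResourceGroupName $resourceGroup |
    Where-Object { $_.Type -eq 'Microsoft.ManagedIdentity/userAssignedIdentities' }

foreach ($id in $identities) {
    $refs = @(Get-UserAssignedIdentityReferences -IdentityResourceId $id.Id)
    if ($refs.Count -gt 0) {
        Write-Warning "Keeping '$($id.Name)': still assigned to $($refs -join ', '). Remove those assignments first."
        continue
    }
    # -WhatIf previews the deletion; remove it once the reported set is correct.
    Remove-AzUserAssignedIdentity -ResourceGroupName $id.ResourceGroupName -Name $id.Name -WhatIf
}
```

Run it first with -WhatIf in place to review which identities would be removed; a dangling reference left on a VM or VMSS is an easy thing to miss in an audit, so the reference check is the part worth keeping even if you script the deletion differently.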

Next steps

For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see Az.ManagedServiceIdentity.