Create, list, or delete a user-assigned managed identity using Azure PowerShell

User-assigned managed identities are a preview feature of Azure Active Directory. Make sure you review the known issues before you begin.

Managed identities for Azure resources provide Azure services with a managed identity in Azure Active Directory. You can use this identity to authenticate to services that support Azure AD authentication, without needing credentials in your code.

In this article, you learn how to create, list, and delete a user-assigned managed identity using Azure PowerShell.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

  • If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and a user-assigned managed identity.
  • If you don't already have an Azure account, sign up for a Trial before continuing.
  • Install the latest version of Azure PowerShell if you haven't already.
  • If you are running PowerShell locally, you also need to:
    • Run Connect-AzAccount -Environment AzureChinaCloud to create a connection with Azure.
    • Install the latest version of PowerShellGet.
    • Run Install-Module -Name PowerShellGet -AllowPrerelease to get the pre-release version of the PowerShellGet module (you may need to Exit the current PowerShell session after running this command before the Az.ManagedServiceIdentity module can be installed).
    • Run Install-Module -Name Az.ManagedServiceIdentity -AllowPrerelease to install the pre-release version of the Az.ManagedServiceIdentity module, which provides the user-assigned managed identity operations used in this article.

Create a user-assigned managed identity

To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To create a user-assigned managed identity, use the New-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which to create the user-assigned managed identity, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Important

When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name must be at least 3 and at most 128 characters long for assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

New-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>

List user-assigned managed identities

To list/read user-assigned managed identities, your account needs the Managed Identity Operator or Managed Identity Contributor role assignment.

To list user-assigned managed identities, use the Get-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which the user-assigned managed identities were created. Replace <RESOURCE GROUP> with your own value:

Get-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP>

In the response, user-assigned managed identities have the value "Microsoft.ManagedIdentity/userAssignedIdentities" returned for the Type key:

Type : Microsoft.ManagedIdentity/userAssignedIdentities

Delete a user-assigned managed identity

To delete a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.

To delete a user-assigned managed identity, use the Remove-AzUserAssignedIdentity command. The -ResourceGroupName parameter specifies the resource group in which the user-assigned identity was created, and the -Name parameter specifies its name. Replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

Remove-AzUserAssignedIdentity -ResourceGroupName <RESOURCE GROUP> -Name <USER ASSIGNED IDENTITY NAME>

Note

Deleting a user-assigned managed identity does not remove the reference to it from any resource it was assigned to; the resource is left pointing at an identity that no longer exists. Identity assignments need to be removed separately.
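The three operations above (create, list, delete) as one end-to-end script. This is an added example, not code from the original article: it assumes you have already run Connect-AzAccount -Environment AzureChinaCloud, hold Managed Identity Contributor on the resource group, and that the resource group name, identity name and the use of VMs as the only assignees are placeholders for your own environment. It adds the checks a practitioner wants around the bare cmdlets: it validates the name against the rule in the Important note before calling the API, records the PrincipalId and ClientId returned at creation (the principal you grant roles to, and the ID code on the resource uses to request tokens), and refuses to delete while any VM in the resource group still references the identity, so you do not leave the dangling reference the note above warns about.

```powershell
# Added example, not from the original article. Assumes an existing connection
# (Connect-AzAccount -Environment AzureChinaCloud) and Managed Identity Contributor
# on the resource group. Resource group and identity names are placeholders.
$rg   = 'myResourceGroup'        # assumption: an existing resource group
$name = 'build-agent-identity'   # assumption: the identity to manage

# Enforce the naming rule from the Important note before calling the API:
# 3 to 128 characters, letters, digits, underscore and hyphen only.
function Test-UserAssignedIdentityName {
    param([Parameter(Mandatory)][string]$Name)
    return $Name -cmatch '^[A-Za-z0-9_-]{3,128}$'
}
if (-not (Test-UserAssignedIdentityName -Name $name)) {
    throw "Identity name '$name' violates the naming rules (3-128 chars: 0-9, a-z, A-Z, _ and -)."
}

# Create. Location is taken from the resource group so the call is explicit.
# The returned object carries the two IDs you will need later: PrincipalId is the
# security principal to assign RBAC roles to; ClientId is what code running on the
# resource uses to request a token for this specific user-assigned identity.
$location = (Get-AzResourceGroup -Name $rg).Location
$identity = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name $name -Location $location
"Created {0}`n  ResourceId : {1}`n  PrincipalId: {2}`n  ClientId   : {3}" -f `
    $identity.Name, $identity.Id, $identity.PrincipalId, $identity.ClientId

# List: filter on the Type value the article describes and show the key fields.
Get-AzUserAssignedIdentity -ResourceGroupName $rg |
    Where-Object Type -eq 'Microsoft.ManagedIdentity/userAssignedIdentities' |
    Select-Object Name, PrincipalId, ClientId

# Delete, but only if nothing still references the identity. Remove-AzUserAssignedIdentity
# does not detach it from resources, so a VM that still lists it would be left pointing
# at a deleted principal. A VM's UserAssignedIdentities dictionary is keyed by the
# identity's resource ID; compare case-insensitively because resource IDs vary in case.
# Assumption: VMs are the only kind of assignee in this resource group.
$stillAssigned = Get-AzVM -ResourceGroupName $rg | Where-Object {
    $_.Identity -and $_.Identity.UserAssignedIdentities -and
    ($_.Identity.UserAssignedIdentities.Keys | Where-Object { $_ -ieq $identity.Id })
}
if ($stillAssigned) {
    Write-Warning ("Identity '{0}' is still assigned to VM(s): {1}. Remove those assignments first." -f
        $name, (($stillAssigned | ForEach-Object Name) -join ', '))
} else {
    Remove-AzUserAssignedIdentity -ResourceGroupName $rg -Name $name
}
```

Run it as a script in a session that already has an Azure context; the warning branch is deliberately a stop rather than an automatic detach, because detaching an identity from a VM changes that VM's identity configuration and should be a separate, reviewed step.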

Next steps

For a full list and more details of the Azure PowerShell managed identities for Azure resources commands, see Az.ManagedServiceIdentity.