How to use managed identities for Azure resources on an Azure VM for sign-in

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

This article provides PowerShell and CLI script examples for signing in using the managed identities for Azure resources service principal, and guidance on important topics such as error handling.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

  • If you're not familiar with the managed identities for Azure resources feature, see this overview.
  • If you plan to use the Azure PowerShell or Azure CLI examples in this article, be sure to install the latest version of Azure PowerShell or Azure CLI.

Important

Overview

Managed identities for Azure resources provide a service principal object, which is created upon enabling managed identities for Azure resources on the VM. The service principal can be given access to Azure resources, and used as an identity by script/command-line clients for sign-in and resource access. Traditionally, in order to access secured resources under its own identity, a script client would need to:

  • be registered and consented with Azure AD as a confidential/web client application
  • sign in under its service principal, using the app's credentials (which are likely embedded in the script)

With managed identities for Azure resources, your script client no longer needs to do either, as it can sign in under the managed identities for Azure resources service principal.

Azure CLI

The following script demonstrates how to:

  1. Sign in to Azure AD under the VM's managed identity for Azure resources service principal

  2. Call Azure Resource Manager and get the VM's service principal ID. CLI takes care of managing token acquisition/use for you automatically. Be sure to substitute your virtual machine name for <VM-NAME>.

    # Sign in to Azure AD as the VM's managed identity; no credentials are stored in the script.
    az login --identity

    # Ask Azure Resource Manager for the VM's service principal ID. Quote the JMESPath query
    # so the shell does not glob-expand "[*]". Replace <VM-NAME> with your VM name.
    spID=$(az resource list -n <VM-NAME> --query "[*].identity.principalId" --out tsv)
    echo "The managed identity for Azure resources service principal ID is $spID"

Azure PowerShell

The following script demonstrates how to:

  1. Sign in to Azure AD under the VM's managed identity for Azure resources service principal

  2. Call an Azure Resource Manager cmdlet to get information about the VM. PowerShell takes care of managing token use for you automatically.

    # Sign in to Azure AD as the VM's managed identity; no credentials are stored in the script.
    Add-AzAccount -Identity

    # Call Azure Resource Manager to get the service principal ID for the VM's managed identity for Azure resources.
    # Replace <RESOURCE-GROUP> and <VM-NAME> with your own values.
    $vmInfoPs = Get-AzVM -ResourceGroupName <RESOURCE-GROUP> -Name <VM-NAME>
    $spID = $vmInfoPs.Identity.PrincipalId
    Write-Output "The managed identity for Azure resources service principal ID is $spID"

Resource IDs for Azure services

See Azure services that support Azure AD authentication for a list of resources that support Azure AD and have been tested with managed identities for Azure resources, and their respective resource IDs.

Error handling guidance

Responses such as the following may indicate that the VM's managed identity for Azure resources has not been correctly configured:

  • PowerShell: Invoke-WebRequest : Unable to connect to the remote server
  • CLI: MSI: Failed to retrieve a token from http://localhost:50342/oauth2/token with an error of 'HTTPConnectionPool(host='localhost', port=50342)

If you receive one of these errors, return to the Azure VM in the Azure portal and:

  • Go to the Identity page and ensure System assigned is set to "Yes."
  • Go to the Extensions page and ensure the managed identities for Azure resources extension (planned for deprecation in January 2019) deployed successfully.

If either is incorrect, you may need to redeploy the managed identities for Azure resources on your resource again, or troubleshoot the deployment failure. See Configure Managed identities for Azure resources on a VM using the Azure portal if you need assistance with VM configuration.
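The following bash script is an added example, not code from the original article: it wraps the Azure CLI sign-in shown above with the error triage this section describes, mapping the two error messages listed here to the portal checklist. It assumes the Azure CLI is installed on the VM, <VM-NAME> is a placeholder, and the SAMPLE_* strings are constructed from the article's error text.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Wraps "az login --identity" with the
# error triage the article describes. Assumes the Azure CLI is installed on the VM and
# <VM-NAME> is a placeholder. The SAMPLE_* strings are constructed from the article's text.

SAMPLE_CLI_ERROR="MSI: Failed to retrieve a token from http://localhost:50342/oauth2/token with an error of 'HTTPConnectionPool(host='localhost', port=50342)'"
SAMPLE_PS_ERROR="Invoke-WebRequest : Unable to connect to the remote server"

# Map captured error output to a diagnosis code. Both messages the article lists mean the
# local managed-identity token endpoint could not be reached, so they share one code.
classify_msi_error() {
  case "$1" in
    *"Failed to retrieve a token from http://localhost:50342/oauth2/token"*) echo "msi-endpoint-unreachable" ;;
    *"HTTPConnectionPool(host='localhost', port=50342)"*)                   echo "msi-endpoint-unreachable" ;;
    *"Invoke-WebRequest"*"Unable to connect to the remote server"*)         echo "msi-endpoint-unreachable" ;;
    *) echo "unknown" ;;
  esac
}

# Print the article's remediation checklist for a diagnosis code.
remediation_for() {
  case "$1" in
    msi-endpoint-unreachable)
      printf '%s\n' \
        "Identity page: 'System assigned' must be set to Yes." \
        "Extensions page: the managed identities for Azure resources extension must have deployed successfully." \
        "If either is wrong, redeploy the managed identity on the VM or troubleshoot the deployment." ;;
    *) echo "No guidance for this error; inspect the raw output." ;;
  esac
}

# Sign in as the VM's managed identity and print its service principal ID.
# On failure, prints the diagnosis and checklist to stderr and returns 1.
get_vm_principal_id() {
  local vm_name="$1" err code
  if ! err=$(az login --identity 2>&1 >/dev/null); then
    code=$(classify_msi_error "$err")
    echo "az login --identity failed ($code): $err" >&2
    remediation_for "$code" >&2
    return 1
  fi
  # Quote the JMESPath query so the shell does not glob-expand "[*]".
  az resource list -n "$vm_name" --query "[*].identity.principalId" --out tsv
}

# Usage on the VM: get_vm_principal_id "<VM-NAME>"
```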

Next steps