How to use managed identities for Azure resources on an Azure VM for sign-in
Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.
This article provides PowerShell and CLI script examples for sign-in using the managed identities for Azure resources service principal, and guidance on important topics such as error handling.
Note
This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.
Prerequisites
- If you're not familiar with the managed identities for Azure resources feature, see this overview. If you don't have an Azure account, sign up for a Trial before you continue.
- If you plan to use the Azure PowerShell or Azure CLI examples in this article, be sure to install the latest version of Azure PowerShell or Azure CLI.
Important
- All sample scripts in this article assume the command-line client is running on a VM with managed identities for Azure resources enabled. Use the VM "Connect" feature in the Azure portal to remotely connect to your VM. For details on enabling managed identities for Azure resources on a VM, see Configure managed identities for Azure resources on a VM using the Azure portal, or one of the variant articles (using PowerShell, CLI, a template, or an Azure SDK).
- To prevent errors during resource access, the VM's managed identity must be given at least "Reader" access at the appropriate scope (the VM or higher) to allow Azure Resource Manager operations on the VM. See Assign managed identities for Azure resources access to a resource using the Azure portal for details.
Overview
Managed identities for Azure resources provide a service principal object, which is created upon enabling managed identities for Azure resources on the VM. The service principal can be given access to Azure resources, and used as an identity by script/command-line clients for sign-in and resource access. Traditionally, in order to access secured resources under its own identity, a script client would need to:
- be registered and consented with Azure AD as a confidential/web client application
- sign in under its service principal, using the app's credentials (which are likely embedded in the script)
With managed identities for Azure resources, your script client no longer needs to do either, as it can sign in under the managed identities for Azure resources service principal.
Azure CLI
The following script demonstrates how to:
- Sign in to Azure AD under the VM's managed identity for Azure resources service principal
- Call Azure Resource Manager and get the VM's service principal ID. CLI takes care of managing token acquisition/use for you automatically. Be sure to substitute your virtual machine name for <VM-NAME>.

    az login --identity
    spID=$(az resource list -n <VM-NAME> --query [*].identity.principalId --out tsv)
    echo The managed identity for Azure resources service principal ID is $spID
Azure PowerShell
The following script demonstrates how to:
- Sign in to Azure AD under the VM's managed identity for Azure resources service principal
- Call an Azure Resource Manager cmdlet to get information about the VM. PowerShell takes care of managing token use for you automatically.

    Add-AzAccount -identity
    # Call Azure Resource Manager to get the service principal ID for the VM's managed identity for Azure resources.
    $vmInfoPs = Get-AzVM -ResourceGroupName <RESOURCE-GROUP> -Name <VM-NAME>
    $spID = $vmInfoPs.Identity.PrincipalId
    echo "The managed identity for Azure resources service principal ID is $spID"
Resource IDs for Azure services
See Azure services that support Azure AD authentication for a list of resources that support Azure AD and have been tested with managed identities for Azure resources, and their respective resource IDs.
Error handling guidance
Responses such as the following may indicate that the VM's managed identity for Azure resources has not been correctly configured:
- PowerShell: Invoke-WebRequest : Unable to connect to the remote server
- CLI: MSI: Failed to retrieve a token from http://localhost:50342/oauth2/token with an error of 'HTTPConnectionPool(host='localhost', port=50342)'
If you receive one of these errors, return to the Azure VM in the Azure portal and:
- Go to the Identity page and ensure System assigned is set to "Yes."
- Go to the Extensions page and ensure the managed identities for Azure resources extension (planned for deprecation in January 2019) deployed successfully.
If either is incorrect, you may need to redeploy the managed identities for Azure resources on your resource, or troubleshoot the deployment failure. See Configure managed identities for Azure resources on a VM using the Azure portal if you need assistance with VM configuration.
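As an added example that is not part of the original article, the CLI flow from the Azure CLI section and the error-handling guidance above combined into one POSIX shell script. The article's script echoes $spID even when az returned nothing (or several lines, since az resource list -n matches every resource with that name, and only the VM carries an identity block); this version accepts exactly one GUID and fails otherwise, and it maps the two error messages quoted above to the portal checks the article recommends. The function names, the GUID-shape check and the RUN guard are my own assumptions; the az commands are the article's.

```shell
#!/bin/sh
# Added example (not from the Azure documentation): hardened wrapper around
#   az login --identity
#   az resource list -n <VM-NAME> --query [*].identity.principalId --out tsv
set -u

# Accept the tsv output of the az resource list query only if it contains
# exactly one GUID (resources without an identity block print blank lines).
# Prints the ID on success; returns 1 on zero or several IDs.
validate_principal_id() {
  out="$1"
  ids=$(printf '%s\n' "$out" \
        | grep -Ei '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || true)
  count=$(printf '%s' "$ids" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one principal ID, got $count" >&2
    return 1
  fi
  printf '%s\n' "$ids"
}

# Map an error message to the article's diagnosis: the two signatures it lists
# mean the managed identity endpoint on the VM is not reachable.
classify_msi_error() {
  case "$1" in
    *"Failed to retrieve a token from http://localhost:50342/oauth2/token"*|\
    *"Invoke-WebRequest : Unable to connect to the remote server"*)
      echo "identity-not-configured" ;;
    *)
      echo "other" ;;
  esac
}

# The remediation checklist from the article's error handling guidance.
remediation() {
  cat <<'EOF'
Managed identity endpoint unreachable. In the Azure portal, on the VM:
  1. Identity page: ensure "System assigned" is set to Yes.
  2. Extensions page: ensure the managed identities for Azure resources
     extension deployed successfully.
If either is wrong, redeploy the managed identity or troubleshoot the
extension deployment failure.
EOF
}

# Live flow: sign in, then look up the VM's principal ID.
main() {
  vm_name="$1"
  # keep stderr of az login (the error text), discard its stdout
  if ! err=$(az login --identity 2>&1 >/dev/null); then
    if [ "$(classify_msi_error "$err")" = "identity-not-configured" ]; then
      remediation >&2
    else
      printf '%s\n' "$err" >&2
    fi
    return 1
  fi
  raw=$(az resource list -n "$vm_name" \
          --query '[*].identity.principalId' --out tsv) || return 1
  spID=$(validate_principal_id "$raw") || return 1
  echo "The managed identity for Azure resources service principal ID is $spID"
}

# Only contact az when a VM name is given, e.g.:  sh msi-login.sh <VM-NAME>
case "${1:-}" in
  "") ;;
  *) main "$1" ;;
esac
```

Run it on the VM as `sh msi-login.sh <VM-NAME>`; with no argument the script only defines the functions, so they can be sourced and reused from other scripts.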
Next steps
- To enable managed identities for Azure resources on an Azure VM, see Configure managed identities for Azure resources on an Azure VM using PowerShell, or Configure managed identities for Azure resources on an Azure VM using Azure CLI