FAQs and known issues with managed identities for Azure resources

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Frequently Asked Questions (FAQs)

Note

Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

Does managed identities for Azure resources work with Azure Cloud Services?

No, there are no plans to support managed identities for Azure resources in Azure Cloud Services.

Does managed identities for Azure resources work with the Active Directory Authentication Library (ADAL) or the Microsoft Authentication Library (MSAL)?

No, managed identities for Azure resources is not yet integrated with ADAL or MSAL. For details on acquiring a token for managed identities for Azure resources using the REST endpoint, see How to use managed identities for Azure resources on an Azure VM to acquire an access token.

What is the security boundary of managed identities for Azure resources?

The security boundary of the identity is the resource to which it is attached. For example, the security boundary for a Virtual Machine with managed identities for Azure resources enabled is the Virtual Machine. Any code running on that VM is able to call the managed identities for Azure resources endpoint and request tokens. The experience is similar for other resources that support managed identities for Azure resources.

What identity will IMDS default to if you don't specify the identity in the request?

  • If system assigned managed identity is enabled and no identity is specified in the request, IMDS will default to the system assigned managed identity.
  • If system assigned managed identity is not enabled, and only one user assigned managed identity exists, IMDS will default to that single user assigned managed identity.
  • If system assigned managed identity is not enabled, and multiple user assigned managed identities exist, then specifying a managed identity in the request is required.
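To make the three rules above concrete, here is an added Python example (not code from the Azure documentation) that encodes the default-identity rule and builds the matching IMDS token request. The endpoint address, api-version, Metadata header and client_id query parameter are the documented IMDS values; the identity IDs used in the demo are constructed sample values.

```python
"""Model of the IMDS default-identity rule, plus a builder for the token request.
Added example, not part of the Azure docs page; sample identity IDs are constructed."""
from urllib.parse import urlencode

# Documented IMDS token endpoint and the API version used for managed identity tokens.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def resolve_identity(system_assigned, user_assigned, requested=None):
    """Return the identity IMDS will use, or raise ValueError when the request is ambiguous.

    system_assigned: True when the system-assigned identity is enabled on the resource
    user_assigned:   client IDs of the user-assigned identities attached to the resource
    requested:       client ID named in the request (client_id parameter), or None
    """
    if requested is not None:
        # An explicitly named identity must actually be attached to the resource.
        if requested in user_assigned:
            return requested
        raise ValueError(f"identity {requested!r} is not attached to this resource")
    if system_assigned:
        return "system-assigned"            # rule 1: system-assigned wins by default
    if len(user_assigned) == 1:
        return user_assigned[0]             # rule 2: the single user-assigned identity
    if not user_assigned:
        raise ValueError("no managed identity is attached to this resource")
    raise ValueError("several user-assigned identities: the request must name one")  # rule 3


def build_token_request(resource, client_id=None):
    """Return (url, headers) for the IMDS token call.

    client_id selects a user-assigned identity; omit it to rely on the default rule.
    The 'Metadata: true' header is required by IMDS to block SSRF-style forwarding.
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id is not None:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


if __name__ == "__main__":
    # Constructed sample: no system-assigned identity, two user-assigned identities.
    attached = ["11111111-aaaa-4bbb-8ccc-000000000001", "22222222-aaaa-4bbb-8ccc-000000000002"]
    chosen = resolve_identity(False, attached, requested=attached[0])
    print(build_token_request("https://management.azure.com/", client_id=chosen))
```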

Will managed identities be recreated automatically if I move a subscription to another directory?

No. If you move a subscription to another directory, you will have to manually re-create the identities and grant Azure RBAC role assignments again.

  • For system assigned managed identities: disable and re-enable.
  • For user assigned managed identities: delete, re-create and attach them again to the necessary resources (e.g. virtual machines).

Can I use a managed identity to access a resource in a different directory/tenant?

No. Managed identities do not currently support cross-directory scenarios.

What Azure RBAC permissions are required to manage identities on a resource?

  • System-assigned managed identity: You need write permissions over the resource. For example, for virtual machines you need Microsoft.Compute/virtualMachines/write. This action is included in resource-specific built-in roles like Virtual Machine Contributor.
  • User-assigned managed identity: You need write permissions over the resource. For example, for virtual machines you need Microsoft.Compute/virtualMachines/write. In addition, you need the Managed Identity Operator role assignment over the managed identity itself.

Known issues

"Automation script" fails when attempting schema export for managed identities for Azure resources extension

When managed identities for Azure resources is enabled on a VM, the following error is shown when attempting to use the "Automation script" feature for the VM, or its resource group:

[Image: managed identities for Azure resources automation script export error]

The managed identities for Azure resources VM extension (planned for deprecation in January 2019) does not currently support the ability to export its schema to a resource group template. As a result, the generated template does not show the configuration parameters that enable managed identities for Azure resources on the resource. These sections can be added manually by following the examples in Configure managed identities for Azure resources on an Azure VM using templates.

When the schema export functionality becomes available for the managed identities for Azure resources VM extension (planned for deprecation in January 2019), it will be listed in Exporting Resource Groups that contain VM extensions.

VM fails to start after being moved from resource group or subscription

If you move a VM in the running state, it continues to run during the move. However, after the move, if the VM is stopped and restarted, it will fail to start. This issue happens because the VM does not update its reference to the managed identities for Azure resources identity and continues to point to it in the old resource group.

Workaround

Trigger an update on the VM so it can get correct values for the managed identities for Azure resources. You can do a VM property change to update the reference to the managed identities for Azure resources identity. For example, you can set a new tag value on the VM with the following command:

az vm update -n <VM Name> -g <Resource Group> --set tags.fixVM=1

This command sets a new tag "fixVM" with a value of 1 on the VM.

By setting this property, the VM updates with the correct managed identities for Azure resources resource URI, and then you should be able to start the VM.

Once the VM is started, the tag can be removed with the following command:

az vm update -n <VM Name> -g <Resource Group> --remove tags.fixVM

Transferring a subscription between Azure AD directories

Managed identities do not get updated when a subscription is moved/transferred to another directory. As a result, any existing system-assigned or user-assigned managed identities will be broken.

Workaround for managed identities in a subscription that has been moved to another directory:

  • For system assigned managed identities: disable and re-enable.
  • For user assigned managed identities: delete, re-create and attach them again to the necessary resources (e.g. virtual machines).

Moving a user-assigned managed identity to a different resource group/subscription

Moving a user-assigned managed identity to a different resource group is not supported.