What are managed identities for Azure resources?

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

As a cloud developer, you are probably looking for the simplest and most secure method to access Azure resources from your code.

Managed identities for Azure resources can help you with this requirement because managed identities:

  • Eliminate the need for credentials in your code.
  • Rotate credentials automatically.
  • Reduce your involvement in managing identities to a minimum.

How it works

All Azure resources that support managed identities can obtain tokens to exchange data without having credentials in the code. The process consists of the following steps:

  1. Enable - Create the managed identity for the resource.
  2. Grant access - Allow access to resources with Azure RBAC.
  3. Access - Perform the allowed actions.
  4. Disable - Delete the managed identity.

Managed identity types

There are two types of managed identities:

  • System-assigned managed identity

  • User-assigned managed identity

For stand-alone Azure resources, you can enable system-assigned managed identities. System-assigned managed identities provide the most convenient support from the identity management perspective. With just one click, you can enable automated life cycle management of an identity for your resource.

System-assigned managed identity

While system-assigned managed identities provide the most convenient solution for stand-alone resources, things look different if you need to manage a group of Azure resources for the same task. In this scenario, you are better off creating an identity manually and assigning this master identity to all the Azure resources you need to group. This assignment is known as a user-assigned managed identity. What is a good example?
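For the "Access" step above and the two identity types just described, the following is an added example, not code from the original page: it builds the token request that a resource sends to the Azure Instance Metadata Service (IMDS) endpoint, selects a user-assigned identity by `client_id` when one is given, and caches each token until shortly before it expires. The JSON reply in the test is constructed; the `fetch` callable and `TokenCache` class are names chosen here, not an Azure SDK API.

```python
import json
import time
import urllib.parse
import urllib.request

# Azure IMDS token endpoint; reachable only from inside the Azure resource itself.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"
REFRESH_MARGIN = 300  # seconds; renew a token well before it expires

def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    client_id is needed only for a user-assigned identity; a system-assigned
    identity is selected implicitly because the resource has exactly one.
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # The Metadata header is mandatory; IMDS rejects requests without it so
    # that callers unable to set custom headers cannot obtain a token.
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}

def parse_token_response(body):
    """Return (access_token, expires_on) from an IMDS JSON reply."""
    data = json.loads(body)
    return data["access_token"], int(data["expires_on"])  # expires_on is epoch seconds

def imds_fetch(url, headers):
    """Real transport; works only on an Azure resource with a managed identity."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

class TokenCache:
    """One cached token per target resource, renewed before it expires."""
    def __init__(self, fetch=imds_fetch, client_id=None, now=time.time):
        self._fetch, self._client_id, self._now = fetch, client_id, now
        self._tokens = {}  # resource -> (token, expires_on)

    def get(self, resource):
        cached = self._tokens.get(resource)
        if cached and cached[1] - self._now() > REFRESH_MARGIN:
            return cached[0]
        url, headers = build_token_request(resource, self._client_id)
        token, expires_on = parse_token_response(self._fetch(url, headers))
        self._tokens[resource] = (token, expires_on)
        return token
```

Because the token never leaves the resource and is issued by IMDS rather than read from configuration, nothing in the deployment has to store or rotate a secret; revoking access is done by removing the RBAC assignment or the identity itself.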

Supported services

You can use managed identities for Azure resources to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.

Next steps

Get started with the managed identities for Azure resources feature with the following quickstarts: