What are managed identities for Azure resources?

A common challenge for developers is managing the secrets and credentials used to secure communication between different services. On Azure, managed identities remove the need for developers to manage credentials at all: the platform provides an identity for the Azure resource in Azure AD and uses it to obtain Azure Active Directory (Azure AD) tokens. This also helps with accessing Azure Key Vault, where developers can store credentials securely. Managed identities for Azure resources solve this problem by providing Azure services with an automatically managed identity in Azure AD.

Here are some of the benefits of using managed identities:

  • You don't need to manage credentials. Credentials are not even accessible to you.
  • You can use managed identities to authenticate to any Azure service that supports Azure AD authentication, including Azure Key Vault.
  • Managed identities can be used without any additional cost.

Note

Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

Managed identity types

There are two types of managed identities:

  • System-assigned: Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
  • User-assigned: You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.

The table below shows the differences between the two types of managed identities.

Property: Creation
  • System-assigned managed identity: Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service).
  • User-assigned managed identity: Created as a stand-alone Azure resource.

Property: Life cycle
  • System-assigned managed identity: Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.
  • User-assigned managed identity: Independent life cycle. Must be explicitly deleted.

Property: Sharing across Azure resources
  • System-assigned managed identity: Cannot be shared. It can only be associated with a single Azure resource.
  • User-assigned managed identity: Can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.

Property: Common use cases
  • System-assigned managed identity: Workloads that are contained within a single Azure resource. Workloads for which you need independent identities. For example, an application that runs on a single virtual machine.
  • User-assigned managed identity: Workloads that run on multiple resources and which can share a single identity. Workloads that need pre-authorization to a secure resource as part of a provisioning flow. Workloads where resources are recycled frequently, but permissions should stay consistent. For example, a workload where multiple virtual machines need to access the same resource.

Important

Regardless of the type of identity chosen, a managed identity is a service principal of a special type that may only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed.

How can I use managed identities for Azure resources?

Some examples of how developers can use managed identities to access resources from their code without managing authentication information:
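The example below is added here and is not code from the original page or from Microsoft. It shows, with only the Python standard library, what happens when code running on an Azure resource asks for a token with its managed identity: it calls the Azure Instance Metadata Service (IMDS) token endpoint at 169.254.169.254 with the required `Metadata: true` header, optionally naming a user-assigned identity by `client_id`, parses the JSON token response, and then presents the token as a bearer token to Azure Key Vault. The endpoint, api-version and header are the documented public interface; the vault name, secret name, client ID and the JSON response are constructed sample values, and the Key Vault REST api-version `7.4` is an assumption of this example.

```python
"""Obtain an Azure AD access token for a managed identity from the Azure
Instance Metadata Service (IMDS) and use it as a bearer token against Key Vault.

Added example, not code from the original page. Standard library only. The
sample JSON response below is constructed for illustration; it is not a real
token.
"""
import json
import time
import urllib.parse
import urllib.request

# Link-local IMDS endpoint that every Azure VM can reach; it is only
# reachable from inside the resource, never from the internet.
IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for a managed identity token request.

    resource:  audience of the token, for example "https://vault.azure.net".
    client_id: None for the resource's system-assigned identity; the client ID
               of a user-assigned identity otherwise, because one resource can
               carry several user-assigned identities and IMDS must be told
               which one to use.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests that lack this header, so a request that reaches it
    # through an open redirect in the workload does not get a token.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body, now=None):
    """Parse the IMDS JSON body; return (access_token, seconds until expiry).

    Raises ValueError if the body is not a usable bearer-token response
    (for example an IMDS error object).
    """
    data = json.loads(body)
    if "access_token" not in data or data.get("token_type", "Bearer") != "Bearer":
        raise ValueError("not a bearer token response: %r" % body[:80])
    # IMDS returns expires_on as a string of Unix epoch seconds.
    expires_on = int(data["expires_on"])
    now = int(time.time()) if now is None else now
    return data["access_token"], expires_on - now


def fetch_token(resource, client_id=None, opener=urllib.request.urlopen):
    """Perform the token request. Only succeeds from inside an Azure resource
    that has a managed identity; the opener argument exists so callers can
    substitute a fake transport when testing off-platform."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with opener(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


def key_vault_secret_request(vault_name, secret_name, access_token):
    """Return (url, headers) for reading a Key Vault secret with the token.
    The api-version value is an assumption of this example."""
    url = "https://%s.vault.azure.net/secrets/%s?api-version=7.4" % (
        urllib.parse.quote(vault_name), urllib.parse.quote(secret_name))
    return url, {"Authorization": "Bearer " + access_token}


# Constructed sample response in the shape IMDS returns (not a real token).
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.CONSTRUCTED.SAMPLE",
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    url, headers = build_token_request("https://vault.azure.net")
    print("GET", url, headers)
    token, ttl = parse_token_response(SAMPLE_IMDS_RESPONSE, now=1700000000)
    print("token expires in", ttl, "seconds")
    print(key_vault_secret_request("contoso-kv", "db-password", token))
```

Note what the code never contains: no client secret, certificate or connection string. The only credential material is the short-lived token handed out by IMDS, which is why a resource that is deleted (system-assigned) or an identity that is removed (user-assigned) stops being able to authenticate without any secret rotation on the developer's side.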

What Azure services support the feature?

Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.

Next steps