Configure managed identities for Azure resources on an Azure VM using Azure CLI

Managed identities for Azure resources is a feature of Azure Active Directory. Each Azure service that supports managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, using the Azure CLI, you learn how to perform the following managed identities for Azure resources operations on an Azure VM:

  • Enable and disable the system-assigned managed identity on an Azure VM
  • Add and remove a user-assigned managed identity on an Azure VM

Prerequisites

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity on an Azure VM using Azure CLI.

Enable system-assigned managed identity during creation of an Azure VM

To create an Azure VM with the system-assigned managed identity enabled, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. Create a resource group for containment and deployment of your VM and its related resources, using az group create. You can skip this step if you already have a resource group you would like to use instead:

    az group create --name myResourceGroup --location chinanorth
    
  2. Create a VM using az vm create. The following example creates a VM named myVM with a system-assigned managed identity, as requested by the --assign-identity parameter (given without a value, it enables the system-assigned identity). The --admin-username and --admin-password parameters specify the administrative user name and password for virtual machine sign-in. Update these values as appropriate for your environment, and keep in mind that a password passed on the command line is recorded in your shell history:

    az vm create --resource-group myResourceGroup --name myVM --image win2016datacenter --assign-identity --admin-username azureuser --admin-password myPassword12
    

Enable system-assigned managed identity on an existing Azure VM

To enable the system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription that contains the VM.

    az login
    
  2. Use az vm identity assign to enable the system-assigned identity on an existing VM:

    az vm identity assign -g myResourceGroup -n myVM
    

Disable system-assigned identity from an Azure VM

To disable the system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

If you have a virtual machine that no longer needs the system-assigned identity but still needs its user-assigned identities, use the following command:

az vm update -n myVM -g myResourceGroup --set identity.type='UserAssigned' 

If you have a virtual machine that no longer needs the system-assigned identity and it has no user-assigned identities, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vm update -n myVM -g myResourceGroup --set identity.type="none"

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity from an Azure VM using Azure CLI. If you create your user-assigned managed identity in a different resource group than your VM, you must pass the identity's full resource ID rather than its bare name when assigning it to the VM, i.e. --identities "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER_ASSIGNED_ID_NAME>"

Assign a user-assigned managed identity during the creation of an Azure VM

To assign a user-assigned identity to a VM during its creation, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

  1. You can skip this step if you already have a resource group you would like to use. Create a resource group for containment and deployment of your user-assigned managed identity, using az group create. Be sure to replace the <RESOURCE GROUP> and <LOCATION> parameter values with your own values.

    az group create --name <RESOURCE GROUP> --location <LOCATION>
    
  2. Create a user-assigned managed identity using az identity create. The -g parameter specifies the resource group where the user-assigned managed identity is created, and the -n parameter specifies its name.

    Important

    When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to a VM or VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

    az identity create -g myResourceGroup -n myUserAssignedIdentity
    

    The response contains details for the user-assigned managed identity created, similar to the following. The resource ID value (id) assigned to the user-assigned managed identity is what you pass in the following step when the identity is not in the VM's resource group.

    {
        "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
        "clientSecretUrl": "https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
        "id": "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>",
        "location": "chinanorth",
        "name": "<USER ASSIGNED IDENTITY NAME>",
        "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
        "resourceGroup": "<RESOURCE GROUP>",
        "tags": {},
        "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
    }
    
  3. Create a VM using az vm create. The following example creates a VM associated with the new user-assigned identity, as specified by the --assign-identity parameter. Be sure to replace the <RESOURCE GROUP>, <VM NAME>, <USER NAME>, <PASSWORD>, and <USER ASSIGNED IDENTITY NAME> parameter values with your own values. Passing the identity by name works only when it is in the same resource group as the VM; otherwise pass the id value from the previous step instead.

    az vm create --resource-group <RESOURCE GROUP> --name <VM NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY NAME>
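The steps above leave two things to the operator: checking the identity name against the naming rule in the Important note, and building the full resource ID when the identity does not live in the VM's resource group. The following script is an added example (not code from the page or from Azure) that wraps the same az commands with those two pre-flight checks. The az invocations are only printed unless RUN_AZ=1 is set, so it can be reviewed offline; the resource group and identity names in the final call are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: pre-flight checks for creating a
# user-assigned managed identity and assigning it to a VM, wrapping the same az
# commands the steps above use. Every az invocation is only printed unless
# RUN_AZ=1 is set, so the script can be reviewed (and tested) offline.

# Run or print an az command, depending on RUN_AZ.
run_az() {
  if [ "${RUN_AZ:-0}" = "1" ]; then
    az "$@"
  else
    printf 'az'
    printf ' %s' "$@"
    printf '\n'
  fi
}

# Check an identity name against the rule stated in the Important note above:
# 3 to 128 characters, drawn only from 0-9, a-z, A-Z, underscore and hyphen.
# Returns 0 when the name is acceptable, 1 otherwise.
valid_identity_name() {
  local name="$1"
  local len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 128 ] || return 1
  case "$name" in
    *[!0-9A-Za-z_-]*) return 1 ;;
  esac
  return 0
}

# Build the full ARM resource ID of a user-assigned identity. This is the form
# --identities / --assign-identity needs when the identity lives in a different
# resource group than the VM; a bare name only resolves within the VM's group.
# Arguments: subscription ID, identity resource group, identity name.
identity_resource_id() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' \
    "$1" "$2" "$3"
}

# Create the identity in its own resource group and attach it to the VM by
# resource ID. Arguments: subscription, identity RG, identity name, VM RG, VM name.
assign_user_identity() {
  local subscription="$1" identity_rg="$2" identity_name="$3" vm_rg="$4" vm_name="$5"
  local identity_id
  if ! valid_identity_name "$identity_name"; then
    echo "refusing to create identity: name '$identity_name' violates the naming rule" >&2
    return 1
  fi
  identity_id=$(identity_resource_id "$subscription" "$identity_rg" "$identity_name")
  run_az identity create -g "$identity_rg" -n "$identity_name" || return 1
  run_az vm identity assign -g "$vm_rg" -n "$vm_name" --identities "$identity_id"
}

# Example invocation with placeholder values (assumed names, not from the page).
assign_user_identity "<SUBSCRIPTION ID>" identityRG myUserAssignedIdentity myResourceGroup myVM
```

Validating the name before calling az identity create avoids creating an identity that later cannot be attached to a VM or VMSS, and always passing the resource ID makes the assignment independent of which resource group the VM is in.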
    

Assign a user-assigned managed identity to an existing Azure VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

  1. Create a user-assigned identity using az identity create. The -g parameter specifies the resource group where the user-assigned identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

    Important

    Creating user-assigned managed identities with special characters in the name other than the underscore (_) and the hyphen (-) is not supported. Use alphanumeric characters (0-9, a-z, A-Z), underscores and hyphens, with a name length of 3 to 128 characters. Check back for updates. For more information, see FAQs and known issues.

    az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
    

    The response contains details for the user-assigned managed identity created, similar to the following.

    {
        "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
        "clientSecretUrl": "https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
        "id": "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>",
        "location": "chinanorth",
        "name": "<USER ASSIGNED IDENTITY NAME>",
        "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
        "resourceGroup": "<RESOURCE GROUP>",
        "tags": {},
        "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
        "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
    }
    
  2. Assign the user-assigned identity to your VM using az vm identity assign. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> is the user-assigned managed identity's resource name property, as created in the previous step. If you created your user-assigned managed identity in a different resource group than your VM, you must use the identity's full resource ID (the id value from the previous step) instead of its name.

    az vm identity assign -g <RESOURCE GROUP> -n <VM NAME> --identities <USER ASSIGNED IDENTITY>
    

Remove a user-assigned managed identity from an Azure VM

To remove a user-assigned identity from a VM, your account needs the Virtual Machine Contributor role assignment.

If this is the only user-assigned managed identity assigned to the virtual machine, UserAssigned will be removed from the identity type value. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> will be the user-assigned identity's name property, which can be found in the identity section of the virtual machine using az vm identity show:

az vm identity remove -g <RESOURCE GROUP> -n <VM NAME> --identities <USER ASSIGNED IDENTITY>

If your VM does not have a system-assigned managed identity and you want to remove all user-assigned identities from it, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vm update -n myVM -g myResourceGroup --set identity.type="none" identity.userAssignedIdentities=null

If your VM has both system-assigned and user-assigned identities, you can remove all the user-assigned identities by switching to use only the system-assigned identity. Use the following command:

az vm update -n myVM -g myResourceGroup --set identity.type='SystemAssigned' identity.userAssignedIdentities=null 
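The three removal commands in this section and the two in the system-assigned section differ only in the identity.type value you set, and that value depends on what the VM currently carries (getting it wrong, or writing None instead of none, fails the update). The script below is an added example (not code from the page or from Azure) that reads the type from az vm identity show output and prints the matching az vm update command. The JSON it parses is a constructed sample with placeholder IDs, and the command is printed rather than run so the logic can be checked offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: pick the right
# `az vm update --set ...` command to strip identities from a VM, driven by
# what `az vm identity show` reports. The command is only printed, so this
# runs offline; pipe the output to sh to apply it.

# Constructed sample of `az vm identity show` output for a VM that carries a
# system-assigned identity plus one user-assigned identity (placeholder values).
SAMPLE_IDENTITY_JSON='{
  "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
  "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
  "type": "SystemAssigned, UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity": {
      "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
      "principalId": "0d5a0c3c-1b2f-4a44-9c73-6f6b4d2b3e21"
    }
  }
}'

# Extract the top-level "type" value from the identity JSON (first match only,
# so nested objects are not consulted). A VM with no identity block reports
# none. Uses sed rather than jq to stay dependency-free.
identity_type_of() {
  local t
  t=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*"type":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  printf '%s\n' "${t:-none}"
}

# Given the current identity.type and what is being removed ("system", or
# "user" meaning all user-assigned identities), return the identity.type to set.
# "none" is spelled lowercase on purpose: the value is case sensitive.
identity_type_after_removal() {
  local current="$1" remove="$2"
  case "$current" in
    "SystemAssigned, UserAssigned"|"SystemAssigned,UserAssigned")
      if [ "$remove" = system ]; then echo UserAssigned; else echo SystemAssigned; fi ;;
    SystemAssigned)
      if [ "$remove" = system ]; then echo none; else echo SystemAssigned; fi ;;
    UserAssigned)
      if [ "$remove" = user ]; then echo none; else echo UserAssigned; fi ;;
    none)
      echo none ;;
    *)
      echo "unknown identity type: $current" >&2; return 1 ;;
  esac
}

# Print the az vm update command that performs the removal, or a comment when
# there is nothing to change. Arguments: resource group, VM name, identity JSON, system|user.
removal_command() {
  local rg="$1" vm="$2" json="$3" remove="$4"
  local current new
  current=$(identity_type_of "$json")
  new=$(identity_type_after_removal "$current" "$remove") || return 1
  if [ "$new" = "$current" ]; then
    echo "# nothing to do: identity.type is already '$current'"
    return 0
  fi
  if [ "$remove" = user ]; then
    # Clearing the map is what actually detaches the user-assigned identities.
    printf "az vm update -n %s -g %s --set identity.type='%s' identity.userAssignedIdentities=null\n" "$vm" "$rg" "$new"
  else
    printf "az vm update -n %s -g %s --set identity.type='%s'\n" "$vm" "$rg" "$new"
  fi
}

# Example invocations against the constructed sample.
removal_command myResourceGroup myVM "$SAMPLE_IDENTITY_JSON" user
removal_command myResourceGroup myVM "$SAMPLE_IDENTITY_JSON" system
```

For a real VM, replace the sample with `"$(az vm identity show -g myResourceGroup -n myVM)"`; reading the current type first also makes the operation idempotent, so re-running it on a VM that already has no identities does nothing instead of failing.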

Next steps