Configure managed identities for Azure resources on a virtual machine scale set using Azure CLI

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you learn how to perform the following managed identities for Azure resources operations on an Azure virtual machine scale set, using the Azure CLI:

  • Enable and disable the system-assigned managed identity on an Azure virtual machine scale set
  • Add and remove a user-assigned managed identity on an Azure virtual machine scale set

If you don't already have an Azure account, sign up for a Trial before continuing.

Prerequisites

  • If you're unfamiliar with managed identities for Azure resources, see What are managed identities for Azure resources?. To learn about system-assigned and user-assigned managed identity types, see Managed identity types.

  • To perform the management operations in this article, your account needs the following Azure role-based access control assignments:

    Note

    No additional Azure AD directory role assignments are required.

  • If you prefer, install the Azure CLI to run CLI reference commands.
    • If you're using a local install, sign in with Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. See Sign in with Azure CLI for additional sign-in options.
    • When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with Azure CLI.
    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity for an Azure virtual machine scale set using Azure CLI.

Enable system-assigned managed identity during creation of an Azure virtual machine scale set

To create a virtual machine scale set with the system-assigned managed identity enabled:

  1. Create a resource group for containment and deployment of your virtual machine scale set and its related resources, using az group create. You can skip this step if you already have a resource group you would like to use instead:

    az group create --name myResourceGroup --location chinanorth
    
  2. Create a virtual machine scale set. The following example creates a virtual machine scale set named myVMSS with a system-assigned managed identity, as requested by the --assign-identity parameter. The --admin-username and --admin-password parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

    az vmss create --resource-group myResourceGroup --name myVMSS --image win2016datacenter --upgrade-policy-mode automatic --custom-data cloud-init.txt --admin-username azureuser --admin-password myPassword12 --assign-identity --generate-ssh-keys
    

Enable system-assigned managed identity on an existing Azure virtual machine scale set

If you need to enable the system-assigned managed identity on an existing Azure virtual machine scale set:

az vmss identity assign -g myResourceGroup -n myVMSS

Disable system-assigned managed identity from an Azure virtual machine scale set

If you have a virtual machine scale set that no longer needs the system-assigned managed identity, but still needs user-assigned managed identities, use the following command:

az vmss update -n myVM -g myResourceGroup --set identity.type='UserAssigned' 

If you have a virtual machine scale set that no longer needs the system-assigned managed identity and it has no user-assigned managed identities, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vmss update -n myVM -g myResourceGroup --set identity.type="none"

User-assigned managed identity

In this section, you learn how to enable and remove a user-assigned managed identity using Azure CLI.

Assign a user-assigned managed identity during the creation of a virtual machine scale set

This section walks you through creation of a virtual machine scale set and assignment of a user-assigned managed identity to the virtual machine scale set. If you already have a virtual machine scale set you want to use, skip this section and proceed to the next.

  1. You can skip this step if you already have a resource group you would like to use. Create a resource group for containment and deployment of your user-assigned managed identity, using az group create. Be sure to replace the <RESOURCE GROUP> and <LOCATION> parameter values with your own values:

    az group create --name <RESOURCE GROUP> --location <LOCATION>
    
  2. Create a user-assigned managed identity using az identity create. The -g parameter specifies the resource group where the user-assigned managed identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

    Important

    When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

    az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
    

    The response contains details for the user-assigned managed identity created, similar to the following. The resource id value assigned to the user-assigned managed identity is used in the following step.

    {
         "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
         "clientSecretUrl": "https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
         "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>",
         "location": "chinanorth",
         "name": "<USER ASSIGNED IDENTITY NAME>",
         "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
         "resourceGroup": "<RESOURCE GROUP>",
         "tags": {},
         "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
         "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
    }
    
  3. Create a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the --assign-identity parameter. Be sure to replace the <RESOURCE GROUP>, <VMSS NAME>, <USER NAME>, <PASSWORD>, and <USER ASSIGNED IDENTITY> parameter values with your own values.

    az vmss create --resource-group <RESOURCE GROUP> --name <VMSS NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY>
    

Assign a user-assigned managed identity to an existing virtual machine scale set

  1. Create a user-assigned managed identity using az identity create. The -g parameter specifies the resource group where the user-assigned managed identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

    az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
    

    The response contains details for the user-assigned managed identity created, similar to the following.

    {
         "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
         "clientSecretUrl": "https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY >/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
         "id": "/subscriptions/<SUBSCRIPTON ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY>",
         "location": "chinanorth",
         "name": "<USER ASSIGNED IDENTITY>",
         "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
         "resourceGroup": "<RESOURCE GROUP>",
         "tags": {},
         "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
         "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
    }
    
  2. Assign the user-assigned managed identity to your virtual machine scale set. Be sure to replace the <RESOURCE GROUP> and <VIRTUAL MACHINE SCALE SET NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> is the user-assigned identity's resource name property, as created in the previous step:

    az vmss identity assign -g <RESOURCE GROUP> -n <VIRTUAL MACHINE SCALE SET NAME> --identities <USER ASSIGNED IDENTITY>
    

Remove a user-assigned managed identity from an Azure virtual machine scale set

To remove a user-assigned managed identity from a virtual machine scale set, use az vmss identity remove. If this is the only user-assigned managed identity assigned to the virtual machine scale set, UserAssigned will be removed from the identity type value. Be sure to replace the <RESOURCE GROUP> and <VIRTUAL MACHINE SCALE SET NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> will be the user-assigned managed identity's name property, which can be found in the identity section of the virtual machine scale set using az vmss identity show:

az vmss identity remove -g <RESOURCE GROUP> -n <VIRTUAL MACHINE SCALE SET NAME> --identities <USER ASSIGNED IDENTITY>

If your virtual machine scale set does not have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vmss update -n myVMSS -g myResourceGroup --set identity.type="none" identity.userAssignedIdentities=null

If your virtual machine scale set has both system-assigned and user-assigned managed identities, you can remove all the user-assigned identities by switching to use only the system-assigned managed identity. Use the following command:

az vmss update -n myVMSS -g myResourceGroup --set identity.type='SystemAssigned' identity.userAssignedIdentities=null 
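The system-assigned removal commands earlier in this article and the user-assigned removal commands just above differ only in which identity.type value (and whether identity.userAssignedIdentities=null) you pass to az vmss update, and picking the wrong one silently drops an identity your workloads may still rely on. The script below is an added example, not code from the Azure documentation: it reads the current type from the JSON that az vmss identity show prints (the sample JSON here is constructed, with placeholder GUIDs) and derives the correct --set arguments, including the lowercase "none" requirement.

```shell
# Added example (not from the original article): choose the right `az vmss update --set ...`
# arguments for removing identities, based on the scale set's current identity.type.
# SAMPLE_IDENTITY_JSON is a constructed stand-in for the output of
# `az vmss identity show -g <RESOURCE GROUP> -n <VMSS NAME>`; GUIDs are placeholders.
set -eu
SAMPLE_IDENTITY_JSON='{
  "principalId": "00000000-0000-0000-0000-000000000000",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "type": "SystemAssigned, UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY>": {
      "clientId": "00000000-0000-0000-0000-000000000000",
      "principalId": "00000000-0000-0000-0000-000000000000"
    }
  }
}'
# identity_type JSON -> prints the top-level "type" value, e.g. "SystemAssigned, UserAssigned".
# The az CLI prints one key per line, so a line-oriented sed match suffices (no jq needed);
# nested entries under userAssignedIdentities have no "type" key, so they cannot match.
identity_type() {
  printf '%s\n' "$1" | sed -n 's/^ *"type": *"\([^"]*\)".*/\1/p' | head -n 1
}
# plan_removal CURRENT_TYPE system|user -> prints the arguments that follow
# `az vmss update -n <VMSS NAME> -g <RESOURCE GROUP>` for that removal, keeping
# whichever identity kind is NOT being removed.
plan_removal() {
  cur="$1"; kind="$2"; has_sys=0; has_user=0
  case "$cur" in *SystemAssigned*) has_sys=1 ;; esac
  case "$cur" in *UserAssigned*)   has_user=1 ;; esac
  case "$kind" in
    system)
      if [ "$has_user" -eq 1 ]; then
        printf '%s\n' "--set identity.type='UserAssigned'"
      else
        printf '%s\n' '--set identity.type="none"'   # "none" must be lowercase
      fi ;;
    user)
      if [ "$has_sys" -eq 1 ]; then
        printf '%s\n' "--set identity.type='SystemAssigned' identity.userAssignedIdentities=null"
      else
        printf '%s\n' '--set identity.type="none" identity.userAssignedIdentities=null'
      fi ;;
  esac
}
# Stand-alone usage: show the command you would run to drop all user-assigned identities.
current_type="$(identity_type "$SAMPLE_IDENTITY_JSON")"
echo "current identity.type: $current_type"
echo "az vmss update -n <VMSS NAME> -g <RESOURCE GROUP> $(plan_removal "$current_type" user)"
```

In real use, replace SAMPLE_IDENTITY_JSON with the live output of az vmss identity show and review the printed command before running it.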

Next steps