Configure managed identities for Azure resources on a virtual machine scale set using Azure CLI

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you learn how to perform the following managed identities for Azure resources operations on an Azure virtual machine scale set, using the Azure CLI:

  • Enable and disable the system-assigned managed identity on an Azure virtual machine scale set
  • Add and remove a user-assigned managed identity on an Azure virtual machine scale set

Prerequisites

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity for an Azure virtual machine scale set using Azure CLI.

Enable system-assigned managed identity during creation of an Azure virtual machine scale set

To create a virtual machine scale set with the system-assigned managed identity enabled:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription under which you would like to deploy the virtual machine scale set:

    az login
    
  2. Create a resource group for containment and deployment of your virtual machine scale set and its related resources, using az group create. You can skip this step if you already have a resource group you would like to use instead:

    az group create --name myResourceGroup --location chinanorth
    
  3. Create a virtual machine scale set. The following example creates a virtual machine scale set named myVMSS with a system-assigned managed identity, as requested by the --assign-identity parameter. The --admin-username and --admin-password parameters specify the administrative user name and password account for virtual machine sign-in. Update these values as appropriate for your environment:

    az vmss create --resource-group myResourceGroup --name myVMSS --image win2016datacenter --upgrade-policy-mode automatic --custom-data cloud-init.txt --admin-username azureuser --admin-password myPassword12 --assign-identity --generate-ssh-keys
    

Enable system-assigned managed identity on an existing Azure virtual machine scale set

If you need to enable the system-assigned managed identity on an existing Azure virtual machine scale set:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with the Azure subscription that contains the virtual machine scale set.

    az login
    
  2. Enable a system-assigned managed identity on the existing virtual machine scale set:

    az vmss identity assign -g myResourceGroup -n myVMSS
    

Disable system-assigned managed identity from an Azure virtual machine scale set

If you have a virtual machine scale set that no longer needs the system-assigned managed identity, but still needs user-assigned managed identities, use the following command:

az vmss update -n myVMSS -g myResourceGroup --set identity.type='UserAssigned'

If you have a virtual machine scale set that no longer needs the system-assigned managed identity and it has no user-assigned managed identities, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vmss update -n myVMSS -g myResourceGroup --set identity.type="none"

User-assigned managed identity

In this section, you learn how to enable and remove a user-assigned managed identity using Azure CLI.

Assign a user-assigned managed identity during the creation of a virtual machine scale set

This section walks you through creation of a virtual machine scale set and assignment of a user-assigned managed identity to the virtual machine scale set. If you already have a virtual machine scale set you want to use, skip this section and proceed to the next.

  1. You can skip this step if you already have a resource group you would like to use. Create a resource group for containment and deployment of your user-assigned managed identity, using az group create. Be sure to replace the <RESOURCE GROUP> and <LOCATION> parameter values with your own values:

    az group create --name <RESOURCE GROUP> --location <LOCATION>
    
  2. Create a user-assigned managed identity using az identity create. The -g parameter specifies the resource group where the user-assigned managed identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

    Important

    When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

    az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
    

    The response contains details for the user-assigned managed identity created, similar to the following. The resource id value assigned to the user-assigned managed identity is used in the following step.

    {
         "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
         "clientSecretUrl": "https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
         "id": "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>",
         "location": "chinanorth",
         "name": "<USER ASSIGNED IDENTITY NAME>",
         "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
         "resourceGroup": "<RESOURCE GROUP>",
         "tags": {},
         "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
         "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
    }
    
  3. Create a virtual machine scale set. The following example creates a virtual machine scale set associated with the new user-assigned managed identity, as specified by the --assign-identity parameter. Be sure to replace the <RESOURCE GROUP>, <VMSS NAME>, <USER NAME>, <PASSWORD>, and <USER ASSIGNED IDENTITY> parameter values with your own values.

    az vmss create --resource-group <RESOURCE GROUP> --name <VMSS NAME> --image UbuntuLTS --admin-username <USER NAME> --admin-password <PASSWORD> --assign-identity <USER ASSIGNED IDENTITY>
    
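The naming rule in the Important note above is easy to get wrong, and the failure only surfaces later when the identity is assigned to the scale set. The following pre-flight check is an added example, not Azure CLI code, that applies the documented rule (0-9, a-z, A-Z, underscore, hyphen; 3 to 128 characters) to a candidate name before you run az identity create; the function name and sample names are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate a user-assigned managed identity name against the
# rules documented on this page before calling `az identity create`.
# Returns 0 when the name is acceptable, 1 (with a reason on stderr) otherwise.
validate_identity_name() {
    name=$1

    # Reject any character outside 0-9, A-Z, a-z, underscore and hyphen.
    # The hyphen is last in the bracket expression so it is taken literally.
    case $name in
        *[!0-9A-Za-z_-]*)
            echo "invalid name '$name': only 0-9, a-z, A-Z, _ and - are supported" >&2
            return 1 ;;
        "")
            echo "invalid name: empty" >&2
            return 1 ;;
    esac

    # Length must be 3..128 characters for assignment to a VM/VMSS to work.
    len=${#name}
    if [ "$len" -lt 3 ] || [ "$len" -gt 128 ]; then
        echo "invalid name '$name': length $len is outside 3-128" >&2
        return 1
    fi
    return 0
}

# Sample (constructed) names exercised by this example.
for candidate in myVMSS-identity_01 ab 'my identity' 'id.with.dots'; do
    if validate_identity_name "$candidate" 2>/dev/null; then
        echo "ok:      $candidate"
    else
        echo "rejected: $candidate"
    fi
done
```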

Assign a user-assigned managed identity to an existing virtual machine scale set

  1. Create a user-assigned managed identity using az identity create. The -g parameter specifies the resource group where the user-assigned managed identity is created, and the -n parameter specifies its name. Be sure to replace the <RESOURCE GROUP> and <USER ASSIGNED IDENTITY NAME> parameter values with your own values:

    az identity create -g <RESOURCE GROUP> -n <USER ASSIGNED IDENTITY NAME>
    

    The response contains details for the user-assigned managed identity created, similar to the following.

    {
         "clientId": "73444643-8088-4d70-9532-c3a0fdc190fz",
         "clientSecretUrl": "https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY>/credentials?tid=5678&oid=9012&aid=73444643-8088-4d70-9532-c3a0fdc190fz",
         "id": "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY>",
         "location": "chinanorth",
         "name": "<USER ASSIGNED IDENTITY>",
         "principalId": "e5fdfdc1-ed84-4d48-8551-fe9fb9dedfll",
         "resourceGroup": "<RESOURCE GROUP>",
         "tags": {},
         "tenantId": "733a8f0e-ec41-4e69-8ad8-971fc4b533bl",
         "type": "Microsoft.ManagedIdentity/userAssignedIdentities"    
    }
    
  2. Assign the user-assigned managed identity to your virtual machine scale set. Be sure to replace the <RESOURCE GROUP> and <VIRTUAL MACHINE SCALE SET NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> is the user-assigned identity's resource name property, as created in the previous step:

    az vmss identity assign -g <RESOURCE GROUP> -n <VIRTUAL MACHINE SCALE SET NAME> --identities <USER ASSIGNED IDENTITY>
    

Remove a user-assigned managed identity from an Azure virtual machine scale set

To remove a user-assigned managed identity from a virtual machine scale set, use az vmss identity remove. If this is the only user-assigned managed identity assigned to the virtual machine scale set, UserAssigned will be removed from the identity type value. Be sure to replace the <RESOURCE GROUP> and <VIRTUAL MACHINE SCALE SET NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY> will be the user-assigned managed identity's name property, which can be found in the identity section of the virtual machine scale set using az vmss identity show:

az vmss identity remove -g <RESOURCE GROUP> -n <VIRTUAL MACHINE SCALE SET NAME> --identities <USER ASSIGNED IDENTITY>

If your virtual machine scale set does not have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:

Note

The value none is case sensitive. It must be lowercase.

az vmss update -n myVMSS -g myResourceGroup --set identity.type="none" identity.userAssignedIdentities=null

If your virtual machine scale set has both system-assigned and user-assigned managed identities, you can remove all the user-assigned identities by switching to use only the system-assigned managed identity. Use the following command:

az vmss update -n myVMSS -g myResourceGroup --set identity.type='SystemAssigned' identity.userAssignedIdentities=null
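The four az vmss update variants on this page (two under "Disable system-assigned managed identity" and two in this section) differ only in what identity.type is set to, and picking the wrong one either strips an identity you meant to keep or fails because "none" was not lowercase. The helper below is an added example, not Azure CLI code: given the identity.type string currently reported by az vmss identity show and which kind of identity you intend to drop, it prints the arguments to pass after --set, exactly as documented above. The function name is an assumption of this example; the identity.type values it matches on are the ones Azure returns.

```shell
#!/bin/sh
# Added example: derive the `--set` arguments for `az vmss update` from the
# current identity.type ("SystemAssigned", "UserAssigned", or
# "SystemAssigned, UserAssigned" when both are present) and the kind of
# identity to remove ("system" or "user"). Emits "identity.type=none"
# in lowercase, as the notes on this page require.
vmss_identity_set_args() {
    current=$1
    remove=$2
    has_system=0
    has_user=0
    case $current in *SystemAssigned*) has_system=1 ;; esac
    case $current in *UserAssigned*)   has_user=1 ;; esac

    case $remove in
        system)
            [ "$has_system" -eq 1 ] || { echo "no system-assigned identity to remove" >&2; return 1; }
            if [ "$has_user" -eq 1 ]; then
                echo "identity.type=UserAssigned"              # keep user-assigned ones
            else
                echo "identity.type=none"                      # nothing left; must be lowercase
            fi ;;
        user)
            [ "$has_user" -eq 1 ] || { echo "no user-assigned identities to remove" >&2; return 1; }
            if [ "$has_system" -eq 1 ]; then
                echo "identity.type=SystemAssigned identity.userAssignedIdentities=null"
            else
                echo "identity.type=none identity.userAssignedIdentities=null"
            fi ;;
        *)
            echo "usage: vmss_identity_set_args '<current identity.type>' system|user" >&2
            return 2 ;;
    esac
}

# Constructed sample: a scale set that currently has both kinds of identity,
# from which all user-assigned identities should be dropped.
args=$(vmss_identity_set_args "SystemAssigned, UserAssigned" user)
echo "az vmss update -n myVMSS -g myResourceGroup --set $args"
```

Run it with the real identity.type from az vmss identity show --query type -o tsv and paste the printed command; the function never contacts Azure itself.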

Next steps