Configure managed identities for Azure resources on a VM using the Azure portal

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Managed identities for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
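As an added example (not part of this article), the Python snippet below shows how a workload running on the VM consumes the identity enabled in the steps that follow: it requests a token from the Azure Instance Metadata Service (IMDS), optionally selecting a user-assigned identity by its client ID, and checks the token's remaining lifetime before using it. The IMDS endpoint and the `Metadata: true` header are standard Azure behaviour not described on this page; the response body is constructed sample data, not a real token.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Azure Instance Metadata Service endpoint (link-local; reachable only from inside the VM).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def imds_token_request(resource, client_id=None):
    """Build the IMDS request for a token scoped to `resource`.

    With no client_id the VM's system-assigned identity is used; passing the
    client_id of a user-assigned identity selects that identity instead.
    IMDS rejects requests that lack the 'Metadata: true' header.
    """
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = f"{IMDS_TOKEN_URL}?{urlencode(params)}"
    return Request(url, headers={"Metadata": "true"})


def parse_token_response(body):
    """Extract the bearer token and its expiry (epoch seconds) from the IMDS JSON reply."""
    data = json.loads(body)
    return {"access_token": data["access_token"],
            "expires_on": int(data["expires_on"]),
            "token_type": data["token_type"]}


def token_is_fresh(token, now=None, skew=300):
    """Treat a token as usable only if more than `skew` seconds of lifetime remain."""
    now = time.time() if now is None else now
    return token["expires_on"] - now > skew


def fetch_token(resource, client_id=None, timeout=5):
    """Perform the real IMDS call; only works on an Azure VM with a managed identity enabled."""
    with urlopen(imds_token_request(resource, client_id), timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample reply (not a real token) so the parsing path can run offline.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi.constructed.sample",
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})
```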

In this article, you learn how to enable and disable system-assigned and user-assigned managed identities for an Azure Virtual Machine (VM) using the Azure portal.

Prerequisites

  • If you're unfamiliar with managed identities for Azure resources, check out the overview section.
  • If you don't already have an Azure account, sign up for a Trial before continuing.

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity for a VM using the Azure portal.

Enable system-assigned managed identity on an existing VM

To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired Virtual Machine and select Identity.

  3. Under System assigned, Status, select On and then click Save:

    Screenshot of the Configuration page

Remove system-assigned managed identity from a VM

To remove system-assigned managed identity from a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

If you have a Virtual Machine that no longer needs system-assigned managed identity:

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired Virtual Machine and select Identity.

  3. Under System assigned, Status, select Off and then click Save:

    Screenshot of the Configuration page

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity from a VM using the Azure portal.

Assign a user-assigned identity during the creation of a VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

Currently, the Azure portal does not support assigning a user-assigned managed identity during the creation of a VM. Instead, refer to one of the following VM creation Quickstart articles to first create a VM, and then proceed to the next section for details on assigning a user-assigned managed identity to the VM:

Assign a user-assigned managed identity to an existing VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired VM and click Identity, User assigned and then +Add.

    Screenshot: add a user-assigned managed identity to a VM

  3. Click the user-assigned identity you want to add to the VM and then click Add.

    Screenshot: add a user-assigned managed identity to a VM

Remove a user-assigned managed identity from a VM

To remove a user-assigned identity from a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the VM.

  2. Navigate to the desired VM and click Identity, User assigned, then the name of the user-assigned managed identity you want to delete, and then click Remove (click Yes in the confirmation pane).

    Screenshot: remove a user-assigned managed identity from a VM

Next steps