Configure managed identities for Azure resources on an Azure VM using PowerShell

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, using PowerShell, you learn how to perform the following managed identities for Azure resources operations on an Azure VM.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

System-assigned managed identity

In this section, you learn how to enable and disable the system-assigned managed identity using Azure PowerShell.

Enable system-assigned managed identity during creation of an Azure VM

To create an Azure VM with the system-assigned managed identity enabled, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. Refer to one of the following Azure VM Quickstarts, completing only the necessary sections ("Sign in to Azure", "Create resource group", "Create networking group", "Create the VM").

    When you get to the "Create the VM" section, make a slight modification to the New-AzVMConfig cmdlet syntax. Be sure to add a -IdentityType SystemAssigned parameter to provision the VM with the system-assigned identity enabled, for example:

    $vmConfig = New-AzVMConfig -VMName myVM -IdentityType SystemAssigned ...
    

Enable system-assigned managed identity on an existing Azure VM

To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the VM.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. First retrieve the VM properties using the Get-AzVM cmdlet. Then, to enable a system-assigned managed identity, use the -IdentityType switch on the Update-AzVM cmdlet:

    $vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
    Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType SystemAssigned
    

Add VM system-assigned identity to a group

After you have enabled the system-assigned identity on a VM, you can add it to a group. The following procedure adds a VM's system-assigned identity to a group.

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the VM.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Retrieve and note the ObjectID (as specified in the Id field of the returned values) of the VM's service principal:

    Get-AzADServicePrincipal -displayname "myVM"
    
  3. Retrieve and note the ObjectID (as specified in the Id field of the returned values) of the group:

    Get-AzADGroup -searchstring "myGroup"
    
  4. Add the VM's service principal to the group:

    # Add-AzureADGroupMember comes from the AzureAD module (Connect-AzureAD), not from the Az module
    Add-AzureADGroupMember -ObjectId "<objectID of group>" -RefObjectId "<object id of VM service principal>"
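The steps above look the VM's service principal up by display name, which can match more than one object when several VMs share a name. The following is an added example, not code from the original article, that resolves the service principal from the PrincipalId stored on the VM object itself, refuses to proceed unless the group name matches exactly one group, and re-reads the membership afterwards. It assumes the Az.Compute, Az.Resources and AzureAD modules are installed and that you are already signed in with Connect-AzAccount and Connect-AzureAD; myResourceGroup, myVM and myGroup are the article's placeholder names.

```powershell
# Added example (not from the original article): attach a VM's system-assigned
# identity to an Azure AD group using the VM's own PrincipalId, then verify.
# Assumes Az.Compute, Az.Resources and the AzureAD module, and an active sign-in.

function Add-VmIdentityToGroup {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $GroupDisplayName
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # A VM without a system-assigned identity has no PrincipalId. Fail here
    # instead of falling back to a name search that could pick another object.
    if (-not $vm.Identity -or -not $vm.Identity.PrincipalId) {
        throw "VM '$VMName' has no system-assigned identity enabled."
    }
    $principalId = $vm.Identity.PrincipalId

    # Insist on exactly one group so a near-duplicate name cannot be chosen silently.
    $groups = @(Get-AzADGroup -DisplayName $GroupDisplayName)
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
    }
    $groupId = $groups[0].Id

    # Only add when not already a member, so the script can be re-run safely.
    $existing = Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Where-Object { $_.ObjectId -eq $principalId }
    if (-not $existing) {
        Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $principalId
    }

    # Re-read membership so the result reflects what the directory stored.
    $member = Get-AzureADGroupMember -ObjectId $groupId -All $true |
        Where-Object { $_.ObjectId -eq $principalId }
    return [pscustomobject]@{
        VMName      = $VMName
        PrincipalId = $principalId
        GroupId     = $groupId
        IsMember    = [bool]$member
    }
}

Add-VmIdentityToGroup -ResourceGroupName myResourceGroup -VMName myVM -GroupDisplayName myGroup
```

The returned object carries the PrincipalId and GroupId that were actually used, which is what you want to record if group membership is part of an access review.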
    

Disable system-assigned managed identity from an Azure VM

To disable system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

If you have a virtual machine that no longer needs the system-assigned managed identity but still needs user-assigned managed identities, use the following cmdlet:

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the VM.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Retrieve the VM properties using the Get-AzVM cmdlet and set the -IdentityType parameter to UserAssigned:

    $vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
    Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType "UserAssigned"
    

If you have a virtual machine that no longer needs the system-assigned managed identity and it has no user-assigned managed identities, use the following commands:

$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType None

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity from a VM using Azure PowerShell.

Assign a user-assigned managed identity to a VM during creation

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

  1. Refer to one of the following Azure VM Quickstarts, completing only the necessary sections ("Sign in to Azure", "Create resource group", "Create networking group", "Create the VM").

    When you get to the "Create the VM" section, make a slight modification to the New-AzVMConfig cmdlet syntax. Add the -IdentityType UserAssigned and -IdentityID parameters to provision the VM with a user-assigned identity. Replace <VM NAME>, <SUBSCRIPTION ID>, <RESOURCE GROUP>, and <USER ASSIGNED IDENTITY NAME> with your own values. For example:

    $vmConfig = New-AzVMConfig -VMName <VM NAME> -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>..."
    

Assign a user-assigned managed identity to an existing Azure VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the VM.

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. Create a user-assigned managed identity using the New-AzUserAssignedIdentity cmdlet. Note the Id in the output because you will need it in the next step.

    Important

    Creating user-assigned managed identities only supports alphanumeric, underscore and hyphen (0-9 or a-z or A-Z, _ or -) characters. Additionally, the name should be between 3 and 128 characters long for the assignment to the VM/VMSS to work properly. For more information, see FAQs and known issues.

    New-AzUserAssignedIdentity -ResourceGroupName <RESOURCEGROUP> -Name <USER ASSIGNED IDENTITY NAME>
    
  3. Retrieve the VM properties using the Get-AzVM cmdlet. Then, to assign a user-assigned managed identity to the Azure VM, use the -IdentityType and -IdentityID switches on the Update-AzVM cmdlet. The value for the -IdentityId parameter is the Id you noted in the previous step. Replace <VM NAME>, <SUBSCRIPTION ID>, <RESOURCE GROUP>, and <USER ASSIGNED IDENTITY NAME> with your own values.

    Warning

    To retain any user-assigned managed identities previously assigned to the VM, query the Identity property of the VM object (for example, $vm.Identity). If any user-assigned managed identities are returned, include them in the following command along with the new user-assigned managed identity you would like to assign to the VM.

    $vm = Get-AzVM -ResourceGroupName <RESOURCE GROUP> -Name <VM NAME>
    Update-AzVM -ResourceGroupName <RESOURCE GROUP> -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>"
    

Remove a user-assigned managed identity from an Azure VM

To remove a user-assigned identity from a VM, your account needs the Virtual Machine Contributor role assignment.

If your VM has multiple user-assigned managed identities, you can remove all but the last one using the following commands. Be sure to replace the <RESOURCE GROUP> and <VM NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY NAME> is the user-assigned managed identity's name property, which should remain on the VM. This information can be found by querying the Identity property of the VM object, for example $vm.Identity:

$vm = Get-AzVm -ResourceGroupName myResourceGroup -Name myVm
# -IdentityID takes the full resource ID of each identity that should stay on the VM, in the same form used when assigning it
Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType UserAssigned -IdentityID "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/<RESOURCE GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<USER ASSIGNED IDENTITY NAME>"

If your VM does not have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following commands:

$vm = Get-AzVm -ResourceGroupName myResourceGroup -Name myVm
Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType None

If your VM has both system-assigned and user-assigned managed identities, you can remove all the user-assigned managed identities by switching to use only the system-assigned managed identity.

$vm = Get-AzVm -ResourceGroupName myResourceGroup -Name myVm
Update-AzVm -ResourceGroupName myResourceGroup -VM $vm -IdentityType "SystemAssigned"
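Every Update-AzVM call on this page replaces the VM's whole identity configuration, so the -IdentityType value you pass decides which identities survive: "SystemAssigned" drops all user-assigned identities, "UserAssigned" drops the system-assigned one, and "None" drops everything. The following is an added example, not code from the original article, that folds the enable/disable system-assigned steps, the assignment step with its name rules and retention warning, and the three removal cases above into one function which reads the VM's current identities, applies the requested additions and removals, and derives the correct -IdentityType from the result. It assumes the Az.Compute and Az.ManagedServiceIdentity modules, an existing sign-in with Connect-AzAccount -Environment AzureChinaCloud, and that 'SystemAssignedUserAssigned' is the Az.Compute -IdentityType value for a VM carrying both kinds of identity; myResourceGroup, myVM and <USER ASSIGNED IDENTITY NAME> are the article's placeholders.

```powershell
# Added example (not from the original article). Assumes Az.Compute and
# Az.ManagedServiceIdentity, an active Connect-AzAccount session, and that
# 'SystemAssignedUserAssigned' is the Az.Compute identity type for "both".

function Test-UserAssignedIdentityName {
    param([Parameter(Mandatory)] [string] $Name)
    # The rule from the Important note: A-Z, a-z, 0-9, _ and -, 3 to 128 characters.
    return $Name -match '^[A-Za-z0-9_-]{3,128}$'
}

function Get-OrCreateUserAssignedIdentity {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $Name
    )
    if (-not (Test-UserAssignedIdentityName -Name $Name)) {
        throw "'$Name' is not a valid user-assigned identity name."
    }
    # Reuse an existing identity instead of failing or creating a duplicate.
    $identity = Get-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name -ErrorAction SilentlyContinue
    if (-not $identity) {
        $identity = New-AzUserAssignedIdentity -ResourceGroupName $ResourceGroupName -Name $Name
    }
    return $identity   # .Id is the full resource ID that -IdentityID expects
}

function Get-VmIdentityType {
    param([bool] $SystemAssigned, [string[]] $UserAssignedIds)
    $hasUA = $UserAssignedIds.Count -gt 0
    if ($SystemAssigned -and $hasUA) { return 'SystemAssignedUserAssigned' }
    if ($SystemAssigned)             { return 'SystemAssigned' }
    if ($hasUA)                      { return 'UserAssigned' }
    return 'None'
}

function Set-VmManagedIdentity {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VMName,
        [Nullable[bool]] $SystemAssigned = $null,   # $null keeps the current setting
        [string[]] $AddUserAssignedIds = @(),
        [string[]] $RemoveUserAssignedIds = @()
    )
    $vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName

    # Current state: a PrincipalId means a system-assigned identity exists; the
    # dictionary keys are the resource IDs of the user-assigned identities.
    $currentSA = [bool]($vm.Identity -and $vm.Identity.PrincipalId)
    $currentUA = @()
    if ($vm.Identity -and $vm.Identity.UserAssignedIdentities) {
        $currentUA = @($vm.Identity.UserAssignedIdentities.Keys)
    }

    # Desired state = current + additions - removals. Resource IDs compare
    # case-insensitively, which -contains/-notcontains already do for strings.
    $wantSA = if ($null -eq $SystemAssigned) { $currentSA } else { [bool]$SystemAssigned }
    $wantUA = @()
    foreach ($id in @($currentUA) + @($AddUserAssignedIds)) {
        if ($wantUA -notcontains $id -and $RemoveUserAssignedIds -notcontains $id) { $wantUA += $id }
    }
    $type = Get-VmIdentityType -SystemAssigned $wantSA -UserAssignedIds $wantUA

    if ($wantUA.Count -gt 0) {
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType $type -IdentityID $wantUA | Out-Null
    } else {
        # Nothing user-assigned remains: SystemAssigned or None, as in the article.
        Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType $type | Out-Null
    }

    # Re-read the VM so the caller sees what Azure stored, not what was requested.
    $after = (Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName).Identity
    $afterUA = if ($after -and $after.UserAssignedIdentities) { @($after.UserAssignedIdentities.Keys) } else { @() }
    return [pscustomobject]@{ Type = $type; PrincipalId = $after.PrincipalId; UserAssignedIds = $afterUA }
}

# Enable the system-assigned identity without disturbing user-assigned ones.
Set-VmManagedIdentity -ResourceGroupName myResourceGroup -VMName myVM -SystemAssigned $true

# Create (or reuse) a user-assigned identity and attach it, keeping what is already assigned.
$uai = Get-OrCreateUserAssignedIdentity -ResourceGroupName myResourceGroup -Name '<USER ASSIGNED IDENTITY NAME>'
Set-VmManagedIdentity -ResourceGroupName myResourceGroup -VMName myVM -AddUserAssignedIds $uai.Id

# Detach that identity again; the type falls back to SystemAssigned, UserAssigned or None.
Set-VmManagedIdentity -ResourceGroupName myResourceGroup -VMName myVM -RemoveUserAssignedIds $uai.Id
```

Because the function always starts from the VM's live identity list, re-running it is safe, and a removal can never widen the VM's access by accidentally restoring an identity that had already been taken away.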

Next steps