Configure managed identities for Azure resources on virtual machine scale sets using PowerShell

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, you learn how to use PowerShell to perform the following managed identities for Azure resources operations on a virtual machine scale set:

  • Enable and disable the system-assigned managed identity on a virtual machine scale set
  • Add and remove a user-assigned managed identity on a virtual machine scale set

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

System-assigned managed identity

In this section, you learn how to enable and remove a system-assigned managed identity using Azure PowerShell.

Enable system-assigned managed identity during the creation of an Azure virtual machine scale set

To create a virtual machine scale set with the system-assigned managed identity enabled:

  1. Refer to Example 1 in the New-AzVmssConfig cmdlet reference article to create a virtual machine scale set with a system-assigned managed identity. Add the parameter -IdentityType SystemAssigned to the New-AzVmssConfig cmdlet:

    $VMSS = New-AzVmssConfig -Location $Loc -SkuCapacity 2 -SkuName "Standard_A0" -UpgradePolicyMode "Automatic" -NetworkInterfaceConfiguration $NetCfg -IdentityType SystemAssigned

Enable system-assigned managed identity on an existing Azure virtual machine scale set

If you need to enable a system-assigned managed identity on an existing Azure virtual machine scale set:

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the virtual machine scale set. Also make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor":

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. First retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to enable a system-assigned managed identity, use the -IdentityType switch on the Update-AzVmss cmdlet:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"

Disable the system-assigned managed identity from an Azure virtual machine scale set

If you have a virtual machine scale set that no longer needs the system-assigned managed identity but still needs user-assigned managed identities, use the following cmdlet:

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the VM. Also make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor":

  2. Run the following cmdlet:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "UserAssigned"
    

If you have a virtual machine scale set that no longer needs the system-assigned managed identity and it has no user-assigned managed identities, use the following command:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None
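The two commands above differ in an important way: -IdentityType None clears every identity on the scale set, so running it on a scale set that still carries user-assigned identities silently removes them as well. The following script, added here as an example and not part of the original article, reads the current identity block first and then removes only the system-assigned identity, passing any existing user-assigned identities back explicitly. The resource group and scale set names are assumed placeholders.

```powershell
# Added example: remove the system-assigned identity from a scale set without
# dropping its user-assigned identities. Setting -IdentityType None removes
# *all* identities, so inspect the current identity before choosing a target.
# Assumed names: resource group "myResourceGroup", scale set "myVmss".
param(
    [string]$ResourceGroupName = "myResourceGroup",
    [string]$Name = "myVmss"
)

$vmss = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $Name

$currentType = if ($vmss.Identity) { [string]$vmss.Identity.Type } else { "None" }
Write-Host "Current identity type: $currentType"

if ($currentType -notmatch "SystemAssigned") {
    Write-Host "No system-assigned identity present; nothing to do."
    return
}

# User-assigned identities are stored in a dictionary keyed by their full resource ID.
$userAssignedIds = @()
if ($vmss.Identity.UserAssignedIdentities) {
    $userAssignedIds = @($vmss.Identity.UserAssignedIdentities.Keys)
}

if ($userAssignedIds.Count -gt 0) {
    # Keep the user-assigned identities; only the system-assigned one goes away.
    Update-AzVmss -ResourceGroupName $ResourceGroupName -Name $Name `
        -IdentityType UserAssigned -IdentityID $userAssignedIds | Out-Null
} else {
    # Nothing else to preserve, so clearing the identity block is safe.
    Update-AzVmss -ResourceGroupName $ResourceGroupName -Name $Name `
        -IdentityType None | Out-Null
}

# Read the scale set model back to confirm what is actually configured now.
$after = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $Name
$afterType = if ($after.Identity) { [string]$after.Identity.Type } else { "None" }
Write-Host "Identity type is now: $afterType"
```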

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity on a virtual machine scale set using Azure PowerShell.

Assign a user-assigned managed identity during creation of an Azure virtual machine scale set

Creating a new virtual machine scale set with a user-assigned managed identity isn't currently supported via PowerShell. See the next section on how to add a user-assigned managed identity to an existing virtual machine scale set. Check back for updates.

Assign a user-assigned managed identity to an existing Azure virtual machine scale set

To assign a user-assigned managed identity to an existing Azure virtual machine scale set:

  1. Sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud. Use an account that is associated with the Azure subscription that contains the virtual machine scale set. Also make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor":

    Connect-AzAccount -Environment AzureChinaCloud
    
  2. First retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to assign a user-assigned managed identity to the virtual machine scale set, use the -IdentityType and -IdentityID switches on the Update-AzVmss cmdlet. Replace <VM NAME>, <SUBSCRIPTION ID>, <RESOURCE GROUP>, <USER ASSIGNED ID1> and <USER ASSIGNED ID2> with your own values.

    Important

    When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

    Update-AzVmss -ResourceGroupName <RESOURCE GROUP> -Name <VMSS NAME> -IdentityType UserAssigned -IdentityID "<USER ASSIGNED ID1>","<USER ASSIGNED ID2>"
    

Remove a user-assigned managed identity from an Azure virtual machine scale set

If your virtual machine scale set has multiple user-assigned managed identities, you can remove all but the last one using the following commands. Be sure to replace the <RESOURCE GROUP> and <VIRTUAL MACHINE SCALE SET NAME> parameter values with your own values. <USER ASSIGNED IDENTITY NAME> is the name property of the user-assigned managed identity that should remain on the virtual machine scale set. This information can be found in the identity section of the virtual machine scale set using az vmss show:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType UserAssigned -IdentityID "<USER ASSIGNED IDENTITY NAME>"

If your virtual machine scale set does not have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None

If your virtual machine scale set has both system-assigned and user-assigned managed identities, you can remove all the user-assigned managed identities by switching to use only the system-assigned managed identity:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"
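Because -IdentityType and -IdentityID replace the whole identity block rather than editing it, removing a single user-assigned identity means passing back every identity you intend to keep. The script below, added here as an example and not part of the original article, removes one user-assigned identity by name and works out the correct -IdentityType for whatever remains, including the case where a system-assigned identity is also present (that combination is passed as SystemAssignedUserAssigned, a value this article does not show and which is assumed here). The resource group, scale set and identity names are assumed placeholders.

```powershell
# Added example: remove one user-assigned identity by name and keep every other
# identity the scale set already has. Assumed names: resource group
# "myResourceGroup", scale set "myVmss", identity to remove "myOldIdentity".
param(
    [string]$ResourceGroupName = "myResourceGroup",
    [string]$Name              = "myVmss",
    [string]$IdentityToRemove  = "myOldIdentity"
)

$vmss = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $Name
if (-not $vmss.Identity -or -not $vmss.Identity.UserAssignedIdentities) {
    throw "Scale set '$Name' has no user-assigned identities."
}

# Dictionary keys are full resource IDs (.../userAssignedIdentities/<name>),
# so compare only the trailing segment against the requested name.
$allIds  = @($vmss.Identity.UserAssignedIdentities.Keys)
$keepIds = @($allIds | Where-Object { ($_ -split '/')[-1] -ne $IdentityToRemove })
if ($keepIds.Count -eq $allIds.Count) {
    throw "Identity '$IdentityToRemove' is not assigned to '$Name'."
}

$hasSystem = ([string]$vmss.Identity.Type) -match "SystemAssigned"

if ($keepIds.Count -gt 0) {
    # Other user-assigned identities remain; keep the system-assigned one too if present.
    $type = if ($hasSystem) { "SystemAssignedUserAssigned" } else { "UserAssigned" }
    Update-AzVmss -ResourceGroupName $ResourceGroupName -Name $Name `
        -IdentityType $type -IdentityID $keepIds | Out-Null
} elseif ($hasSystem) {
    # That was the last user-assigned identity; fall back to system-assigned only.
    Update-AzVmss -ResourceGroupName $ResourceGroupName -Name $Name `
        -IdentityType SystemAssigned | Out-Null
} else {
    # That was the only identity of any kind; clear the identity block.
    Update-AzVmss -ResourceGroupName $ResourceGroupName -Name $Name `
        -IdentityType None | Out-Null
}

# Read the model back and report what is left.
$after     = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $Name
$remaining = if ($after.Identity -and $after.Identity.UserAssignedIdentities) {
    @($after.Identity.UserAssignedIdentities.Keys)
} else { @() }
Write-Host "Remaining user-assigned identities: $($remaining.Count)"
```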

Next steps