Configure managed identities for Azure resources on virtual machine scale sets using PowerShell

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

In this article, using PowerShell, you learn how to perform the following managed identities for Azure resources operations on a virtual machine scale set:

  • Enable and disable the system-assigned managed identity on a virtual machine scale set
  • Add and remove a user-assigned managed identity on a virtual machine scale set

Note

This article has been updated to use the Azure Az PowerShell module. The Az PowerShell module is the recommended PowerShell module for interacting with Azure. To get started with the Az PowerShell module, see Install Azure PowerShell. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.

Prerequisites

  • If you're unfamiliar with managed identities for Azure resources, check out the overview section. Be sure to review the difference between a system-assigned and a user-assigned managed identity.

  • If you don't already have an Azure account, sign up for a Trial before continuing.

  • To perform the management operations in this article, your account needs the following Azure role-based access control assignments:

    Note

    No additional Azure AD directory role assignments are required.

    • Virtual Machine Contributor to create a virtual machine scale set and to enable and remove a system-assigned and/or user-assigned managed identity on a virtual machine scale set.
    • Managed Identity Contributor role to create a user-assigned managed identity.
    • Managed Identity Operator role to assign a user-assigned managed identity to, and remove it from, a virtual machine scale set.
  • To run the example scripts, you can run them locally by installing the latest version of Azure PowerShell, then sign in to Azure using Connect-AzAccount -Environment AzureChinaCloud.

System-assigned managed identity

In this section, you learn how to enable and remove a system-assigned managed identity using Azure PowerShell.

Enable system-assigned managed identity during the creation of an Azure virtual machine scale set

To create a virtual machine scale set with the system-assigned managed identity enabled:

  1. Refer to Example 1 in the New-AzVmssConfig cmdlet reference article to create a virtual machine scale set with a system-assigned managed identity. Add the parameter -IdentityType SystemAssigned to the New-AzVmssConfig cmdlet:

    $VMSS = New-AzVmssConfig -Location $Loc -SkuCapacity 2 -SkuName "Standard_A0" -UpgradePolicyMode "Automatic" -NetworkInterfaceConfiguration $NetCfg -IdentityType SystemAssigned
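The complete creation flow that step 1 points to, written out end to end and followed by a read-back of the resulting identity. This is an added example, not code from the original article or from the New-AzVmssConfig reference; the resource group, region, names, VM size, image and role scope are assumed placeholders.

```powershell
# Added example, not code from the original article: create a scale set with a
# system-assigned managed identity and read the identity back. Resource group,
# region, names, VM size and image below are assumed placeholders.
$RGName   = 'myResourceGroup'
$VmssName = 'myVmss'
$Loc      = 'chinaeast2'                       # assumed region
$cred     = Get-Credential -Message 'Local admin account for the instances'

New-AzResourceGroup -Name $RGName -Location $Loc -Force | Out-Null

# Minimal virtual network for the instances (constructed for this example).
$SubNet = New-AzVirtualNetworkSubnetConfig -Name 'vmssSubnet' -AddressPrefix '10.0.0.0/24'
$VNet   = New-AzVirtualNetwork -Force -Name 'vmssVnet' -ResourceGroupName $RGName `
            -Location $Loc -AddressPrefix '10.0.0.0/16' -Subnet $SubNet
$IPCfg  = New-AzVmssIpConfig -Name 'vmssIpCfg' -SubnetId $VNet.Subnets[0].Id

# -IdentityType SystemAssigned is the only identity-related addition; the rest
# is the usual configuration pipeline from the cmdlet reference.
$VMSS = New-AzVmssConfig -Location $Loc -SkuCapacity 2 -SkuName 'Standard_DS1_v2' `
            -UpgradePolicyMode 'Automatic' -IdentityType SystemAssigned |
        Add-AzVmssNetworkInterfaceConfiguration -Name 'vmssNic' -Primary $true -IPConfiguration $IPCfg |
        Set-AzVmssOsProfile -ComputerNamePrefix 'vmss' -AdminUsername $cred.UserName `
            -AdminPassword $cred.GetNetworkCredential().Password |
        Set-AzVmssStorageProfile -OsDiskCreateOption 'FromImage' -OsDiskCaching 'ReadWrite' `
            -ManagedDisk 'Standard_LRS' -ImageReferencePublisher 'Canonical' `
            -ImageReferenceOffer '0001-com-ubuntu-server-jammy' -ImageReferenceSku '22_04-lts-gen2' `
            -ImageReferenceVersion 'latest'   # assumed image; pick one available in your region

New-AzVmss -ResourceGroupName $RGName -VMScaleSetName $VmssName -VirtualMachineScaleSet $VMSS | Out-Null

# Read back. Type should be SystemAssigned; PrincipalId is the service principal
# you grant roles to. No credential is ever written into the instances or scripts.
$vmss = Get-AzVmss -ResourceGroupName $RGName -VMScaleSetName $VmssName
$vmss.Identity | Select-Object Type, PrincipalId, TenantId

# Least privilege: scope the first role assignment narrowly, here to the scale
# set's own resource group (assumed scope), rather than to the subscription.
$scope = (Get-AzResourceGroup -Name $RGName).ResourceId
New-AzRoleAssignment -ObjectId $vmss.Identity.PrincipalId -RoleDefinitionName 'Reader' -Scope $scope
```

The PrincipalId returned by Get-AzVmss is the value to use for every later role assignment; keep a record of it, because the role assignments outlive the identity if the identity is later disabled.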

Enable system-assigned managed identity on an existing Azure virtual machine scale set

If you need to enable a system-assigned managed identity on an existing Azure virtual machine scale set:

  1. Make sure the Azure account you're using belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".

  2. Retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to enable a system-assigned managed identity, use the -IdentityType switch on the Update-AzVmss cmdlet:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"

Disable the system-assigned managed identity from an Azure virtual machine scale set

If you have a virtual machine scale set that no longer needs the system-assigned managed identity but still needs user-assigned managed identities, use the following cmdlet:

  1. Make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".

  2. Run the following cmdlet:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "UserAssigned"

  3. If you have a virtual machine scale set that no longer needs the system-assigned managed identity and it has no user-assigned managed identities, use the following command:

    Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None

User-assigned managed identity

In this section, you learn how to add and remove a user-assigned managed identity from a virtual machine scale set using Azure PowerShell.

Assign a user-assigned managed identity during creation of an Azure virtual machine scale set

Creating a new virtual machine scale set with a user-assigned managed identity isn't currently supported via PowerShell. See the next section on how to add a user-assigned managed identity to an existing virtual machine scale set. Check back for updates.

Assign a user-assigned managed identity to an existing Azure virtual machine scale set

To assign a user-assigned managed identity to an existing Azure virtual machine scale set:

  1. Make sure your account belongs to a role that gives you write permissions on the virtual machine scale set, such as "Virtual Machine Contributor".

  2. Retrieve the virtual machine scale set properties using the Get-AzVmss cmdlet. Then, to assign a user-assigned managed identity to the virtual machine scale set, use the -IdentityType and -IdentityID switches on the Update-AzVmss cmdlet. Replace <VMSS NAME>, <SUBSCRIPTION ID>, <RESOURCE GROUP>, <USER ASSIGNED ID1> and <USER ASSIGNED ID2> with your own values.

    Important

    When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name should be at least 3 characters and up to 128 characters in length for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

    Update-AzVmss -ResourceGroupName <RESOURCE GROUP> -Name <VMSS NAME> -IdentityType UserAssigned -IdentityID "<USER ASSIGNED ID1>","<USER ASSIGNED ID2>"
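The assignment step above, carried through as an added example that is not from the original article: it enforces the naming rule from the Important note before creating the identity, attaches the identity to the scale set without dropping identities that are already attached (the -IdentityID list is the complete resulting set, which is why the removal section below works by listing only the identity to keep), and verifies the result. Resource group, scale set and identity names are assumed placeholders.

```powershell
# Added example, not code from the original article. Names are assumed placeholders.
$RGName   = 'myResourceGroup'
$VmssName = 'myVmss'
$IdName   = 'vmss-app-identity'

# Naming rule from the article: 3-128 characters, letters, digits, underscore, hyphen.
if ($IdName -notmatch '^[A-Za-z0-9_-]{3,128}$') {
    throw "Identity name '$IdName' violates the naming rule; the assignment would not work."
}

# Creating the identity needs the Managed Identity Contributor role; reuse it if it exists.
$vmss = Get-AzVmss -ResourceGroupName $RGName -VMScaleSetName $VmssName
$uai  = Get-AzUserAssignedIdentity -ResourceGroupName $RGName -Name $IdName -ErrorAction SilentlyContinue
if (-not $uai) {
    $uai = New-AzUserAssignedIdentity -ResourceGroupName $RGName -Name $IdName -Location $vmss.Location
}

# -IdentityID sets the whole list, so start from what is already attached.
$ids = @()
if ($vmss.Identity -and $vmss.Identity.UserAssignedIdentities) {
    $ids = @($vmss.Identity.UserAssignedIdentities.Keys)   # keys are identity resource IDs
}
if ($ids -notcontains $uai.Id) { $ids += $uai.Id }

# Keep an existing system-assigned identity: SystemAssignedUserAssigned means both kinds.
$type = if ($vmss.Identity -and ([string]$vmss.Identity.Type) -match 'SystemAssigned') {
            'SystemAssignedUserAssigned'
        } else {
            'UserAssigned'
        }

# Attaching needs the Managed Identity Operator role on the identity.
Update-AzVmss -ResourceGroupName $RGName -VMScaleSetName $VmssName `
    -IdentityType $type -IdentityId $ids | Out-Null

# Verify: the new identity's resource ID must now be present on the scale set.
$after = Get-AzVmss -ResourceGroupName $RGName -VMScaleSetName $VmssName
$after.Identity.UserAssignedIdentities.Keys | ForEach-Object { "attached: $_" }
if ($after.Identity.UserAssignedIdentities.Keys -notcontains $uai.Id) {
    throw 'The user-assigned identity was not attached.'
}
```

Passing resource IDs taken from the identity object, rather than typing them, avoids the subscription-ID and resource-group mistakes that make the assignment silently target the wrong identity.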

Remove a user-assigned managed identity from an Azure virtual machine scale set

If your virtual machine scale set has multiple user-assigned managed identities, you can remove all but the last one using the following command. Be sure to replace the <RESOURCE GROUP> and <VIRTUAL MACHINE SCALE SET NAME> parameter values with your own values. The <USER ASSIGNED IDENTITY NAME> is the name property of the user-assigned managed identity that should remain on the virtual machine scale set. This information can be found in the identity section of the virtual machine scale set using az vmss show:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType UserAssigned -IdentityID "<USER ASSIGNED IDENTITY NAME>"

If your virtual machine scale set does not have a system-assigned managed identity and you want to remove all user-assigned managed identities from it, use the following command:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType None

If your virtual machine scale set has both system-assigned and user-assigned managed identities, you can remove all the user-assigned managed identities by switching to use only the system-assigned managed identity:

Update-AzVmss -ResourceGroupName myResourceGroup -Name myVmss -IdentityType "SystemAssigned"
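Both removal procedures on this page (disabling the system-assigned identity, and detaching user-assigned identities) hinge on choosing the right -IdentityType value, because the wrong one silently removes the other kind of identity as well. The functions below, added here and not part of the original article, read the current identity state first and then select the value that removes only what was asked for; they also list role assignments held by a system-assigned principal before it is deleted, since those assignments are otherwise left orphaned. Resource group and scale set names are assumed placeholders.

```powershell
# Added example, not code from the original article.

function Get-VmssIdentityState {
    # Returns what kinds of identity a scale set currently has and their IDs.
    param([string]$ResourceGroupName, [string]$VMScaleSetName)
    $vmss = Get-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName
    $type = if ($vmss.Identity) { [string]$vmss.Identity.Type } else { 'None' }
    $userIds = @()
    if ($vmss.Identity -and $vmss.Identity.UserAssignedIdentities) {
        $userIds = @($vmss.Identity.UserAssignedIdentities.Keys)
    }
    [pscustomobject]@{
        Type              = $type
        HasSystemAssigned = ($type -match 'SystemAssigned')
        SystemPrincipalId = if ($vmss.Identity) { $vmss.Identity.PrincipalId } else { $null }
        UserAssignedIds   = $userIds
    }
}

function Remove-VmssSystemAssignedIdentity {
    # Disables the system-assigned identity while keeping any user-assigned ones.
    param([string]$ResourceGroupName, [string]$VMScaleSetName)
    $state = Get-VmssIdentityState -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName
    if (-not $state.HasSystemAssigned) { Write-Host 'No system-assigned identity present.'; return }

    # Role assignments granted to this principal survive its deletion as orphans;
    # list them so they can be cleaned up (Remove-AzRoleAssignment) afterwards.
    Write-Host "Role assignments held by principal $($state.SystemPrincipalId):"
    Get-AzRoleAssignment -ObjectId $state.SystemPrincipalId |
        Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

    if ($state.UserAssignedIds.Count -gt 0) {
        # Article step 2: keep the user-assigned identities.
        Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName `
            -IdentityType UserAssigned -IdentityId $state.UserAssignedIds | Out-Null
    } else {
        # Article step 3: nothing else to keep.
        Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName `
            -IdentityType None | Out-Null
    }
}

function Remove-VmssUserAssignedIdentity {
    # Detaches the given identity resource IDs; keeps the others and any system-assigned identity.
    param([string]$ResourceGroupName, [string]$VMScaleSetName, [string[]]$IdentityIdToRemove)
    $state = Get-VmssIdentityState -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName
    $keep  = @($state.UserAssignedIds | Where-Object { $IdentityIdToRemove -notcontains $_ })

    if ($keep.Count -gt 0) {
        $type = if ($state.HasSystemAssigned) { 'SystemAssignedUserAssigned' } else { 'UserAssigned' }
        Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName `
            -IdentityType $type -IdentityId $keep | Out-Null
    } elseif ($state.HasSystemAssigned) {
        Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName `
            -IdentityType SystemAssigned | Out-Null
    } else {
        Update-AzVmss -ResourceGroupName $ResourceGroupName -VMScaleSetName $VMScaleSetName `
            -IdentityType None | Out-Null
    }
}

# Usage (assumed names): inspect first, then remove only what you intend.
Get-VmssIdentityState -ResourceGroupName 'myResourceGroup' -VMScaleSetName 'myVmss'
Remove-VmssSystemAssignedIdentity -ResourceGroupName 'myResourceGroup' -VMScaleSetName 'myVmss'
```

Run Get-VmssIdentityState again after each change and compare it with the state you recorded before; a scale set that unexpectedly reports Type None has lost the identity its workloads authenticate with.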

Next steps