使用 REST API 调用在 Azure VM 上配置 Azure 资源的托管标识Configure Managed identities for Azure resources on an Azure VM using REST API calls

Azure 资源的托管标识是 Azure Active Directory 的一项功能。Managed identities for Azure resources is a feature of Azure Active Directory. 支持 Azure 资源的托管标识的每个 Azure 服务都受其自己的时间线限制。Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. 在开始之前,请务必查看资源的托管标识的可用性状态以及已知问题Make sure you review the availability status of managed identities for your resource and known issues before you begin.

Azure 资源的托管标识在 Azure Active Directory 中为 Azure 服务提供了一个自动托管系统标识。Managed identities for Azure resources provide Azure services with an automatically managed system identity in Azure Active Directory. 此标识可用于通过支持 Azure AD 身份验证的任何服务的身份验证,这样就无需在代码中插入凭据了。You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

本文将介绍如何在 Azure VM 上通过使用 CURL 对 Azure 资源管理器 REST 终结点进行调用来执行以下 Azure 资源的托管标识操作:In this article, using CURL to make calls to the Azure Resource Manager REST endpoint, you learn how to perform the following managed identities for Azure resources operations on an Azure VM:

  • 在 Azure VM 上启用和禁用系统分配托管标识Enable and disable the system-assigned managed identity on an Azure VM
  • 在 Azure VM 上添加和删除用户分配托管标识Add and remove a user-assigned managed identity on an Azure VM

先决条件Prerequisites

系统分配的托管标识System-assigned managed identity

本节将介绍如何在 Azure VM 上通过使用 CURL 对 Azure 资源管理器 REST 终结点进行调用来启用和禁用系统分配的托管标识。In this section, you learn how to enable and disable system-assigned managed identity on an Azure VM using CURL to make calls to the Azure Resource Manager REST endpoint.

在创建 Azure VM 的过程中启用系统分配托管标识Enable system-assigned managed identity during creation of an Azure VM

若要创建启用了系统分配的托管标识的 Azure VM,你的帐户需要虚拟机参与者角色分配。To create an Azure VM with the system-assigned managed identity enabled, your account needs the Virtual Machine Contributor role assignment. 无需其他 Azure AD 目录角色分配。No additional Azure AD directory role assignments are required.

  1. 运行 az group create,创建用于容纳和部署 VM 及其相关资源的资源组Create a resource group for containment and deployment of your VM and its related resources, using az group create. 如果已有要改用的资源组,可以跳过这一步:You can skip this step if you already have resource group you would like to use instead:

    az group create --name myResourceGroup --location chinanorth
    
  2. 为 VM 创建网络接口Create a network interface for your VM:

     az network nic create -g myResourceGroup --vnet-name myVnet --subnet mySubnet -n myNic
    
  3. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  4. 通过使用 CURL 对 Azure 资源管理器 REST 终结点进行调用,创建 VM。Create a VM using CURL to call the Azure Resource Manager REST endpoint. 下面的示例创建名为 myVM 且已启用系统分配的托管标识(请求正文中用值 "identity":{"type":"SystemAssigned"} 进行标识)的 VM。The following example creates a VM named myVM with a system-assigned managed identity, as identified in the request body by the value "identity":{"type":"SystemAssigned"}. 请将 <ACCESS TOKEN> 替换为上一步中请求持有者访问令牌和适合环境的 <SUBSCRIPTION ID> 值时收到的值。Replace <ACCESS TOKEN> with the value you received in the previous step when you requested a Bearer access token and the <SUBSCRIPTION ID> value as appropriate for your environment.

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PUT -d '{"location":"chinanorth","name":"myVM","identity":{"type":"SystemAssigned"},"properties":{"hardwareProfile":{"vmSize":"Standard_D2_v2"},"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"Standard_LRS"},"name":"myVM3osdisk","createOption":"FromImage"},"dataDisks":[{"diskSizeGB":1023,"createOption":"Empty","lun":0},{"diskSizeGB":1023,"createOption":"Empty","lun":1}]},"osProfile":{"adminUsername":"azureuser","computerName":"myVM","adminPassword":"<SECURE PASSWORD STRING>"},"networkProfile":{"networkInterfaces":[{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic","properties":{"primary":true}}]}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"
    
    PUT https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

      {
        "location":"chinanorth",
        "name":"myVM",
        "identity":{
           "type":"SystemAssigned"
        },
        "properties":{
           "hardwareProfile":{
              "vmSize":"Standard_D2_v2"
           },
           "storageProfile":{
              "imageReference":{
                 "sku":"2016-Datacenter",
                 "publisher":"MicrosoftWindowsServer",
                 "version":"latest",
                 "offer":"WindowsServer"
              },
              "osDisk":{
                 "caching":"ReadWrite",
                 "managedDisk":{
                    "storageAccountType":"Standard_LRS"
                 },
                 "name":"myVM3osdisk",
                 "createOption":"FromImage"
              },
              "dataDisks":[
                 {
                    "diskSizeGB":1023,
                    "createOption":"Empty",
                    "lun":0
                 },
                 {
                    "diskSizeGB":1023,
                    "createOption":"Empty",
                    "lun":1
                 }
              ]
           },
           "osProfile":{
              "adminUsername":"azureuser",
              "computerName":"myVM",
              "adminPassword":"myPassword12"
           },
           "networkProfile":{
              "networkInterfaces":[
                 {
                    "id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic",
                    "properties":{
                       "primary":true
                    }
                 }
              ]
           }
        }
     }  
    

在现有 Azure VM 上启用系统分配标识Enable system-assigned identity on an existing Azure VM

若要在最初未预配系统分配的托管标识的 VM 上启用该托管标识,你的帐户需要虚拟机参与者角色分配。To enable system-assigned managed identity on a VM that was originally provisioned without it, your account needs the Virtual Machine Contributor role assignment. 无需其他 Azure AD 目录角色分配。No additional Azure AD directory role assignments are required.

  1. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  2. 使用以下 CURL 命令对 Azure 资源管理器 REST 终结点进行调用,为名为“myVM”的 VM 启用系统分配的托管标识(在请求正文中用值 {"identity":{"type":"SystemAssigned"} 进行标识)。Use the following CURL command to call the Azure Resource Manager REST endpoint to enable system-assigned managed identity on your VM as identified in the request body by the value {"identity":{"type":"SystemAssigned"} for a VM named myVM. 请将 <ACCESS TOKEN> 替换为上一步中请求持有者访问令牌和适合环境的 <SUBSCRIPTION ID> 值时收到的值。Replace <ACCESS TOKEN> with the value you received in the previous step when you requested a Bearer access token and the <SUBSCRIPTION ID> value as appropriate for your environment.

    重要

    若要确保不删除用户分配给 VM 的任何现有托管标识,需要使用以下 CURL 命令列出用户分配的托管标识:curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01' -H "Authorization: Bearer <ACCESS TOKEN>"To ensure you don't delete any existing user-assigned managed identities that are assigned to the VM, you need to list the user-assigned managed identities by using this CURL command: curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01' -H "Authorization: Bearer <ACCESS TOKEN>". 如果具有用户分配给 VM 的任何托管标识(响应中用值 identity 进行标识),请跳过步骤 3,该步骤介绍了如何在 VM 上启用系统分配的托管标识的同时保留用户分配的托管标识。If you have any user-assigned managed identities assigned to the VM as identified in the identity value in the response, skip to step 3 that shows you how to retain user-assigned managed identities while enabling system-assigned managed identity on your VM.

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"SystemAssigned"}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {  
        "identity":{  
           "type":"SystemAssigned"
        }
     }
    
  3. 要在具有现有用户分配的托管标识的 VM 上启用系统分配的托管标识,需要将 SystemAssigned 添加到 type 值。To enable system-assigned managed identity on a VM with existing user-assigned managed identities, you need to add SystemAssigned to the type value.

    例如,如果 VM 具有用户分配给它的托管标识 ID1ID2 并且你希望将系统分配的托管标识添加到该 VM,请使用以下 CURL 调用。For example, if your VM has the user-assigned managed identities ID1 and ID2 assigned to it, and you would like to add system-assigned managed identity to the VM, use the following CURL call. <ACCESS TOKEN><SUBSCRIPTION ID> 替换为适合环境的值。Replace <ACCESS TOKEN> and <SUBSCRIPTION ID> with values appropriate to your environment.

    API 版本 2018-06-01 以字典格式将用户分配的托管标识存储在 userAssignedIdentities 值中,而 API 版本 2017-12-01 则以数组格式将托管标识存储在 identityIds 值中。API version 2018-06-01 stores user-assigned managed identities in the userAssignedIdentities value in a dictionary format as opposed to the identityIds value in an array format used in API version 2017-12-01.

    API 版本 2018-06-01API VERSION 2018-06-01

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"SystemAssigned, UserAssigned", "userAssignedIdentities":{"/subscriptions/<<SUBSCRIPTION ID>>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{},"/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2":{}}}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {  
        "identity":{  
           "type":"SystemAssigned, UserAssigned",
           "userAssignedIdentities":{  
              "/subscriptions/<<SUBSCRIPTION ID>>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{  
    
              },
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2":{  
    
              }
           }
        }
     }
    

    API 版本 2017-12-01API VERSION 2017-12-01

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01' -X PATCH -d '{"identity":{"type":"SystemAssigned, UserAssigned", "identityIds":["/subscriptions/<<SUBSCRIPTION ID>>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1","/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2"]}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {  
        "identity":{  
           "type":"SystemAssigned, UserAssigned",
           "identityIds":[  
              "/subscriptions/<<SUBSCRIPTION ID>>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1",
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2"
           ]
        }
     }
    

从 Azure VM 中禁用系统分配的托管标识Disable system-assigned managed identity from an Azure VM

若要在 VM 上禁用系统分配的托管标识,你的帐户需要虚拟机参与者角色分配。To disable system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. 无需其他 Azure AD 目录角色分配。No additional Azure AD directory role assignments are required.

  1. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  2. 通过使用 CURL 对 Azure 资源管理器 REST 终结点进行调用以禁用系统分配的托管标识,更新 VM。Update the VM using CURL to call the Azure Resource Manager REST endpoint to disable system-assigned managed identity. 下面的示例从名为 myVM 的 VM 禁用系统分配的托管标识(请求正文中用值 {"identity":{"type":"None"}} 进行标识)。The following example disables system-assigned managed identity as identified in the request body by the value {"identity":{"type":"None"}} from a VM named myVM. 请将 <ACCESS TOKEN> 替换为上一步中请求持有者访问令牌和适合环境的 <SUBSCRIPTION ID> 值时收到的值。Replace <ACCESS TOKEN> with the value you received in the previous step when you requested a Bearer access token and the <SUBSCRIPTION ID> value as appropriate for your environment.

    重要

    若要确保不删除用户分配给 VM 的任何现有托管标识,需要使用以下 CURL 命令列出用户分配的托管标识:curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01' -H "Authorization: Bearer <ACCESS TOKEN>"To ensure you don't delete any existing user-assigned managed identities that are assigned to the VM, you need to list the user-assigned managed identities by using this CURL command: curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01' -H "Authorization: Bearer <ACCESS TOKEN>". 如果具有用户分配给 VM 的任何托管标识(响应中用值 identity 进行标识),请跳过步骤 3,该步骤介绍了如何在 VM 上禁用系统分配的托管标识的同时保留用户分配的托管标识。If you have any user-assigned managed identities assigned to the VM as identified in the identity value in the response, skip to step 3 that shows you how to retain user-assigned managed identities while disabling system-assigned managed identity on your VM.

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"None"}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {  
        "identity":{  
           "type":"None"
        }
     }
    

    如果使用的是 API 版本 2018-06-01,若要从具有用户分配的托管标识的虚拟机中删除系统分配的托管标识,请从 {"identity":{"type:" "}} 值中删除 SystemAssigned,同时保留 UserAssigned 值和 userAssignedIdentities 字典值。To remove system-assigned managed identity from a virtual machine that has user-assigned managed identities, remove SystemAssigned from the {"identity":{"type:" "}} value while keeping the UserAssigned value and the userAssignedIdentities dictionary values if you are using API version 2018-06-01. 如果使用的是 API 版本 2017-12-01 或早期版本,请保留 identityIds 数组。If you are using API version 2017-12-01 or earlier, keep the identityIds array.

用户分配的托管标识User-assigned managed identity

本节将介绍如何在 Azure VM 上通过使用 CURL 对 Azure 资源管理器 REST 终结点进行调用来添加和删除用户分配的托管标识。In this section, you learn how to add and remove user-assigned managed identity on an Azure VM using CURL to make calls to the Azure Resource Manager REST endpoint.

在创建 Azure VM 的过程中分配用户分配托管标识Assign a user-assigned managed identity during the creation of an Azure VM

若要将用户分配的标识分配给 VM,你的帐户需要虚拟机参与者托管标识操作员角色分配。To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. 无需其他 Azure AD 目录角色分配。No additional Azure AD directory role assignments are required.

  1. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  2. 为 VM 创建网络接口Create a network interface for your VM:

     az network nic create -g myResourceGroup --vnet-name myVnet --subnet mySubnet -n myNic
    
  3. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  4. 按照此处的说明创建用户分配的托管标识:创建用户分配的托管标识Create a user-assigned managed identity using the instructions found here: Create a user-assigned managed identity.

  5. 通过使用 CURL 对 Azure 资源管理器 REST 终结点进行调用,创建 VM。Create a VM using CURL to call the Azure Resource Manager REST endpoint. 下面的示例在资源组“myResourceGroup”中创建名为“myVM”的 VM,该 VM 具有用户分配的托管标识 ID1(请求正文中用值 "identity":{"type":"UserAssigned"} 进行标识) 。The following example creates a VM named myVM in the resource group myResourceGroup with a user-assigned managed identity ID1, as identified in the request body by the value "identity":{"type":"UserAssigned"}. 请将 <ACCESS TOKEN> 替换为上一步中请求持有者访问令牌和适合环境的 <SUBSCRIPTION ID> 值时收到的值。Replace <ACCESS TOKEN> with the value you received in the previous step when you requested a Bearer access token and the <SUBSCRIPTION ID> value as appropriate for your environment.

    API 版本 2018-06-01API VERSION 2018-06-01

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PUT -d '{"location":"chinanorth","name":"myVM","identity":{"type":"UserAssigned","identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]},"properties":{"hardwareProfile":{"vmSize":"Standard_D2_v2"},"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"Standard_LRS"},"name":"myVM3osdisk","createOption":"FromImage"},"dataDisks":[{"diskSizeGB":1023,"createOption":"Empty","lun":0},{"diskSizeGB":1023,"createOption":"Empty","lun":1}]},"osProfile":{"adminUsername":"azureuser","computerName":"myVM","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaces":[{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic","properties":{"primary":true}}]}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"
    
    PUT https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {  
        "location":"chinanorth",
        "name":"myVM",
        "identity":{  
           "type":"UserAssigned",
           "identityIds":[  
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"
           ]
        },
        "properties":{  
           "hardwareProfile":{  
              "vmSize":"Standard_D2_v2"
           },
           "storageProfile":{  
              "imageReference":{  
                 "sku":"2016-Datacenter",
                 "publisher":"MicrosoftWindowsServer",
                 "version":"latest",
                 "offer":"WindowsServer"
              },
              "osDisk":{  
                 "caching":"ReadWrite",
                 "managedDisk":{  
                    "storageAccountType":"Standard_LRS"
                 },
                 "name":"myVM3osdisk",
                 "createOption":"FromImage"
              },
              "dataDisks":[  
                 {  
                    "diskSizeGB":1023,
                    "createOption":"Empty",
                    "lun":0
                 },
                 {  
                    "diskSizeGB":1023,
                    "createOption":"Empty",
                    "lun":1
                 }
              ]
           },
           "osProfile":{  
              "adminUsername":"azureuser",
              "computerName":"myVM",
              "adminPassword":"myPassword12"
           },
           "networkProfile":{  
              "networkInterfaces":[  
                 {  
                    "id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic",
                    "properties":{  
                       "primary":true
                    }
                 }
              ]
           }
        }
     }
    
    

    API 版本 2017-12-01API VERSION 2017-12-01

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01' -X PUT -d '{"location":"chinanorth","name":"myVM","identity":{"type":"UserAssigned","identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]},"properties":{"hardwareProfile":{"vmSize":"Standard_D2_v2"},"storageProfile":{"imageReference":{"sku":"2016-Datacenter","publisher":"MicrosoftWindowsServer","version":"latest","offer":"WindowsServer"},"osDisk":{"caching":"ReadWrite","managedDisk":{"storageAccountType":"Standard_LRS"},"name":"myVM3osdisk","createOption":"FromImage"},"dataDisks":[{"diskSizeGB":1023,"createOption":"Empty","lun":0},{"diskSizeGB":1023,"createOption":"Empty","lun":1}]},"osProfile":{"adminUsername":"azureuser","computerName":"myVM","adminPassword":"myPassword12"},"networkProfile":{"networkInterfaces":[{"id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic","properties":{"primary":true}}]}}}' -H "Content-Type: application/json" -H "Authorization: Bearer <ACCESS TOKEN>"
    
    PUT https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "location":"chinanorth",
        "name":"myVM",
        "identity":{
           "type":"UserAssigned",
           "identityIds":[
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"
           ]
        },
        "properties":{
           "hardwareProfile":{
              "vmSize":"Standard_D2_v2"
           },
           "storageProfile":{
              "imageReference":{
                 "sku":"2016-Datacenter",
                 "publisher":"MicrosoftWindowsServer",
                 "version":"latest",
                 "offer":"WindowsServer"
              },
              "osDisk":{
                 "caching":"ReadWrite",
                 "managedDisk":{
                    "storageAccountType":"Standard_LRS"
                 },
                 "name":"myVM3osdisk",
                 "createOption":"FromImage"
              },
              "dataDisks":[
                 {
                    "diskSizeGB":1023,
                    "createOption":"Empty",
                    "lun":0
                 },
                 {
                    "diskSizeGB":1023,
                    "createOption":"Empty",
                    "lun":1
                 }
              ]
           },
           "osProfile":{
              "adminUsername":"azureuser",
              "computerName":"myVM",
              "adminPassword":"myPassword12"
           },
           "networkProfile":{
              "networkInterfaces":[
                 {
                    "id":"/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Network/networkInterfaces/myNic",
                    "properties":{
                       "primary":true
                    }
                 }
              ]
           }
        }
     }
    

向现有 Azure VM 分配用户分配托管标识Assign a user-assigned managed identity to an existing Azure VM

若要将用户分配的标识分配给 VM,你的帐户需要虚拟机参与者托管标识操作员角色分配。To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. 无需其他 Azure AD 目录角色分配。No additional Azure AD directory role assignments are required.

  1. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  2. 按照此处的说明创建用户分配的托管标识:创建用户分配的托管标识Create a user-assigned managed identity using the instructions found here, Create a user-assigned managed identity.

  3. 若要确保不删除用户或系统分配给 VM 的现有托管标识,需要使用以下 CURL 命令列出分配给 VM 的标识。To ensure you don't delete existing user or system-assigned managed identities that are assigned to the VM, you need to list the identity types assigned to the VM by using the following CURL command. 如果具有分配给虚拟机规模集的托管标识,则这些标识会在 identity 值下列出。If you have managed identities assigned to the virtual machine scale set, they are listed under in the identity value.

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01' -H "Authorization: Bearer <ACCESS TOKEN>" 
    
    GET https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    如果你将任何用户或系统分配的托管标识分配给 VM(如响应中的 identity 值所标识),请跳过步骤 5,该步骤展示了如何在 VM 上保留系统分配的托管标识,同时添加用户分配的托管标识。If you have any user or system-assigned managed identities assigned to the VM as identified in the identity value in the response, skip to step 5 that shows you how to retain the system-assigned managed identity while adding a user-assigned managed identity on your VM.

  4. 如果没有用户分配给 VM 的任何托管标识,请使用以下 CURL 命令对 Azure 资源管理器 REST 终结点进行调用,以将第一个用户分配的托管标识分配给 VM。If you don't have any user-assigned managed identities assigned to your VM, use the following CURL command to call the Azure Resource Manager REST endpoint to assign the first user-assigned managed identity to the VM.

    下面的示例将用户分配的托管标识 ID1 分配给资源组 myResourceGroup 中名为 myVM 的 VM。The following example assigns a user-assigned managed identity, ID1 to a VM named myVM in the resource group myResourceGroup. 请将 <ACCESS TOKEN> 替换为上一步中请求持有者访问令牌和适合环境的 <SUBSCRIPTION ID> 值时收到的值。Replace <ACCESS TOKEN> with the value you received in the previous step when you requested a Bearer access token and the <SUBSCRIPTION ID> value as appropriate for your environment.

    API 版本 2018-06-01API VERSION 2018-06-01

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"UserAssigned", "userAssignedIdentities":{"/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{}}}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "identity":{
           "type":"UserAssigned",
           "userAssignedIdentities":{
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{
    
              }
           }
        }
     }
    

    API 版本 2017-12-01API VERSION 2017-12-01

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01' -X PATCH -d '{"identity":{"type":"userAssigned", "identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "identity":{
           "type":"userAssigned",
           "identityIds":[
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"
           ]
        }
     }
    
  5. 如果具有用户或系统分配给 VM 的现有托管标识,则:If you have an existing user-assigned or system-assigned managed identity assigned to your VM:

    API 版本 2018-06-01API VERSION 2018-06-01

    将用户分配的托管标识添加到 userAssignedIdentities 字典值。Add the user-assigned managed identity to the userAssignedIdentities dictionary value.

    例如,如果你具有当前分配给虚拟机的系统分配的托管标识和用户分配的托管标识 ID1 并希望将用户分配的托管标识 ID2 添加到该虚拟机,则:For example, if you have system-assigned managed identity and the user-assigned managed identity ID1 currently assigned to your VM and would like to add the user-assigned managed identity ID2 to it:

    curl  'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"SystemAssigned, UserAssigned", "userAssignedIdentities":{"/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{},"/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2":{}}}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "identity":{
           "type":"SystemAssigned, UserAssigned",
           "userAssignedIdentities":{
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1":{
    
              },
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2":{
    
              }
           }
        }
     }
    

    API 版本 2017-12-01API VERSION 2017-12-01

    identityIds 数组值中保留要保持的用户分配的托管标识,同时添加新的用户分配的托管标识。Retain the user-assigned managed identities you would like to keep in the identityIds array value while adding the new user-assigned managed identity.

    例如,如果你具有当前分配给虚拟机的系统分配的托管标识和用户分配的托管标识 ID1 并希望将用户分配的托管标识 ID2 添加到该虚拟机,则:For example, if you have system-assigned managed identity and the user-assigned managed identity ID1 currently assigned to your VM and would like to add the user-assigned managed identity ID2 to it:

    curl  'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01' -X PATCH -d '{"identity":{"type":"SystemAssigned,UserAssigned", "identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1","/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2"]}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "identity":{
           "type":"SystemAssigned,UserAssigned",
           "identityIds":[
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1",
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2"
           ]
        }
     }
    

从 Azure VM 中删除用户分配的托管标识Remove a user-assigned managed identity from an Azure VM

若要从 VM 中删除用户分配的标识,你的帐户需要虚拟机参与者角色分配。To remove a user-assigned identity to a VM, your account needs the Virtual Machine Contributor role assignment.

  1. 检索持有者访问令牌,下一步在授权标头中将使用该令牌创建具有系统分配的托管标识的 VM。Retrieve a Bearer access token, which you will use in the next step in the Authorization header to create your VM with a system-assigned managed identity.

    az account get-access-token
    
  2. 若要确保不删除任何现有用户分配的托管标识(希望保留在 VM 上)或不删除系统分配的托管标识,需要使用以下 CURL 命令列出这些托管标识:To ensure you don't delete any existing user-assigned managed identities that you would like to keep assigned to the VM or remove the system-assigned managed identity, you need to list the managed identities by using the following CURL command:

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01' -H "Authorization: Bearer <ACCESS TOKEN>"
    
    GET https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>/providers/Microsoft.Compute/virtualMachines/<VM NAME>?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    如果具有分配给 VM 的托管标识,则这些标识会在 identity 值下列出。If you have managed identities assigned to the VM, they are listed in the response in the identity value.

    例如,如果你有分配给 VM 的用户分配的托管标识 ID1ID2,并且仅希望保持分配 ID1 并保留系统分配的标识:For example, if you have user-assigned managed identities ID1 and ID2 assigned to your VM, and you only want to keep ID1 assigned and retain the system-assigned identity:

    API 版本 2018-06-01API VERSION 2018-06-01

    null 添加到要删除的用户分配的托管标识:Add null to the user-assigned managed identity you would like to remove:

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"SystemAssigned, UserAssigned", "userAssignedIdentities":{"/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2":null}}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "identity":{
           "type":"SystemAssigned, UserAssigned",
           "userAssignedIdentities":{
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID2":null
           }
        }
     }
    

    API 版本 2017-12-01API VERSION 2017-12-01

    identityIds 数组中仅保留要保持的用户分配的托管标识:Retain only the user-assigned managed identity(s) you would like to keep in the identityIds array:

    curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01' -X PATCH -d '{"identity":{"type":"SystemAssigned, UserAssigned", "identityIds":["/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"]}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
    
    PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2017-12-01 HTTP/1.1
    

    请求标头Request headers

    请求标头Request header 说明Description
    Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
    授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

    请求正文Request body

     {
        "identity":{
           "type":"SystemAssigned, UserAssigned",
           "identityIds":[
              "/subscriptions/<SUBSCRIPTION ID>/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"
           ]
        }
     }
    

如果 VM 同时具有系统分配的托管标识和用户分配的托管标识,则可通过使用以下命令切换为仅使用系统分配的托管标识,删除所有用户分配的托管标识:If your VM has both system-assigned and user-assigned managed identities, you can remove all the user-assigned managed identities by switching to use only system-assigned managed identity using the following command:

curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"SystemAssigned"}}' -H "Content-Type: application/json" -H "Authorization:Bearer <ACCESS TOKEN>"
PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1

请求标头Request headers

请求标头Request header 说明Description
Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

请求正文Request body

{
   "identity":{
      "type":"SystemAssigned"
   }
}

如果 VM 只具有用户分配的托管标识并希望删除所有这些托管标识,请使用以下命令:If your VM has only user-assigned managed identities and you would like to remove them all, use the following command:

curl 'https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01' -X PATCH -d '{"identity":{"type":"None"}}' -H "Content-Type: application/json" -H Authorization:"Bearer <ACCESS TOKEN>"
PATCH https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/myResourceGroup/providers/Microsoft.Compute/virtualMachines/myVM?api-version=2018-06-01 HTTP/1.1

请求标头Request headers

请求标头Request header 说明Description
Content-TypeContent-Type 必需。Required. 设置为 application/jsonSet to application/json.
授权Authorization 必需。Required. 设置为有效的 Bearer 访问令牌。Set to a valid Bearer access token.

请求正文Request body

{
   "identity":{
      "type":"None"
   }
}

后续步骤Next steps

有关如何使用 REST 创建、列出或删除用户分配的托管标识,请参阅:For information on how to create, list, or delete user-assigned managed identities using REST see: