Configure managed identities for Azure resources on an Azure VM using templates

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication without keeping credentials in your code: the platform creates and rotates the identity's credentials, so there is no secret to store, leak or expire on the VM.

In this article, using an Azure Resource Manager deployment template, you learn how to perform the following managed identities for Azure resources operations on an Azure VM:

Prerequisites

Azure Resource Manager templates

As with the Azure portal and scripting, Azure Resource Manager templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:

Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. Enabling a system-assigned or user-assigned managed identity on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager does an incremental update to deployments: resources in the resource group that the template does not mention are left as they are, while a resource the template does describe is updated to match it. That is why every identity change in this article is made by editing the VM resource in the template and redeploying it.

System-assigned managed identity

In this section, you enable and disable a system-assigned managed identity using an Azure Resource Manager template.

Enable system-assigned managed identity during creation of an Azure VM or on an existing VM

To enable system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. To enable system-assigned managed identity, load the template into an editor, locate the Microsoft.Compute/virtualMachines resource of interest within the resources section and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property (a sibling of "properties", not inside it). Use the following syntax:

    "identity": {
        "type": "SystemAssigned"
    },
    
  3. When you're done, the identity block sits inside the VM resource in the resources section of your template, which should resemble the following:

    "resources": [
         {
             //other resource provider properties...
             "apiVersion": "2018-06-01",
             "type": "Microsoft.Compute/virtualMachines",
             "name": "[variables('vmName')]",
             "location": "[resourceGroup().location]",
             "identity": {
                 "type": "SystemAssigned"
             }
         },
    
             //The following appears only if you provisioned the optional VM extension (to be deprecated)
             {
             "type": "Microsoft.Compute/virtualMachines/extensions",
             "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
             "apiVersion": "2018-06-01",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
             ],
             "properties": {
                 "publisher": "Microsoft.ManagedIdentity",
                 "type": "ManagedIdentityExtensionForWindows",
                 "typeHandlerVersion": "1.0",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "port": 50342
                 }
             }
         }
     ]
    

Assign a role to the VM's system-assigned managed identity

After you have enabled system-assigned managed identity on your VM, you may want to grant it a role such as Reader access to the resource group in which it was created. Grant only the role the workload on the VM needs: any process on the VM that can reach the token endpoint can act with every role this identity holds.

To assign a role to your VM's system-assigned identity, your account needs the User Access Administrator role assignment.

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. Load the template into an editor and add the following information to give your VM Reader access to the resource group in which it was created. Your template structure may vary depending on the editor and the deployment model you choose.

    Under the parameters section add the following. rbacGuid becomes the name of the role assignment resource, which must be a GUID that is unique within its scope, so supply a fresh one for each assignment:

    "builtInRoleType": {
        "type": "string",
        "defaultValue": "Reader"
    },
    "rbacGuid": {
        "type": "string"
    }
    

    Under the variables section add the following. Reader is the resource ID of the built-in Reader role definition, built from its well-known GUID; vmResourceId is the VM's resource ID, which the role assignment below uses to read the identity's principalId (it was referenced but not defined in the original fragment):

    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]",
    "vmResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
    

    Under the resources section add the following. The principalId expression uses the 'Full' form of reference() because identity is a top-level property of the VM resource rather than part of its properties; the dependsOn entry makes sure the VM, and therefore its identity, exists before the assignment is created:

    {
        "apiVersion": "2017-09-01",
        "type": "Microsoft.Authorization/roleAssignments",
        "name": "[parameters('rbacGuid')]",
        "properties": {
            "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
            "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
            "scope": "[resourceGroup().id]"
        },
         "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
        ]
    }
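
The role assignment fragment above is easy to get subtly wrong (a reused name, a role broader than intended, a scope wider than the resource group, a principalId read without the 'Full' reference). The following is an added example, not code from the page or from Microsoft: a small offline check that loads a template constructed inline from the fragment in this section, resolves the two expression shapes the fragment uses (parameters() and variables()), and lists what a reviewer would bounce. The Contributor and Owner role GUIDs are well-known built-ins added here so that over-broad grants can be flagged; the sample rbacGuid value is made up.

```python
"""Offline review of roleAssignments resources in an ARM template (added example)."""
import copy
import json
import re

# Built-in role definition GUIDs. Reader is the one the section uses.
BUILTIN_ROLES = {
    "acdd72a7-3385-48ef-bd42-f606fba81ae7": "Reader",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
}
BROAD_ROLES = {"Contributor", "Owner"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
PARAM_RE = re.compile(r"^\[parameters\('([^']+)'\)\]$")
VAR_RE = re.compile(r"^\[variables\((.+)\)\]$")

# Constructed sample: the parameters/variables/resources fragment from the
# section, wrapped in a minimal template (the VM resource itself is omitted).
SAMPLE_TEMPLATE = json.loads(r"""
{
  "parameters": {
    "vmName": {"type": "string", "defaultValue": "vm-example"},
    "builtInRoleType": {"type": "string", "defaultValue": "Reader"},
    "rbacGuid": {"type": "string", "defaultValue": "5e3f2a6f-0d2b-4c1f-9b7e-2b4b8d4f1a10"}
  },
  "variables": {
    "vmResourceId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
    "Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
  },
  "resources": [{
    "apiVersion": "2017-09-01",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[parameters('rbacGuid')]",
    "properties": {
      "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
      "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
      "scope": "[resourceGroup().id]"
    },
    "dependsOn": ["[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"]
  }]
}
""")


def resolve(expr, template):
    """Resolve a parameters() reference to its defaultValue, or a variables()
    lookup whose key is a literal or a parameters() reference. Anything else is
    returned unchanged; a parameter without a default resolves to None."""
    if not isinstance(expr, str):
        return expr
    m = PARAM_RE.match(expr)
    if m:
        return template["parameters"].get(m.group(1), {}).get("defaultValue")
    m = VAR_RE.match(expr)
    if m:
        key = m.group(1)
        key = key.strip("'") if key.startswith("'") else resolve(f"[{key}]", template)
        return template["variables"].get(key)
    return expr


def review_role_assignments(template):
    """Return a list of findings; an empty list means the assignment looks right."""
    findings = []
    for res in template["resources"]:
        if res.get("type") != "Microsoft.Authorization/roleAssignments":
            continue
        props = res["properties"]
        # The resource name must be a GUID; a reused one collides on redeploy.
        name = resolve(res["name"], template)
        if name is None:
            findings.append("name: rbacGuid has no default, so a GUID must be supplied at deploy time")
        elif not GUID_RE.fullmatch(str(name)):
            findings.append(f"name: {name!r} is not a GUID")
        # Resolve the role and flag anything broader than the read-only grant
        # this section is about (least privilege for the VM's identity).
        role_expr = resolve(props.get("roleDefinitionId"), template) or ""
        m = GUID_RE.search(role_expr)
        role = BUILTIN_ROLES.get(m.group(0).lower()) if m else None
        if role is None:
            findings.append(f"roleDefinitionId: unrecognised role in {role_expr!r}")
        elif role in BROAD_ROLES:
            findings.append(f"roleDefinitionId: {role} is broader than the task needs")
        # identity sits outside 'properties', so only the 'Full' reference has it.
        pid = props.get("principalId", "")
        if "'Full'" not in pid or ".identity.principalId" not in pid:
            findings.append("principalId: use reference(<vm>, <apiVersion>, 'Full').identity.principalId")
        if props.get("scope", "").startswith("[subscription()"):
            findings.append("scope: subscription-wide; the section grants resource-group scope")
        if not any("Microsoft.Compute/virtualMachines" in d for d in res.get("dependsOn", [])):
            findings.append("dependsOn: the assignment must wait for the VM so its identity exists")
    return findings


def broad_sample():
    """Constructed counter-example: Owner at subscription scope with a non-GUID name."""
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    t["parameters"]["builtInRoleType"]["defaultValue"] = "Owner"
    t["parameters"]["rbacGuid"]["defaultValue"] = "vm-owner-assignment"
    t["variables"]["Owner"] = t["variables"]["Reader"].replace(
        "acdd72a7-3385-48ef-bd42-f606fba81ae7", "8e3af657-a8ff-443c-a75c-2fe8c4bcb635")
    t["resources"][0]["properties"]["scope"] = "[subscription().id]"
    return t


if __name__ == "__main__":
    print("section template:", review_role_assignments(SAMPLE_TEMPLATE) or "no findings")
    for finding in review_role_assignments(broad_sample()):
        print("broad template:", finding)
```

The resolver only understands the two expression forms the fragment uses; for a real template with more complex expressions you would run the check on the output of a what-if or validation deployment rather than on the raw JSON.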
    

Disable a system-assigned managed identity from an Azure VM

To remove system-assigned managed identity from a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required. Disabling the identity deletes its service principal; role assignments that were granted to it remain behind as orphaned entries, so remove those as well.

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. Load the template into an editor and locate the Microsoft.Compute/virtualMachines resource of interest within the resources section. If you have a VM that only has a system-assigned managed identity, you can disable it by changing the identity type to None.

    Microsoft.Compute/virtualMachines API version 2018-06-01

    If your VM has both system-assigned and user-assigned managed identities, remove SystemAssigned from the identity type (leaving "UserAssigned") and keep the userAssignedIdentities dictionary values.

    Microsoft.Compute/virtualMachines API version 2017-12-01

    If your apiVersion is 2017-12-01 and your VM has both system-assigned and user-assigned managed identities, remove SystemAssigned from the identity type (leaving "UserAssigned") and keep the identityIds array of the user-assigned managed identities.

The following example shows you how to remove a system-assigned managed identity from a VM with no user-assigned managed identities:

{
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[parameters('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "None"
    }
}

User-assigned managed identity

In this section, you assign a user-assigned managed identity to an Azure VM using an Azure Resource Manager template.

Note

To create a user-assigned managed identity using an Azure Resource Manager template, see Create a user-assigned managed identity.

Assign a user-assigned managed identity to an Azure VM

To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required. Managed Identity Operator is what lets you attach an existing identity to a resource; it is deliberately separate from the right to grant that identity roles.

  1. Under the resources element, add the following entry to assign a user-assigned managed identity to your VM. Be sure to replace <USERASSIGNEDIDENTITYNAME> with the name of the user-assigned managed identity you created.

    Microsoft.Compute/virtualMachines API version 2018-06-01

    If your apiVersion is 2018-06-01, your user-assigned managed identities are stored in the userAssignedIdentities dictionary format (the identity's resource ID is the key and the value is an empty object) and the <USERASSIGNEDIDENTITYNAME> value must be stored in a variable defined in the variables section of your template.

     {
         "apiVersion": "2018-06-01",
         "type": "Microsoft.Compute/virtualMachines",
         "name": "[variables('vmName')]",
         "location": "[resourceGroup().location]",
         "identity": {
             "type": "UserAssigned",
             "userAssignedIdentities": {
                 "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
             }
         }
     }
    

    Microsoft.Compute/virtualMachines API version 2017-12-01

    If your apiVersion is 2017-12-01, your user-assigned managed identities are stored in the identityIds array and the <USERASSIGNEDIDENTITYNAME> value must be stored in a variable defined in the variables section of your template.

    {
        "apiVersion": "2017-12-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "UserAssigned",
            "identityIds": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]"
            ]
        }
    }
    
  2. When you're done, the identity block sits inside the VM resource in the resources section of your template, which should resemble the following:

    Microsoft.Compute/virtualMachines API version 2018-06-01

    "resources": [
         {
             //other resource provider properties...
             "apiVersion": "2018-06-01",
             "type": "Microsoft.Compute/virtualMachines",
             "name": "[variables('vmName')]",
             "location": "[resourceGroup().location]",
             "identity": {
                 "type": "UserAssigned",
                 "userAssignedIdentities": {
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
                 }
             }
         },
         //The following appears only if you provisioned the optional VM extension (to be deprecated)                  
         {
             "type": "Microsoft.Compute/virtualMachines/extensions",
             "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
             "apiVersion": "2018-06-01-preview",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
             ],
             "properties": {
                 "publisher": "Microsoft.ManagedIdentity",
                 "type": "ManagedIdentityExtensionForWindows",
                 "typeHandlerVersion": "1.0",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "port": 50342
                 }
             }
         }
     ]   
    

    Microsoft.Compute/virtualMachines API version 2017-12-01

    "resources": [
         {
             //other resource provider properties...
             "apiVersion": "2017-12-01",
             "type": "Microsoft.Compute/virtualMachines",
             "name": "[variables('vmName')]",
             "location": "[resourceGroup().location]",
             "identity": {
                 "type": "UserAssigned",
                 "identityIds": [
                    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]"
                 ]
             }
         },
    
         //The following appears only if you provisioned the optional VM extension (to be deprecated)                   
         {
             "type": "Microsoft.Compute/virtualMachines/extensions",
             "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
             "apiVersion": "2015-05-01-preview",
             "location": "[resourceGroup().location]",
             "dependsOn": [
                 "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
             ],
             "properties": {
                 "publisher": "Microsoft.ManagedIdentity",
                 "type": "ManagedIdentityExtensionForWindows",
                 "typeHandlerVersion": "1.0",
                 "autoUpgradeMinorVersion": true,
                 "settings": {
                     "port": 50342
                 }
             }
        }
     ]
    

Remove a user-assigned managed identity from an Azure VM

To remove a user-assigned identity from a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required. Detaching the identity from the VM does not delete the identity resource or its role assignments; it can still be attached to other resources.

  1. Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.

  2. Load the template into an editor and locate the Microsoft.Compute/virtualMachines resource of interest within the resources section. If you have a VM that only has user-assigned managed identities, you can remove them all by changing the identity type to None.

    The following example shows you how to remove all user-assigned managed identities from a VM with no system-assigned managed identity:
     {
       "apiVersion": "2018-06-01",
       "type": "Microsoft.Compute/virtualMachines",
       "name": "[parameters('vmName')]",
       "location": "[resourceGroup().location]",
       "identity": {
           "type": "None"
       }
     }
    

    Microsoft.Compute/virtualMachines API version 2018-06-01

    To remove a single user-assigned managed identity from a VM, remove its entry from the userAssignedIdentities dictionary and leave the other entries in place.

    If the VM also has a system-assigned managed identity, keep SystemAssigned in the type value under identity: "SystemAssigned, UserAssigned" while user-assigned identities remain, or "SystemAssigned" once the last one has been removed.

    Microsoft.Compute/virtualMachines API version 2017-12-01

    To remove a single user-assigned managed identity from a VM, remove its entry from the identityIds array and leave the other entries in place.

    If the VM also has a system-assigned managed identity, keep SystemAssigned in the type value under identity, in the same way as for the newer API version.
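
The disable-system-assigned, assign-user-assigned and remove-user-assigned procedures above are all edits to the same identity block, and the shape of that block depends on the apiVersion. The following is an added example, not code from the page or from Microsoft: it applies those transitions to a VM resource loaded from a template, writes the userAssignedIdentities dictionary for apiVersion 2018-06-01 and later and the identityIds array for 2017-12-01, keeps SystemAssigned in the type while it is still wanted, and collapses to "type": "None" once no identity is left. The VM resources and the variable name "uaiName" are constructed placeholders for whatever your template defines.

```python
"""Edit the identity block of a Microsoft.Compute/virtualMachines resource (added example)."""
import json

UAI_TYPE = "Microsoft.ManagedIdentity/userAssignedIdentities"


def uai_ref(var_name):
    """The resourceId() expression the page's fragments use for a user-assigned
    identity whose name is held in the template variable var_name."""
    return f"[resourceId('{UAI_TYPE}', variables('{var_name}'))]"


def _uses_dictionary(vm):
    # 2018-06-01 and later use the dictionary; 2017-12-01 uses the array.
    return vm["apiVersion"][:10] >= "2018-06-01"


def _read(vm):
    """Return (has_system_assigned, [user-assigned resource ID expressions])."""
    ident = vm.get("identity") or {"type": "None"}
    kinds = {k.strip().lower() for k in ident.get("type", "None").split(",")}
    if _uses_dictionary(vm):
        uids = list(ident.get("userAssignedIdentities", {}))
    else:
        uids = list(ident.get("identityIds", []))
    return "systemassigned" in kinds, uids


def _write(vm, system_assigned, uids):
    """Rebuild the block in the right shape; no identity at all becomes None."""
    kinds = (["SystemAssigned"] if system_assigned else []) + (["UserAssigned"] if uids else [])
    ident = {"type": ", ".join(kinds) or "None"}
    if uids:
        if _uses_dictionary(vm):
            ident["userAssignedIdentities"] = {u: {} for u in uids}
        else:
            ident["identityIds"] = list(uids)
    vm["identity"] = ident
    return vm


def enable_system_assigned(vm):
    _, uids = _read(vm)
    return _write(vm, True, uids)


def disable_system_assigned(vm):
    _, uids = _read(vm)
    return _write(vm, False, uids)


def add_user_assigned(vm, var_name):
    sa, uids = _read(vm)
    ref = uai_ref(var_name)
    if ref not in uids:
        uids.append(ref)
    return _write(vm, sa, uids)


def remove_user_assigned(vm, var_name):
    sa, uids = _read(vm)
    ref = uai_ref(var_name)
    return _write(vm, sa, [u for u in uids if u != ref])


def sample_vm(api_version):
    """Constructed VM resource with no identity yet, in the page's layout."""
    return {
        "apiVersion": api_version,
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
    }


def walk_through(api_version):
    """Run the page's procedures in order and return the identity types seen."""
    vm = sample_vm(api_version)
    steps = [(enable_system_assigned, ()), (add_user_assigned, ("uaiName",)),
             (disable_system_assigned, ()), (remove_user_assigned, ("uaiName",))]
    seen = []
    for fn, args in steps:
        vm = fn(vm, *args)
        seen.append(vm["identity"]["type"])
    return seen


if __name__ == "__main__":
    for api in ("2018-06-01", "2017-12-01"):
        print(api, walk_through(api))
    print(json.dumps(add_user_assigned(sample_vm("2017-12-01"), "uaiName")["identity"], indent=2))
```

Because the functions rewrite the block from what they read, they also normalise a hand-edited "userAssigned" type to the canonical spelling and drop an empty identityIds array or userAssignedIdentities dictionary instead of leaving it alongside "type": "None".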

Next steps