Configure managed identities for Azure resources on an Azure VM using templates
Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.
Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
In this article, using an Azure Resource Manager deployment template, you learn how to perform the following managed identities for Azure resources operations on an Azure VM:
- Enable and disable the system-assigned managed identity on an Azure VM
- Assign and remove a user-assigned managed identity on an Azure VM
Prerequisites
- If you're unfamiliar with Azure Resource Manager deployment templates, check out the overview section. Be sure to review the difference between a system-assigned and a user-assigned managed identity.
- If you don't already have an Azure account, sign up for a trial before continuing.
Azure Resource Manager templates
As with the Azure portal and scripting, Azure Resource Manager templates provide the ability to deploy new or modified resources defined by an Azure resource group. Several options are available for template editing and deployment, both local and portal-based, including:
- Using a custom template from the Azure Marketplace, which allows you to create a template from scratch, or base it on an existing common or quickstart template.
- Deriving from an existing resource group, by exporting a template from either the original deployment or from the current state of the deployment.
- Using a local JSON editor (such as VS Code), and then uploading and deploying by using PowerShell or the CLI.
- Using the Visual Studio Azure Resource Group project to both create and deploy a template.
Regardless of the option you choose, the template syntax is the same during initial deployment and redeployment. Enabling a system-assigned or user-assigned managed identity on a new or existing VM is done in the same manner. Also, by default, Azure Resource Manager performs an incremental update to deployments, so a template that contains only the VM resource leaves the other resources in the group in place when redeployed.
System-assigned managed identity
In this section, you enable and disable a system-assigned managed identity using an Azure Resource Manager template.
Enable the system-assigned managed identity during the creation of an Azure VM or on an existing VM
To enable the system-assigned managed identity on a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.
Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
To enable the system-assigned managed identity, load the template into an editor, locate the Microsoft.Compute/virtualMachines resource of interest within the resources section, and add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines" property. Use the following syntax:

```json
"identity": {
    "type": "SystemAssigned"
},
```

When you're done, the following sections should be added to the resources section of your template, and it should resemble the following. The second resource, the ManagedIdentityExtensionForWindows extension, appears only if you provisioned the optional VM extension, which is being deprecated; new deployments do not need it.

```json
"resources": [
    {
        //other resource provider properties...
        "apiVersion": "2018-06-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "SystemAssigned"
        }
    },
    //The following appears only if you provisioned the optional VM extension (to be deprecated)
    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2018-06-01",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            }
        }
    }
]
```
Assign a role to the VM's system-assigned managed identity
After you have enabled the system-assigned managed identity on your VM, you may want to grant it a role, such as Reader access to the resource group in which it was created. Any process running on the VM can obtain a token for this identity, so grant the least-privileged role at the narrowest scope the workload actually needs.
To assign a role to your VM's system-assigned identity, your account needs the User Access Administrator role assignment.
Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
Load the template into an editor and add the following information to give your VM Reader access to the resource group in which it was created. Your template structure may vary depending on the editor and the deployment model you choose.
Under the parameters section, add the following. The rbacGuid value names the role assignment and must be a GUID that is unique for this assignment; redeploying with a new GUID for a principal, role and scope that are already assigned is rejected as a duplicate, so keep the value stable across redeployments.

```json
"builtInRoleType": {
    "type": "string",
    "defaultValue": "Reader"
},
"rbacGuid": {
    "type": "string"
}
```

Under the variables section, add the following. The GUID is the definition ID of the built-in Reader role:

```json
"Reader": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]"
```

Under the resources section, add the following. The snippet assumes a vmResourceId variable that holds the VM's resource ID and a vmName parameter; align these with the names your template actually uses (the earlier example referred to the VM as variables('vmName')). The reference() call reads the principalId of the system-assigned identity after the VM has been deployed, which is why the dependsOn entry is required.

```json
{
    "apiVersion": "2017-09-01",
    "type": "Microsoft.Authorization/roleAssignments",
    "name": "[parameters('rbacGuid')]",
    "properties": {
        "roleDefinitionId": "[variables(parameters('builtInRoleType'))]",
        "principalId": "[reference(variables('vmResourceId'), '2017-12-01', 'Full').identity.principalId]",
        "scope": "[resourceGroup().id]"
    },
    "dependsOn": [
        "[concat('Microsoft.Compute/virtualMachines/', parameters('vmName'))]"
    ]
}
```
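Once the template is deployed and the role assignment is in place, the check a practitioner wants is to request a token from inside the VM and confirm it was issued to the expected identity. The following Python script is an added example, not code from this page or from Microsoft: it builds the request to the Azure Instance Metadata Service token endpoint (the endpoint, api-version and Metadata header are the documented ones; the legacy extension on port 50342 shown earlier is not involved), parses the response, and decodes the token's claims without verifying the signature so you can compare the oid claim with the principalId the role assignment used. The sample response body, the client_id and the oid in it are constructed so the parsing can be exercised offline; fetch_token itself only works when run on the VM.

```python
"""Fetch a token for the VM's managed identity from the Azure Instance
Metadata Service (IMDS) and show which identity it was issued to.

Added example (not from the page): the IMDS endpoint, api-version and
parameters are the documented ones; the sample response and the
client_id / oid values in it are constructed for offline testing.
"""
import base64
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None):
    """Return (url, headers) for an IMDS token request.

    Without client_id IMDS uses the system-assigned identity. A VM that has
    only user-assigned identities, and more than one of them, must say which
    one it wants, so pass that identity's client_id in that case.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header; a plain HTTP redirect cannot
    # add it, which is what keeps a naive SSRF from reaching the endpoint.
    return url, {"Metadata": "true"}


def parse_token_response(body):
    """Pick the fields a caller needs out of the IMDS JSON response."""
    data = json.loads(body)
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],       # "Bearer"
        "resource": data["resource"],
        "expires_on": int(data["expires_on"]),  # Unix epoch seconds, sent as a string
    }


def decode_claims(jwt):
    """Decode the JWT payload without verifying the signature.

    Good enough to read 'oid' (the identity's principalId) and 'appid'
    (its client_id) for a local sanity check; never use this to trust a token.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_token(resource, client_id=None, timeout=5):
    """Call IMDS; works only from inside the VM (169.254.169.254 is link-local)."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


# --- constructed sample used for the offline check ------------------------
SAMPLE_OID = "0f5d3f0e-2c71-4a6e-9a0b-7b1d4c3e2a11"  # made-up principalId
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # made-up client_id


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_JWT = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "https://management.azure.com/", "oid": SAMPLE_OID,
             "appid": SAMPLE_CLIENT_ID}),
    "signature-omitted",
])
SAMPLE_RESPONSE_BODY = json.dumps({
    "access_token": SAMPLE_JWT,
    "client_id": SAMPLE_CLIENT_ID,
    "expires_in": "3599",
    "expires_on": "1700000000",
    "ext_expires_in": "3599",
    "not_before": "1699996400",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})


if __name__ == "__main__":
    # On the VM: request an ARM token and print the identity it belongs to.
    token = fetch_token("https://management.azure.com/")
    claims = decode_claims(token["access_token"])
    print("principalId (oid):", claims.get("oid"), "expires_on:", token["expires_on"])
```

Run it on the VM as any local user: IMDS requires no authentication beyond the Metadata header, which is the reason to keep the granted role as small as the workload needs. If the oid printed does not match the principalId your role assignment used, the token came from a different identity on the VM; pass client_id to select the right one.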
Disable the system-assigned managed identity on an Azure VM
To remove the system-assigned managed identity from a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.
Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
Load the template into an editor and locate the Microsoft.Compute/virtualMachines resource of interest within the resources section. If the VM has only a system-assigned managed identity, you can disable it by changing the identity type to None. Disabling the system-assigned identity deletes its service principal; role assignments that were granted to it are not removed automatically and remain behind pointing at an unknown principal, so clean them up as part of the same change.
Microsoft.Compute/virtualMachines API version 2018-06-01
If your VM has both system-assigned and user-assigned managed identities, remove SystemAssigned from the identity type and keep UserAssigned along with the userAssignedIdentities dictionary values.
Microsoft.Compute/virtualMachines API version 2017-12-01
If your apiVersion is 2017-12-01 and your VM has both system-assigned and user-assigned managed identities, remove SystemAssigned from the identity type and keep UserAssigned along with the identityIds array of user-assigned managed identities.
The following example shows how to remove the system-assigned managed identity from a VM that has no user-assigned managed identities:

```json
{
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[parameters('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "None"
    }
}
```
User-assigned managed identity
In this section, you assign a user-assigned managed identity to an Azure VM using an Azure Resource Manager template.
Note
To create a user-assigned managed identity using an Azure Resource Manager template, see Create a user-assigned managed identity.
Assign a user-assigned managed identity to an Azure VM
To assign a user-assigned identity to a VM, your account needs the Virtual Machine Contributor and Managed Identity Operator role assignments. No additional Azure AD directory role assignments are required.
Under the resources element, add the following entry to assign a user-assigned managed identity to your VM. Be sure to replace <USERASSIGNEDIDENTITYNAME> with the name of the user-assigned managed identity you created. If the identity lives in a different resource group from the VM, pass that resource group's name as the first argument of resourceId().
Microsoft.Compute/virtualMachines API version 2018-06-01
If your apiVersion is 2018-06-01, your user-assigned managed identities are stored in the userAssignedIdentities dictionary format, and the <USERASSIGNEDIDENTITYNAME> value must be stored in a variable defined in the variables section of your template.

```json
{
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[variables('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
        }
    }
}
```

Microsoft.Compute/virtualMachines API version 2017-12-01
If your apiVersion is 2017-12-01, your user-assigned managed identities are stored in the identityIds array, and the <USERASSIGNEDIDENTITYNAME> value must be stored in a variable defined in the variables section of your template.

```json
{
    "apiVersion": "2017-12-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[variables('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "UserAssigned",
        "identityIds": [
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]"
        ]
    }
}
```

When you're done, the following sections should be added to the resources section of your template, and it should resemble the following. As before, the extension resource appears only if you provisioned the optional VM extension, which is being deprecated.
Microsoft.Compute/virtualMachines API version 2018-06-01

```json
"resources": [
    {
        //other resource provider properties...
        "apiVersion": "2018-06-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "UserAssigned",
            "userAssignedIdentities": {
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]": {}
            }
        }
    },
    //The following appears only if you provisioned the optional VM extension (to be deprecated)
    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2018-06-01-preview",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            }
        }
    }
]
```

Microsoft.Compute/virtualMachines API version 2017-12-01

```json
"resources": [
    {
        //other resource provider properties...
        "apiVersion": "2017-12-01",
        "type": "Microsoft.Compute/virtualMachines",
        "name": "[variables('vmName')]",
        "location": "[resourceGroup().location]",
        "identity": {
            "type": "UserAssigned",
            "identityIds": [
                "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('<USERASSIGNEDIDENTITYNAME>'))]"
            ]
        }
    },
    //The following appears only if you provisioned the optional VM extension (to be deprecated)
    {
        "type": "Microsoft.Compute/virtualMachines/extensions",
        "name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
        "apiVersion": "2015-05-01-preview",
        "location": "[resourceGroup().location]",
        "dependsOn": [
            "[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
        ],
        "properties": {
            "publisher": "Microsoft.ManagedIdentity",
            "type": "ManagedIdentityExtensionForWindows",
            "typeHandlerVersion": "1.0",
            "autoUpgradeMinorVersion": true,
            "settings": {
                "port": 50342
            }
        }
    }
]
```
Remove a user-assigned managed identity from an Azure VM
To remove a user-assigned identity from a VM, your account needs the Virtual Machine Contributor role assignment. No additional Azure AD directory role assignments are required.
Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the VM.
Load the template into an editor and locate the Microsoft.Compute/virtualMachines resource of interest within the resources section. If the VM has only user-assigned managed identities, you can remove them all by changing the identity type to None. The following example shows how to remove all user-assigned managed identities from a VM that has no system-assigned managed identity:

```json
{
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[parameters('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "None"
    }
}
```

Microsoft.Compute/virtualMachines API version 2018-06-01
To remove a single user-assigned managed identity from a VM, remove its entry from the userAssignedIdentities dictionary. If the VM also has a system-assigned managed identity, keep SystemAssigned in the type value under identity. Once the last user-assigned identity has been removed, drop UserAssigned from the type as well, so that it reads SystemAssigned, or None if the VM has no system-assigned identity.
Microsoft.Compute/virtualMachines API version 2017-12-01
To remove a single user-assigned managed identity from a VM, remove its entry from the identityIds array. The same rule for the type value applies: keep SystemAssigned if the VM has it, and drop UserAssigned once the array is empty.
Removing a user-assigned identity from the VM does not delete the identity resource itself or the role assignments granted to it; the identity can still be assigned to other resources until you delete it.
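The edits described in the two removal sections above (dropping SystemAssigned while keeping the user-assigned identities, and removing a single user-assigned identity under either API version) are easy to get wrong by hand, in particular the type value once the last user-assigned identity is gone. The following Python helper is an added example, not code from this page or from Microsoft: it applies those edits to a VM resource loaded from a template, choosing the userAssignedIdentities dictionary or the identityIds array from the resource's apiVersion, and returns a new resource so the original template is untouched. The sample VM resources, the rg-example resource group, the zero-filled subscription ID and the identity names are constructed.

```python
"""Edit the identity block of a Microsoft.Compute/virtualMachines resource
in an ARM template, handling both schemas the page describes:
  - apiVersion 2018-06-01 and later: "userAssignedIdentities" dictionary
  - apiVersion 2017-12-01:           "identityIds" array

Added example (not the page's code): the sample resources, 'rg-example'
and the identity resource IDs below are constructed placeholders.
"""
import copy

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
UAMI_PREFIX = SUB + "/resourceGroups/rg-example/providers/Microsoft.ManagedIdentity/userAssignedIdentities/"
UAMI_APP = UAMI_PREFIX + "uami-app"
UAMI_BACKUP = UAMI_PREFIX + "uami-backup"


def _parse_type(identity):
    """'SystemAssigned, UserAssigned' -> {'systemassigned', 'userassigned'}; 'None' -> set()."""
    parts = (p.strip().lower() for p in identity.get("type", "None").split(","))
    return {p for p in parts if p and p != "none"}


def _format_type(parts):
    names = [n for n in ("SystemAssigned", "UserAssigned") if n.lower() in parts]
    return ", ".join(names) or "None"


def _uses_dictionary_schema(vm):
    # 2017-12-01 is the only version that takes the identityIds array;
    # 2018-06-01 and later use the userAssignedIdentities dictionary.
    return vm.get("apiVersion", "2018-06-01") >= "2018-06-01"


def remove_user_assigned_identity(vm, identity_resource_id):
    """Return a copy of the VM resource with one user-assigned identity removed.

    When the last one goes, UserAssigned is dropped from the type as well:
    the result keeps SystemAssigned if the VM has it, otherwise becomes None.
    Resource IDs are compared case-insensitively, as ARM does.
    """
    vm = copy.deepcopy(vm)
    identity = vm.setdefault("identity", {"type": "None"})
    parts = _parse_type(identity)
    target = identity_resource_id.lower()
    if _uses_dictionary_schema(vm):
        key = "userAssignedIdentities"
        left = {k: v for k, v in identity.get(key, {}).items() if k.lower() != target}
    else:
        key = "identityIds"
        left = [i for i in identity.get(key, []) if i.lower() != target]
    if left:
        identity[key] = left
    else:
        identity.pop(key, None)
        parts.discard("userassigned")
    identity["type"] = _format_type(parts)
    return vm


def disable_system_assigned_identity(vm):
    """Return a copy with SystemAssigned removed; user-assigned entries are untouched."""
    vm = copy.deepcopy(vm)
    identity = vm.setdefault("identity", {"type": "None"})
    parts = _parse_type(identity)
    parts.discard("systemassigned")
    identity["type"] = _format_type(parts)
    return vm


# Constructed sample resources, one per schema.
VM_2018 = {
    "apiVersion": "2018-06-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[variables('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {
        "type": "SystemAssigned, UserAssigned",
        "userAssignedIdentities": {UAMI_APP: {}, UAMI_BACKUP: {}},
    },
}
VM_2017 = {
    "apiVersion": "2017-12-01",
    "type": "Microsoft.Compute/virtualMachines",
    "name": "[variables('vmName')]",
    "location": "[resourceGroup().location]",
    "identity": {"type": "UserAssigned", "identityIds": [UAMI_APP]},
}


if __name__ == "__main__":
    import json
    step1 = remove_user_assigned_identity(VM_2018, UAMI_BACKUP)  # still SystemAssigned, UserAssigned
    step2 = remove_user_assigned_identity(step1, UAMI_APP)       # SystemAssigned only
    step3 = disable_system_assigned_identity(step2)              # None
    for step in (step1, step2, step3):
        print(json.dumps(step["identity"]))
```

Load the template with json.load, pass the VM resource from its resources array through these functions, and write the result back before deploying; the functions never touch the other resources, so the incremental deployment leaves them in place.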