使用模板在 Azure 虚拟机规模集上为 Azure 资源配置托管标识Configure managed identities for Azure resources on an Azure virtual machine scale using a template
Azure 资源的托管标识是 Azure Active Directory 的一项功能。Managed identities for Azure resources is a feature of Azure Active Directory. 支持 Azure 资源的托管标识的每个 Azure 服务都受其自己的时间线限制。Each of the Azure services that support managed identities for Azure resources are subject to their own timeline. 在开始之前,请务必查看资源的托管标识的可用性状态以及已知问题。Make sure you review the availability status of managed identities for your resource and known issues before you begin.
Azure 资源的托管标识在 Azure Active Directory 中为 Azure 服务提供了一个自动托管标识。Managed identities for Azure resources provide Azure services with an automatically managed identity in Azure Active Directory. 此标识可用于通过支持 Azure AD 身份验证的任何服务的身份验证,这样就无需在代码中插入凭据了。You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.
本文将介绍如何使用 Azure 资源管理器部署模板在 Azure 虚拟机规模集上执行以下 Azure 资源托管标识操作:In this article, you learn how to perform the following managed identities for Azure resources operations on an Azure virtual machine scale set, using Azure Resource Manager deployment template:
- 在 Azure 虚拟机规模集上启用和禁用系统分配托管标识Enable and disable the system-assigned managed identity on an Azure virtual machine scale set
- 在 Azure 虚拟机规模集上添加和删除用户分配托管标识Add and remove a user-assigned managed identity on an Azure virtual machine scale set
先决条件Prerequisites
如果不熟悉 Azure 资源的托管标识,请查阅概述部分。If you're unfamiliar with managed identities for Azure resources, check out the overview section. 请务必了解系统分配的托管标识与用户分配的托管标识之间的差异。Be sure to review the difference between a system-assigned and user-assigned managed identity.
如果还没有 Azure 帐户,请先注册试用帐户,然后再继续。If you don't already have an Azure account, sign up for a Trial before continuing.
若要执行本文中的管理操作,帐户需要以下基于 Azure 角色的访问控制分配:To perform the management operations in this article, your account needs the following Azure role-based access control assignments:
备注
无需其他 Azure AD 目录角色分配。No additional Azure AD directory role assignments required.
- 虚拟机参与者,可创建虚拟机规模集,并从虚拟机规模集启用和删除系统和/或用户分配托管标识。Virtual Machine Contributor to create a virtual machine scale set and enable and remove system and/or user-assigned managed identity from a virtual machine scale set.
- 托管标识参与者角色,可以创建用户分配的托管标识。Managed Identity Contributor role to create a user-assigned managed identity.
- 托管标识操作员角色,可在虚拟机规模集中分配和删除用户分配的托管标识。Managed Identity Operator role to assign and remove a user-assigned managed identity from and to a virtual machine scale set.
Azure Resource Manager 模板Azure Resource Manager templates
与 Azure 门户和脚本一样,Azure 资源管理器模板支持部署由 Azure 资源组定义的新资源或修改后的资源。As with the Azure portal and scripting, Azure Resource Manager templates provide the ability to deploy new or modified resources defined by an Azure resource group. 有多种可用于执行模板编辑和部署的方法(包括本地方法和基于门户的方法),包括:Several options are available for template editing and deployment, both local and portal-based, including:
- 使用 Azure 市场中的自定义模板,这样可以从头开始创建模板,也可以在现有常见模板或快速启动模板的基础之上操作。Using a custom template from the Azure Marketplace, which allows you to create a template from scratch, or base it on an existing common or quickstart template.
- 派生自现有资源组,具体方法是从原始部署或当前部署导出模板。Deriving from an existing resource group, by exporting a template from either the original deployment, or from the current state of the deployment.
- 使用本地 JSON 编辑器(例如 VS Code),然后使用 PowerShell 或 CLI 进行上传和部署。Using a local JSON editor (such as VS Code), and then uploading and deploying by using PowerShell or CLI.
- 使用 Visual Studio Azure 资源组项目同时创建和部署模板。Using the Visual Studio Azure Resource Group project to both create and deploy a template.
无论选择哪种方法,在初始部署和重新部署期间,模板语法都是相同的。Regardless of the option you choose, template syntax is the same during initial deployment and redeployment. 在新 VM 或现有 VM 上启用 Azure 资源托管标识的方式相同。Enabling managed identities for Azure resources on a new or existing VM is done in the same manner. 此外,默认情况下,Azure 资源管理器还会对部署执行增量更新。Also, by default, Azure Resource Manager does an incremental update to deployments.
系统分配的托管标识System-assigned managed identity
在此部分中,将使用 Azure 资源管理器模板启用和禁用系统分配托管标识。In this section, you will enable and disable the system-assigned managed identity using an Azure Resource Manager template.
在创建虚拟机规模集期间或在现有的虚拟机规模集上启用系统分配托管标识Enable system-assigned managed identity during creation the creation of a virtual machines scale set or an existing virtual machine scale set
无论是在本地登录到 Azure 还是通过 Azure 门户登录,请使用与包含虚拟机规模集的 Azure 订阅关联的帐户。Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the virtual machine scale set.
要启用系统分配托管标识,请将模板加载到编辑器中,在 resources 节中找到所关注的
Microsoft.Compute/virtualMachinesScaleSets资源,并在与identity属性相同的级别添加"type": "Microsoft.Compute/virtualMachinesScaleSets"属性。To enable the system-assigned managed identity, load the template into an editor, locate theMicrosoft.Compute/virtualMachinesScaleSetsresource of interest within the resources section and add theidentityproperty at the same level as the"type": "Microsoft.Compute/virtualMachinesScaleSets"property. 使用以下语法:Use the following syntax:"identity": { "type": "SystemAssigned" }
备注
可以选择通过在模板的 extensionProfile 元素中指定 Azure 资源虚拟机规模集扩展来为其预配托管标识。You may optionally provision the managed identities for Azure resources virtual machine scale set extension by specifying it in the extensionProfile element of the template. 此步骤是可选的,因为也可以使用 Azure 实例元数据服务 (IMDS) 标识终结点来检索令牌。This step is optional as you can use the Azure Instance Metadata Service (IMDS) identity endpoint, to retrieve tokens as well. 有关详细信息,请参阅从 VM 扩展迁移到 Azure IMDS 以进行身份验证。For more information, see Migrate from VM extension to Azure IMDS for authentication.
完成后,以下各节应当会添加到模板的 resource 节并应当呈现如下:When you're done, the following sections should added to the resource section of your template and should resemble the following:
"resources": [ { //other resource provider properties... "apiVersion": "2018-06-01", "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "[variables('vmssName')]", "location": "[resourceGroup().location]", "identity": { "type": "SystemAssigned", }, "properties": { //other resource provider properties... "virtualMachineProfile": { //other virtual machine profile properties... //The following appears only if you provisioned the optional virtual machine scale set extension (to be deprecated) "extensionProfile": { "extensions": [ { "name": "ManagedIdentityWindowsExtension", "properties": { "publisher": "Microsoft.ManagedIdentity", "type": "ManagedIdentityExtensionForWindows", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true, "settings": { "port": 50342 } } } ] } } } } ]
从 Azure 虚拟机规模集中禁用系统分配托管标识Disable a system-assigned managed identity from an Azure virtual machine scale set
如果虚拟机规模集不再需要系统分配托管标识,请执行以下操作:If you have a virtual machine scale set that no longer needs a system-assigned managed identity:
无论是在本地登录到 Azure 还是通过 Azure 门户登录,请使用与包含虚拟机规模集的 Azure 订阅关联的帐户。Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the virtual machine scale set.
将模板加载到编辑器,并在
resources部分找到相关的Microsoft.Compute/virtualMachineScaleSets资源。Load the template into an editor and locate theMicrosoft.Compute/virtualMachineScaleSetsresource of interest within theresourcessection. 如果 VM 只有系统分配的托管标识,则可以将标识类型更改为None来禁用它。If you have a VM that only has system-assigned managed identity, you can disable it by changing the identity type toNone.Microsoft.Compute/virtualMachineScaleSets API 版本 2018-06-01Microsoft.Compute/virtualMachineScaleSets API version 2018-06-01
如果 apiVersion 为
2018-06-01并且 VM 同时具有系统和用户分配的托管标识,请从标识类型中删除SystemAssigned并保留UserAssigned以及 userAssignedIdentities 字典值。If your apiVersion is2018-06-01and your VM has both system and user-assigned managed identities, removeSystemAssignedfrom the identity type and keepUserAssignedalong with the userAssignedIdentities dictionary values.Microsoft.Compute/virtualMachineScaleSets API 版本 2018-06-01Microsoft.Compute/virtualMachineScaleSets API version 2018-06-01
如果 apiVersion 为
2017-12-01并且虚拟机规模集同时具有系统和用户分配的托管标识,请从标识类型中删除SystemAssigned,并保留UserAssigned以及用户分配托管标识的identityIds数组。If your apiVersion is2017-12-01and your virtual machine scale set has both system and user-assigned managed identities, removeSystemAssignedfrom the identity type and keepUserAssignedalong with theidentityIdsarray of the user-assigned managed identities.以下示例演示如何从没有用户分配托管标识的虚拟机规模集中删除系统分配托管标识:The following example shows you how to remove a system-assigned managed identity from a virtual machine scale set with no user-assigned managed identities:
{ "name": "[variables('vmssName')]", "apiVersion": "2018-06-01", "location": "[parameters(Location')]", "identity": { "type": "None" } }
用户分配的托管标识User-assigned managed identity
在本部分中,将使用 Azure 资源管理器模板向虚拟机规模集分配用户分配托管标识。In this section, you assign a user-assigned managed identity to a virtual machine scale set using Azure Resource Manager template.
备注
要使用 Azure 资源管理器模板创建用户分配托管标识,请参阅创建用户分配托管标识。To create a user-assigned managed identity using an Azure Resource Manager Template, see Create a user-assigned managed identity.
将用户分配的托管标识分配给虚拟机规模集Assign a user-assigned managed identity to a virtual machine scale set
在
resources元素下添加以下条目,向虚拟机规模集分配用户分配托管标识。Under theresourceselement, add the following entry to assign a user-assigned managed identity to your virtual machine scale set. 请务必将<USERASSIGNEDIDENTITY>替换为你创建的用户分配的托管标识的名称。Be sure to replace<USERASSIGNEDIDENTITY>with the name of the user-assigned managed identity you created.Microsoft.Compute/virtualMachineScaleSets API 版本 2018-06-01Microsoft.Compute/virtualMachineScaleSets API version 2018-06-01
如果 apiVersion 为
2018-06-01,则用户分配托管标识以userAssignedIdentities字典格式存储,并且<USERASSIGNEDIDENTITYNAME>值必须存储在模板的variables节中定义的某个变量中。If your apiVersion is2018-06-01, your user-assigned managed identities are stored in theuserAssignedIdentitiesdictionary format and the<USERASSIGNEDIDENTITYNAME>value must be stored in a variable defined in thevariablessection of your template.{ "name": "[variables('vmssName')]", "apiVersion": "2018-06-01", "location": "[parameters(Location')]", "identity": { "type": "userAssigned", "userAssignedIdentities": { "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]": {} } } }Microsoft.Compute/virtualMachineScaleSets API 版本 2017-12-01Microsoft.Compute/virtualMachineScaleSets API version 2017-12-01
如果
apiVersion为2017-12-01或早期版本,则用户分配托管标识存储在identityIds数组中,并且<USERASSIGNEDIDENTITYNAME>值必须存储在模板的 variables 节中定义的某个变量中。If yourapiVersionis2017-12-01or earlier, your user-assigned managed identities are stored in theidentityIdsarray and the<USERASSIGNEDIDENTITYNAME>value must be stored in a variable defined in the variables section of your template.{ "name": "[variables('vmssName')]", "apiVersion": "2017-03-30", "location": "[parameters(Location')]", "identity": { "type": "userAssigned", "identityIds": [ "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITY>'))]" ] } }
备注
可以选择通过在模板的 extensionProfile 元素中指定 Azure 资源虚拟机规模集扩展来为其预配托管标识。You may optionally provision the managed identities for Azure resources virtual machine scale set extension by specifying it in the extensionProfile element of the template. 此步骤是可选的,因为也可以使用 Azure 实例元数据服务 (IMDS) 标识终结点来检索令牌。This step is optional as you can use the Azure Instance Metadata Service (IMDS) identity endpoint, to retrieve tokens as well. 有关详细信息,请参阅从 VM 扩展迁移到 Azure IMDS 以进行身份验证。For more information, see Migrate from VM extension to Azure IMDS for authentication.
完成后,模板应当类似于以下示例:When you are done, your template should look similar to the following:
Microsoft.Compute/virtualMachineScaleSets API 版本 2018-06-01Microsoft.Compute/virtualMachineScaleSets API version 2018-06-01
"resources": [ { //other resource provider properties... "apiVersion": "2018-06-01", "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "[variables('vmssName')]", "location": "[resourceGroup().location]", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]": {} } }, "properties": { //other virtual machine properties... "virtualMachineProfile": { //other virtual machine profile properties... //The following appears only if you provisioned the optional virtual machine scale set extension (to be deprecated) "extensionProfile": { "extensions": [ { "name": "ManagedIdentityWindowsExtension", "properties": { "publisher": "Microsoft.ManagedIdentity", "type": "ManagedIdentityExtensionForWindows", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true, "settings": { "port": 50342 } } } ] } } } } ]Microsoft.Compute/virtualMachines API 版本 2017-12-01Microsoft.Compute/virtualMachines API version 2017-12-01
"resources": [ { //other resource provider properties... "apiVersion": "2017-12-01", "type": "Microsoft.Compute/virtualMachineScaleSets", "name": "[variables('vmssName')]", "location": "[resourceGroup().location]", "identity": { "type": "UserAssigned", "identityIds": [ "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',variables('<USERASSIGNEDIDENTITYNAME>'))]" ] }, "properties": { //other virtual machine properties... "virtualMachineProfile": { //other virtual machine profile properties... //The following appears only if you provisioned the optional virtual machine scale set extension (to be deprecated) "extensionProfile": { "extensions": [ { "name": "ManagedIdentityWindowsExtension", "properties": { "publisher": "Microsoft.ManagedIdentity", "type": "ManagedIdentityExtensionForWindows", "typeHandlerVersion": "1.0", "autoUpgradeMinorVersion": true, "settings": { "port": 50342 } } } ] } } } } ]从 Azure 虚拟机规模集删除用户分配的托管标识Remove user-assigned managed identity from an Azure virtual machine scale set
如果虚拟机规模集不再需要用户分配托管标识,请执行以下操作:If you have a virtual machine scale set that no longer needs a user-assigned managed identity:
无论是在本地登录到 Azure 还是通过 Azure 门户登录,请使用与包含虚拟机规模集的 Azure 订阅关联的帐户。Whether you sign in to Azure locally or via the Azure portal, use an account that is associated with the Azure subscription that contains the virtual machine scale set.
将模板加载到编辑器,并在
resources部分找到相关的Microsoft.Compute/virtualMachineScaleSets资源。Load the template into an editor and locate theMicrosoft.Compute/virtualMachineScaleSetsresource of interest within theresourcessection. 如果虚拟机规模集只有用户分配的托管标识,则可以通过将标识类型更改为None来禁用它。If you have a virtual machine scale set that only has user-assigned managed identity, you can disable it by changing the identity type toNone.以下示例演示如何从没有系统分配的托管标识的 VM 中删除所有用户分配的托管标识:The following example shows you how to remove all user-assigned managed identities from a VM with no system-assigned managed identities:
{ "name": "[variables('vmssName')]", "apiVersion": "2018-06-01", "location": "[parameters(Location')]", "identity": { "type": "None" } }Microsoft.Compute/virtualMachineScaleSets API 版本 2018-06-01Microsoft.Compute/virtualMachineScaleSets API version 2018-06-01
若要从虚拟机规模集中删除单个用户分配的托管标识,请将其从
userAssignedIdentities字典中删除。To remove a single user-assigned managed identity from a virtual machine scale set, remove it from theuserAssignedIdentitiesdictionary.如果具有系统分配的标识,请将其保持在
identity值下的type值中。If you have a system-assigned identity, keep it in thetypevalue under theidentityvalue.Microsoft.Compute/virtualMachineScaleSets API 版本 2017-12-01Microsoft.Compute/virtualMachineScaleSets API version 2017-12-01
要从虚拟机规模集中删除单个用户分配托管标识,请将其从
identityIds数组中删除。To remove a single user-assigned managed identity from a virtual machine scale set, remove it from theidentityIdsarray.如果具有系统分配的托管标识,请将其保持在
identity值下的type值中。If you have a system-assigned managed identity, keep it in thetypevalue under theidentityvalue.