Use a Windows VM system-assigned managed identity to access Resource Manager
Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.
This tutorial shows you how to access the Azure Resource Manager API using a Windows virtual machine with a system-assigned managed identity enabled. Managed identities for Azure resources are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication without needing to insert credentials into your code. You learn how to:
- Grant your VM access to a Resource Group in Azure Resource Manager
- Get an access token using the VM identity and use it to call Azure Resource Manager
Prerequisites
- A basic understanding of managed identities. If you're not familiar with the managed identities for Azure resources feature, see this overview.
- An Azure account; sign up for a Trial.
- "Owner" permissions at the appropriate scope (your subscription or resource group) to perform the required resource creation and role management steps. If you need assistance with role assignment, see Use Role-Based Access Control to manage access to your Azure subscription resources.
- A Windows virtual machine that has a system-assigned managed identity enabled.
- If you need to create a virtual machine for this tutorial, you can follow the article titled Create a virtual machine with system-assigned identity enabled.
Grant your VM access to a resource group in Resource Manager
Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication. Azure Resource Manager supports Azure AD authentication. First, you need to grant this VM's system-assigned managed identity access to a resource in Resource Manager, in this case the Resource Group that contains the VM. Reader is sufficient for the GET call made later in this tutorial; granting a broader role than the task needs widens what a compromised process on the VM could do.
1. Navigate to the Resource Groups tab.
2. Select the specific Resource Group you created for your Windows VM.
3. Go to Access control (IAM) in the left panel.
4. Select Add role assignment to add a new role assignment for your Windows VM. Choose Reader as the Role.
5. In the next drop-down, set Assign access to to the resource type Virtual Machine.
6. Next, ensure the proper subscription is listed in the Subscription dropdown. For Resource Group, select All resource groups.
7. Finally, under Select, choose your Windows VM in the dropdown and click Save.
Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager
You will need to use PowerShell in this portion. If you don't have PowerShell installed, download it here.
1. In the portal, navigate to Virtual Machines, go to your Windows virtual machine, and in the Overview click Connect.
2. Enter the Username and Password you chose when you created the Windows VM.
3. Now that you have created a Remote Desktop Connection to the virtual machine, open PowerShell in the remote session.
4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Resource Manager. The request goes to the link-local instance metadata address and must carry the Metadata: true header; the endpoint is reachable only from inside the VM.
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.chinacloudapi.cn/' -Method GET -Headers @{Metadata="true"}
Note
The value of the "resource" parameter must be an exact match for what is expected by Azure AD. When using the Azure Resource Manager resource ID, you must include the trailing slash on the URI.
Next, extract the full response, which is stored as a JavaScript Object Notation (JSON) formatted string in the $response object.
$content = $response.Content | ConvertFrom-Json
Next, extract the access token from the response.
$ArmToken = $content.access_token
Finally, call Azure Resource Manager using the access token. In this example, we're also using the Invoke-WebRequest cmdlet to make the call to Azure Resource Manager, and include the access token in the Authorization header.
(Invoke-WebRequest -Uri https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-06-01 -Method GET -ContentType "application/json" -Headers @{ Authorization ="Bearer $ArmToken"}).content
Note
The URL is case-sensitive, so make sure you use exactly the same case you used earlier when you named the Resource Group, including the uppercase "G" in "resourceGroups".
The command returns the details of the Resource Group:
{"id":"/subscriptions/98f51385-2edc-4b79-bed9-7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"chinanorth","properties":{"provisioningState":"Succeeded"}}
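The token request and the Resource Manager call from the steps above, combined into one script that checks each step instead of assuming it succeeded. This is an added example, not part of the original article; `$SubscriptionId` and `$ResourceGroup` are placeholders you fill in, and the script is meant to run inside the VM.

```powershell
# Added example (not from the original article). Fill in the two placeholders.
$SubscriptionId = "<SUBSCRIPTION ID>"
$ResourceGroup  = "<RESOURCE GROUP>"
$Resource       = "https://management.chinacloudapi.cn/"   # trailing slash is required

# 1. Request a token from the local instance metadata endpoint. The Metadata header
#    is mandatory; the endpoint rejects requests that do not carry it.
$tokenUri = "http://169.254.169.254/metadata/identity/oauth2/token" +
            "?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
try {
    $tokenResponse = Invoke-WebRequest -Uri $tokenUri -Method GET `
        -Headers @{ Metadata = "true" } -UseBasicParsing
} catch {
    throw "Token request to the metadata endpoint failed: $($_.Exception.Message)"
}
$token = $tokenResponse.Content | ConvertFrom-Json

# 2. Validate what came back before using it. Do not write access_token to logs.
if (-not $token.access_token) { throw "Metadata response contains no access_token" }
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$token.expires_on)
Write-Host "Token for $($token.resource) expires at $($expires.UtcDateTime) UTC"

# 3. Call Resource Manager. The path is case-sensitive ("resourceGroups").
$armUri = "https://management.chinacloudapi.cn/subscriptions/$SubscriptionId" +
          "/resourceGroups/$ResourceGroup" + "?api-version=2016-06-01"
try {
    $arm = Invoke-WebRequest -Uri $armUri -Method GET -ContentType "application/json" `
        -Headers @{ Authorization = "Bearer $($token.access_token)" } -UseBasicParsing
} catch {
    # Distinguish a missing role assignment (403) from a rejected token (401).
    $status = $_.Exception.Response.StatusCode.value__
    if ($status -eq 403) { throw "Forbidden: the VM identity has no Reader role on $ResourceGroup" }
    if ($status -eq 401) { throw "Unauthorized: token rejected (check the resource value)" }
    throw "Resource Manager call failed: $($_.Exception.Message)"
}
$rg = $arm.Content | ConvertFrom-Json
Write-Host "Resource group $($rg.name) in $($rg.location): $($rg.properties.provisioningState)"
```

A 403 with a valid token means the role assignment from the first section has not been made (or has not propagated yet), while a 401 usually means the resource value did not match what Azure AD expects.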
Next steps
In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. To learn more about Azure Resource Manager, see: