Use a Windows VM system-assigned managed identity to access Resource Manager

Managed identities for Azure resources is a feature of Azure Active Directory. Each Azure service that supports managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

This quickstart shows you how to access the Azure Resource Manager API from a Windows virtual machine that has a system-assigned managed identity enabled. Managed identities for Azure resources are managed automatically by Azure and let you authenticate to services that support Azure AD authentication without inserting credentials into your code. You learn how to:

  • Grant your VM access to a Resource Group in Azure Resource Manager
  • Get an access token using the VM identity and use it to call Azure Resource Manager

Prerequisites

Grant your VM access to a resource group in Resource Manager

Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication. Azure Resource Manager supports Azure AD authentication. First, you need to grant this VM's system-assigned managed identity access to a resource in Resource Manager, in this case the Resource Group in which the VM is contained.

  1. Navigate to the Resource Groups tab.

  2. Select the specific Resource Group you created for your Windows VM.

  3. Go to Access control (IAM) in the left panel.

  4. Click Add role assignment to add a new role assignment for your Windows VM. Choose Reader as the Role.

  5. In the next drop-down, under Assign access to, choose Virtual Machine.

  6. Next, ensure the proper subscription is listed in the Subscription drop-down. For Resource Group, select All resource groups.

  7. Finally, in Select, choose your Windows VM in the drop-down and click Save.


Get an access token using the VM's system-assigned managed identity and use it to call Azure Resource Manager

You will need to use PowerShell in this portion. If you don't have PowerShell installed, download it here.

  1. In the portal, navigate to Virtual Machines, go to your Windows virtual machine, and in the Overview click Connect.

  2. Enter the Username and Password you chose when you created the Windows VM.

  3. Now that you have created a Remote Desktop connection to the virtual machine, open PowerShell in the remote session.

  4. Using the Invoke-WebRequest cmdlet, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Resource Manager.

       $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.chinacloudapi.cn/' -Method GET -Headers @{Metadata="true"}

    Note

    The value of the "resource" parameter must be an exact match for what Azure AD expects. When using the Azure Resource Manager resource ID, you must include the trailing slash on the URI.

    Next, extract the full response, which is stored as a JavaScript Object Notation (JSON) formatted string in the $response object.

    $content = $response.Content | ConvertFrom-Json

    Next, extract the access token from the response.

    $ArmToken = $content.access_token

    Finally, call Azure Resource Manager using the access token. In this example, we also use the Invoke-WebRequest cmdlet to make the call to Azure Resource Manager, and include the access token in the Authorization header.

    # The URI is quoted so that the angle-bracket placeholders do not break PowerShell parsing; replace them with your own values.
    (Invoke-WebRequest -Uri "https://management.chinacloudapi.cn/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE GROUP>?api-version=2016-06-01" -Method GET -ContentType "application/json" -Headers @{ Authorization ="Bearer $ArmToken"}).Content

    Note

    The URL is case-sensitive, so make sure you use exactly the same case you used earlier when you named the Resource Group, including the uppercase "G" in "resourceGroups".

    The command returns the details of the Resource Group:

    {"id":"/subscriptions/98f51385-2edc-4b79-bed9-7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"chinanorth","properties":{"provisioningState":"Succeeded"}}
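The token request, token check and Resource Manager call from the steps above, combined into one reusable function as an added example (this is not code from the original page or from Microsoft). It assumes it runs inside the Windows VM whose system-assigned managed identity holds the Reader role on the resource group; the function name and parameter names are this example's own choices, and expires_on is the Unix-epoch expiry field the IMDS token response carries alongside access_token.

```powershell
# Added example, not from the original page. Assumes it runs on the Windows VM
# whose system-assigned managed identity has the Reader role on the target group.
function Get-ArmResourceGroupViaMsi {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        # Trailing slash is required: the value must exactly match what Azure AD expects.
        [string] $ArmResource = 'https://management.chinacloudapi.cn/'
    )

    # 1. Ask the local IMDS endpoint for a token. No credentials are sent; the
    #    Metadata header is required so that forwarded (SSRF-style) requests are rejected.
    $tokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
                '?api-version=2018-02-01&resource=' + $ArmResource
    try {
        $token = Invoke-RestMethod -Uri $tokenUri -Method GET -Headers @{ Metadata = 'true' }
    } catch {
        throw "IMDS token request failed (is the system-assigned identity enabled?): $_"
    }

    # 2. Sanity-check the token before using it; expires_on is a Unix-epoch string.
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$token.expires_on)
    if ($expires -le [DateTimeOffset]::UtcNow) {
        throw "IMDS returned an already-expired token (expires_on=$($token.expires_on))"
    }

    # 3. Call Resource Manager. The path is case-sensitive ('resourceGroups'), and
    #    $ResourceGroupName must use the same casing as when the group was created.
    $armUri = "$($ArmResource.TrimEnd('/'))/subscriptions/$SubscriptionId" +
              "/resourceGroups/$ResourceGroupName?api-version=2016-06-01"
    try {
        return Invoke-RestMethod -Uri $armUri -Method GET -ContentType 'application/json' `
                                 -Headers @{ Authorization = "Bearer $($token.access_token)" }
    } catch {
        # A 403 here usually means the Reader role assignment is missing or not yet propagated.
        throw "Resource Manager call failed (check the role assignment on the group): $_"
    }
}

# Usage (placeholders; replace with your own values):
# Get-ArmResourceGroupViaMsi -SubscriptionId '<SUBSCRIPTION ID>' -ResourceGroupName '<RESOURCE GROUP>'
```

Invoke-RestMethod parses the JSON for you, so the returned object exposes the same id, name, location and properties fields shown in the response above.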

Next steps

In this quickstart, you learned how to use a system-assigned managed identity to access the Azure Resource Manager API. To learn more about Azure Resource Manager, see: