Tutorial: Use a Windows VM system-assigned managed identity to access Azure Key Vault

Managed identities for Azure resources is a feature of Azure Active Directory. Each of the Azure services that support managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and known issues before you begin.

This tutorial shows you how to use a system-assigned managed identity for a Windows virtual machine (VM) to access Azure Key Vault. Serving as a bootstrap, Key Vault makes it possible for your client application to then use the secret to access resources not secured by Azure Active Directory (AD). Managed Service Identities are automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication, without needing to insert credentials into your code.

You learn how to:

  • Grant your VM access to a secret stored in a Key Vault
  • Get an access token using the VM identity and use it to retrieve the secret from Key Vault



Enabling a system-assigned managed identity is a one-click experience. You can either enable it during the creation of a VM or in the properties of an existing VM.


To enable a system-assigned managed identity on a new VM:

  1. Sign in to Azure portal

  2. Create a virtual machine with system-assigned identity enabled

Grant access

This section shows how to grant your VM access to a secret stored in a Key Vault. Using managed identities for Azure resources, your code can get access tokens to authenticate to resources that support Azure AD authentication. However, not all Azure services support Azure AD authentication. To use managed identities for Azure resources with those services, store the service credentials in Azure Key Vault, and use the VM's managed identity to access Key Vault to retrieve the credentials.

First, we need to create a Key Vault and grant our VM's system-assigned managed identity access to the Key Vault.

  1. At the top of the left navigation bar, select Create a resource > Security + Identity > Key Vault.

  2. Provide a Name for the new Key Vault.

  3. Locate the Key Vault in the same subscription and resource group as the VM you created earlier.

  4. Select Access policies and click Add new.

  5. In Configure from template, select Secret Management.

  6. Choose Select Principal, and in the search field enter the name of the VM you created earlier. Select the VM in the result list and click Select.

  7. Click OK to finish adding the new access policy, and OK to finish access policy selection.

  8. Click Create to finish creating the Key Vault.
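
A scripted counterpart to the access-policy step, as an added example that is not part of the original tutorial: it grants the VM's identity only the Get permission on secrets, which is all the retrieval code in this tutorial uses, then reviews what the identity holds. It assumes the Az PowerShell module, a signed-in session and an existing vault; all resource names are placeholders.

```powershell
# Added example; resource names below are placeholders, not values from the tutorial.
$resourceGroup = '<resource-group>'
$vmName        = '<vm-name>'
$vaultName     = '<key-vault-name>'

# The system-assigned identity is a service principal whose object ID is on the VM resource.
$vm = Get-AzVM -ResourceGroupName $resourceGroup -Name $vmName
if (-not $vm.Identity -or -not $vm.Identity.PrincipalId) {
    throw "VM '$vmName' has no system-assigned managed identity enabled."
}
$principalId = $vm.Identity.PrincipalId

# Grant read access to secret values only: no list, set or delete.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get

# Review what the identity now holds and flag anything beyond 'get' on secrets.
$policy = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId }
$extra = @(
    @($policy.PermissionsToSecrets | Where-Object { $_ -ne 'get' }) +
    @($policy.PermissionsToKeys) + @($policy.PermissionsToCertificates) |
    Where-Object { $_ }   # drop empty entries
)
if ($extra.Count -gt 0) {
    Write-Warning "Identity $principalId holds more than secret 'get': $($extra -join ', ')"
} else {
    Write-Output "Identity $principalId can only read secret values in $vaultName."
}
```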


Next, add a secret to the Key Vault, so that later you can retrieve the secret using code running in your VM:

  1. Select All Resources, and find and select the Key Vault you created.
  2. Select Secrets, and click Add.
  3. Select Manual, from Upload options.
  4. Enter a name and value for the secret. The value can be anything you want.
  5. Leave the activation date and expiration date clear, and leave Enabled as Yes.
  6. Click Create to create the secret.

Access data

This section shows how to get an access token using the VM identity and use it to retrieve the secret from the Key Vault. If you don't have PowerShell 4.3.1 or greater installed, you'll need to download and install the latest version.

First, we use the VM's system-assigned managed identity to get an access token to authenticate to Key Vault:

  1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click Connect.

  2. Enter the Username and Password that you added when you created the Windows VM.

  3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.

  4. In PowerShell, invoke the web request on the tenant to get the token for the local host in the specific port for the VM.

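    The PowerShell request:

    $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}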

    Next, extract the full response which is stored as a JavaScript Object Notation (JSON) formatted string in the $response object.

    $content = $response.Content | ConvertFrom-Json

    Next, extract the access token from the response.

    $KeyVaultToken = $content.access_token

    Finally, use PowerShell's Invoke-WebRequest command to retrieve the secret you created earlier in the Key Vault, passing the access token in the Authorization header. You'll need the URL of your Key Vault, which is in the Essentials section of the Overview page of the Key Vault.

    (Invoke-WebRequest -Uri 'https://<your-key-vault-URL>/secrets/<secret-name>?api-version=2016-10-01' -Method GET -Headers @{Authorization="Bearer $KeyVaultToken"}).content

    The response will look like this:


Once you've retrieved the secret from the Key Vault, you can use it to authenticate to a service that requires a name and password.
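
The token request and secret retrieval above combined into one function, as an added example that is not part of the original tutorial: it also checks the token's audience and expiry before use and returns the secret value without echoing the token. The function names are hypothetical, and the vault URL and secret name are the tutorial's placeholders.

```powershell
# Added example; function names are hypothetical, vault/secret names are placeholders.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-VaultSecretViaManagedIdentity {
    param(
        [Parameter(Mandatory)][string]$VaultUrl,   # e.g. https://<your-key-vault-URL>
        [Parameter(Mandatory)][string]$SecretName
    )
    $imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net'
    try {
        # The metadata endpoint only answers requests that carry the Metadata header.
        $tokenResponse = Invoke-RestMethod -Uri $imds -Method GET -Headers @{ Metadata = 'true' } -TimeoutSec 10
    } catch {
        throw "Token request failed (is the system-assigned identity enabled?): $($_.Exception.Message)"
    }

    # Sanity-check the claims; the signature itself is validated by Key Vault, not here.
    $claims = Get-JwtClaims -Token $tokenResponse.access_token
    if ($claims.aud -notlike 'https://vault.azure.net*') { throw "Unexpected token audience: $($claims.aud)" }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp)
    if ($expires -lt [DateTimeOffset]::UtcNow.AddMinutes(5)) { throw 'Token expires in under five minutes.' }

    $uri = '{0}/secrets/{1}?api-version=2016-10-01' -f $VaultUrl.TrimEnd('/'), $SecretName
    try {
        $secret = Invoke-RestMethod -Uri $uri -Method GET -Headers @{ Authorization = "Bearer $($tokenResponse.access_token)" }
    } catch {
        # A 403 response here indicates the VM identity lacks Get permission on secrets.
        throw "Key Vault request failed: $($_.Exception.Message)"
    }
    # Return the value to the caller; do not write the token or the secret to logs or transcripts.
    $secret.value
}

# Usage on the VM:
# $password = Get-VaultSecretViaManagedIdentity -VaultUrl 'https://<your-key-vault-URL>' -SecretName '<secret-name>'
```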


To disable the system-assigned identity on your VM, set the status of the system-assigned identity to Off.


Next steps

In this tutorial, you learned how to use a Windows VM system-assigned managed identity to access Azure Key Vault. To learn more about Azure Key Vault see: