Tutorial: Use a user-assigned managed identity on a Windows VM to access Azure Resource Manager

User-assigned managed identities are a preview feature of Azure Active Directory. Make sure you review the known issues before you begin. For more information about previews, see Supplemental Terms of Use for Azure Previews.

This tutorial explains how to create a user-assigned identity, assign it to a Windows virtual machine (VM), and then use that identity to access the Azure Resource Manager API. Managed Service Identities are automatically managed by Azure. They enable authentication to services that support Azure AD authentication without embedding credentials in your code.

You learn how to:

  • Create a user-assigned managed identity
  • Assign your user-assigned identity to your Windows VM
  • Grant the user-assigned identity access to a resource group in Azure Resource Manager
  • Get an access token using the user-assigned identity and use it to call Azure Resource Manager
  • Read the properties of a resource group

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Prerequisites

  • If you're not familiar with the managed identities for Azure resources feature, see this overview.

Enable

For a scenario that is based on a user-assigned identity, you need to perform the following steps:

  • Create an identity

  • Assign the newly created identity

Create identity

This section shows how to create a user-assigned identity. A user-assigned identity is created as a standalone Azure resource. Using New-AzUserAssignedIdentity, Azure creates an identity in your Azure AD tenant that can be assigned to one or more Azure service instances.

Important

When creating user-assigned identities, only alphanumeric characters (0-9, a-z, A-Z), the underscore (_) and the hyphen (-) are supported. Additionally, the name must be at least 3 and at most 128 characters long for the assignment to a VM/VMSS to work properly. Check back for updates. For more information, see FAQs and known issues.

New-AzUserAssignedIdentity -ResourceGroupName myResourceGroupVM -Name ID1

The response contains details for the user-assigned identity created, similar to the following example. Note the Id and ClientId values for your user-assigned identity, because they are used in subsequent steps:

{
Id: /subscriptions/<SUBSCRIPTIONID>/resourcegroups/myResourceGroupVM/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1
ResourceGroupName : myResourceGroupVM
Name: ID1
Location: chinanorth
TenantId: 733a8f0e-ec41-4e69-8ad8-971fc4b533f8
PrincipalId: e591178e-b785-43c8-95d2-1397559b2fb9
ClientId: af825a31-b0e0-471f-baea-96de555632f9
ClientSecretUrl: https://control-chinanorth.identity.chinacloudapi.cn/subscriptions/<SUBSCRIPTIONID>/resourcegroups/myResourceGroupVM/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1/credentials?tid=733a8f0e-ec41-4e69-8ad8-971fc4b533f8&oid=e591178e-b785-43c8-95d2-1397559b2fb9&aid=af825a31-b0e0-471f-baea-96de555632f9
Type: Microsoft.ManagedIdentity/userAssignedIdentities
}

Assign identity

This section shows how to assign the user-assigned identity to a Windows VM. A user-assigned identity can be used by clients on multiple Azure resources. Use the following commands to assign the user-assigned identity to a single VM. Use the Id property returned in the previous step for the -IdentityID parameter.

$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
Update-AzVM -ResourceGroupName myResourceGroup -VM $vm -IdentityType "UserAssigned" -IdentityID "/subscriptions/<SUBSCRIPTIONID>/resourcegroups/myResourceGroupVM/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ID1"

Grant access

This section shows how to grant your user-assigned identity access to a resource group in Azure Resource Manager. Managed identities for Azure resources provide identities that your code can use to request access tokens for authenticating to resource APIs that support Azure AD authentication. In this tutorial, your code will access the Azure Resource Manager API.

Before your code can access the API, you need to grant the identity access to a resource in Azure Resource Manager. In this case, that resource is the resource group that contains the VM. Update the value for <SUBSCRIPTION ID> as appropriate for your environment.

$spID = (Get-AzUserAssignedIdentity -ResourceGroupName myResourceGroupVM -Name ID1).principalid
New-AzRoleAssignment -ObjectId $spID -RoleDefinitionName "Reader" -Scope "/subscriptions/<SUBSCRIPTIONID>/resourcegroups/myResourceGroupVM/"

The response contains details for the role assignment created, similar to the following example:

RoleAssignmentId: /subscriptions/80c696ff-5efa-4909-a64d-f1b616f423ca/resourcegroups/myResourceGroupVM/providers/Microsoft.Authorization/roleAssignments/f9cc753d-265e-4434-ae19-0c3e2ead62ac
Scope: /subscriptions/80c696ff-5efa-4909-a64d-f1b616f423ca/resourcegroups/myResourceGroupVM
DisplayName: ID1
SignInName:
RoleDefinitionName: Reader
RoleDefinitionId: acdd72a7-3385-48ef-bd42-f606fba81ae7
ObjectId: e591178e-b785-43c8-95d2-1397559b2fb9
ObjectType: ServicePrincipal
CanDelegate: False
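Once the identity is created, assigned and granted Reader, it is worth confirming that the VM actually carries the identity and that the identity holds no role assignments beyond the one intended. The following PowerShell is an added example, not code from the original tutorial; it assumes the Az modules are installed, Connect-AzAccount has been run, and the resource names below are placeholders matching the tutorial's sample values.

```powershell
# Added example (not from the original tutorial): verify identity attachment
# and check for over-broad role assignments on the user-assigned identity.
$IdentityRG   = "myResourceGroupVM"   # assumed: resource group holding the identity
$IdentityName = "ID1"                 # assumed: identity name from the tutorial
$VmRG         = "myResourceGroup"     # assumed: resource group holding the VM
$VmName       = "myVM"                # assumed: VM name from the tutorial

function Test-IdentityAttached {
    param([string]$VmRG, [string]$VmName, [string]$IdentityId)
    $vm = Get-AzVM -ResourceGroupName $VmRG -Name $VmName
    # UserAssignedIdentities is a dictionary keyed by the identity's full resource ID;
    # -contains compares strings case-insensitively, which suits ARM resource IDs.
    $attached = $vm.Identity -and $vm.Identity.UserAssignedIdentities -and
                ($vm.Identity.UserAssignedIdentities.Keys -contains $IdentityId)
    return [bool]$attached
}

function Get-IdentityRoleAssignments {
    param([string]$PrincipalId)
    # Every role the principal holds in the current subscription, so that an
    # over-broad assignment (for example Contributor at subscription scope) stands out.
    Get-AzRoleAssignment -ObjectId $PrincipalId | Select-Object RoleDefinitionName, Scope
}

$identity = Get-AzUserAssignedIdentity -ResourceGroupName $IdentityRG -Name $IdentityName
if (-not (Test-IdentityAttached -VmRG $VmRG -VmName $VmName -IdentityId $identity.Id)) {
    throw "Identity $($identity.Id) is not attached to VM $VmName"
}

# The only assignment this tutorial needs: Reader on the identity's resource group.
$expectedScope = "/subscriptions/$((Get-AzContext).Subscription.Id)/resourcegroups/$IdentityRG"
$roles = Get-IdentityRoleAssignments -PrincipalId $identity.PrincipalId
$roles | Format-Table -AutoSize

$unexpected = $roles | Where-Object {
    $_.RoleDefinitionName -ne "Reader" -or $_.Scope -ne $expectedScope
}
if ($unexpected) {
    Write-Warning "Identity $IdentityName holds role assignments beyond Reader on $IdentityRG; review them before proceeding."
}
```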

Access data

Get an access token

For the remainder of the tutorial, you will work from the VM you created earlier.

  1. Sign in to the Azure portal at https://portal.azure.cn

  2. In the portal, navigate to Virtual Machines, go to the Windows virtual machine, and in the Overview, click Connect.

  3. Enter the Username and Password you used when you created the Windows VM.

  4. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the remote session.

  5. Using PowerShell's Invoke-WebRequest, make a request to the local managed identities for Azure resources endpoint to get an access token for Azure Resource Manager. The client_id value is the ClientId returned when you created the user-assigned managed identity.

    $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=af825a31-b0e0-471f-baea-96de555632f9&resource=https://management.chinacloudapi.cn/' -Method GET -Headers @{Metadata="true"}
    $content = $response.Content | ConvertFrom-Json
    $ArmToken = $content.access_token
    

Read properties

Use the access token retrieved in the previous step to access Azure Resource Manager, and read the properties of the resource group to which you granted your user-assigned identity access. Replace <SUBSCRIPTION ID> with the subscription ID of your environment.

(Invoke-WebRequest -Uri https://management.chinacloudapi.cn/subscriptions/80c696ff-5efa-4909-a64d-f1b616f423ca/resourceGroups/myResourceGroupVM?api-version=2016-06-01 -Method GET -ContentType "application/json" -Headers @{Authorization ="Bearer $ArmToken"}).content

The response contains the specific resource group information, similar to the following example:

{"id":"/subscriptions/<SUBSCRIPTIONID>/resourceGroups/myResourceGroupVM","name":"myResourceGroupVM","location":"chinanorth","properties":{"provisioningState":"Succeeded"}}
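The two steps above (requesting a token from the local endpoint, then calling Azure Resource Manager with it) are combined below into one script that also decodes the token's claims to confirm it was issued to the intended user-assigned identity before using it. This is an added example, not code from the original tutorial; it assumes it runs inside the VM and that $ClientId, $SubscriptionId and $ResourceGroup are placeholders for your environment.

```powershell
# Added example (not from the original tutorial): get an ARM token for the
# user-assigned identity from the local endpoint, confirm the token's appid claim
# matches the identity, then read the resource group and handle failures.
$ClientId       = "<CLIENT ID>"         # assumed: ClientId from the identity you created
$SubscriptionId = "<SUBSCRIPTION ID>"   # assumed: your subscription ID
$ResourceGroup  = "myResourceGroupVM"   # assumed: resource group granted Reader
$ArmResource    = "https://management.chinacloudapi.cn/"

function Get-ImdsToken {
    param([string]$ClientId, [string]$Resource)
    $uri = "http://169.254.169.254/metadata/identity/oauth2/token" +
           "?api-version=2018-02-01&client_id=$ClientId" +
           "&resource=$([uri]::EscapeDataString($Resource))"
    # The endpoint requires the Metadata header; requests routed through a proxy are rejected.
    $resp = Invoke-WebRequest -Uri $uri -Method GET -Headers @{Metadata = "true"} -UseBasicParsing
    return $resp.Content | ConvertFrom-Json
}

function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    # Decode only the payload segment (base64url) to inspect claims; no signature check here.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$token  = Get-ImdsToken -ClientId $ClientId -Resource $ArmResource
$claims = ConvertFrom-JwtPayload -Jwt $token.access_token
if ($claims.appid -ne $ClientId) {
    # Another identity on the VM (for example a system-assigned one) answered instead.
    throw "Token was issued to appid $($claims.appid); expected $ClientId"
}
$expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$token.expires_on)
Write-Host "Token for $($claims.appid), audience $($claims.aud), valid until $expires"

$rgUri = $ArmResource + "subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
         "?api-version=2016-06-01"
try {
    $rg = Invoke-RestMethod -Uri $rgUri -Method GET `
          -Headers @{Authorization = "Bearer $($token.access_token)"}
    Write-Host "Resource group $($rg.name) in $($rg.location): $($rg.properties.provisioningState)"
} catch {
    # A 403 usually means the Reader assignment has not propagated yet or was scoped elsewhere.
    Write-Warning "Azure Resource Manager call failed: $($_.Exception.Message)"
}
```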

Next steps

In this tutorial, you learned how to create a user-assigned identity and attach it to an Azure virtual machine to access the Azure Resource Manager API. To learn more about Azure Resource Manager, see: