Configure deployment credentials for Azure App Service

Azure App Service supports two types of credentials for local Git deployment and FTP/S deployment. These credentials are not the same as your Azure subscription credentials.

  • User-level credentials: one set of credentials for the entire Azure account. They can be used to deploy to App Service for any app, in any subscription, that the Azure account has permission to access. This is the default set surfaced in the portal GUI (for example, the Overview and Properties pages of the app's resource page). When a user is granted access to an app via role-based access control (RBAC) or co-administrator permissions, that user can use their own user-level credentials until the access is revoked. Do not share these credentials with other Azure users.

  • App-level credentials: one set of credentials for each app. They can be used to deploy to that app only. The credentials for each app are generated automatically when the app is created. They can't be configured manually, but they can be reset at any time. For a user to be granted access to app-level credentials via RBAC, that user must be a Contributor or higher on the app (this includes the Website Contributor built-in role). Readers are not allowed to publish, and therefore can't access these credentials.

Configure user-level credentials

You can configure your user-level credentials in any app's resource page. Regardless of which app you configure them in, the credentials apply to all apps and all subscriptions in your Azure account.

In the Azure CLI

To configure the deployment user in the Azure CLI, run the az webapp deployment user set command. Replace <username> and <password> with a username and password for the deployment user.

  • The username must be unique within Azure and, for local Git pushes, must not contain the '@' symbol.
  • The password must be at least eight characters long and contain two of the following three elements: letters, numbers, and symbols.
az webapp deployment user set --user-name <username> --password <password>

The JSON output shows the password as null. If you get a 'Conflict'. Details: 409 error, change the username. If you get a 'Bad Request'. Details: 400 error, use a stronger password. Because the password is passed as a command-line argument, it is recorded in your shell history; treat that history as sensitive, or supply the value in a way that is not logged.

In the portal

In the Azure portal, you must have at least one app before you can access the deployment credentials page. To configure your user-level credentials:

  1. In the Azure portal, from the left menu, select App Services > <any_app> > Deployment center > FTP > Dashboard.

    [Screenshot: selecting the FTP dashboard from the Deployment center of an App Service app]

    Or, if you've already configured Git deployment, select App Services > <any_app> > Deployment center > FTP/Credentials.

    [Screenshot: selecting the FTP dashboard from the Deployment center when Git deployment is configured]

  2. Select User Credentials, configure the user name and password, and then select Save Credentials.

Once you have set your deployment credentials, you can find the Git deployment username in your app's Overview page.

[Screenshot: locating the Git deployment username on the app's Overview page]

If Git deployment is configured, the page shows a Git/deployment username; otherwise, an FTP/deployment username.

Note

Azure does not show your user-level deployment password. If you forget the password, you can reset your credentials by following the steps in this section.

Use user-level credentials with FTP/FTPS

Authenticating to an FTP/FTPS endpoint using user-level credentials requires a username in the following format: <app-name>\<user-name>

Because user-level credentials are linked to the user rather than to a specific resource, the username must be in this format to direct the sign-in to the right app endpoint.

Get and reset app-level credentials

To get the app-level credentials:

  1. In the Azure portal, from the left menu, select App Services > <any_app> > Deployment center > FTP/Credentials.

  2. Select App Credentials, and select the Copy link to copy the username or password.

To reset the app-level credentials, select Reset Credentials in the same dialog.

Disable basic authentication

Some organizations need to meet security requirements and would rather disable access via FTP or WebDeploy. Disabling these channels means the organization's members can reach its App Service apps only through APIs protected by Azure Active Directory (Azure AD) authentication, rather than with static publishing passwords.

FTP

To disable FTP access to the site, run the following CLI command. Replace the placeholders with your resource group and site name.

az resource update --resource-group <resource-group> --name ftp --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<site-name> --set properties.allow=false

To confirm that FTP access is blocked, try to authenticate using an FTP client such as FileZilla. To retrieve the publishing credentials, go to the Overview blade of your site and select Download Publish Profile. Use the file's FTP hostname, username, and password to authenticate; you will get a 401 error response, indicating that you are not authorized.

WebDeploy and SCM

To disable basic-auth access to the WebDeploy port and the SCM site, run the following CLI command. Replace the placeholders with your resource group and site name.

az resource update --resource-group <resource-group> --name scm --namespace Microsoft.Web --resource-type basicPublishingCredentialsPolicies --parent sites/<site-name> --set properties.allow=false

To confirm that the publish profile credentials are blocked on WebDeploy, try publishing a web app using Visual Studio 2019. Note that these policies apply to the production site only; deployment slots carry their own basicPublishingCredentialsPolicies resources and need the same change.
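The two commands above close one policy on one site at a time. The following script is an added example (not code from the original page or from Azure) that audits the JSON the CLI prints for the basicPublishingCredentialsPolicies child resources and builds the matching az resource update commands for every policy that still allows basic auth. It does not call az itself; the subscription ID, resource group and site names in the embedded sample are constructed, and a policy whose properties.allow was never set is treated as allowed, which is the service default, so an unset policy is reported rather than silently passed.

```python
"""Audit which App Service sites still allow basic-auth publishing.

Added example, not from the original page or from Azure. Feed it the JSON
that `az resource show ... --resource-type basicPublishingCredentialsPolicies`
prints (one object, or a list of such objects collected across sites); it
returns the policies whose properties.allow is still true and the
`az resource update` command from this section that closes each one.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample shaped like the policy objects the CLI returns; the
# subscription ID, resource groups and site names are hypothetical.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_TYPE = "Microsoft.Web/sites/basicPublishingCredentialsPolicies"
SAMPLE_POLICIES_JSON = json.dumps([
    {"id": f"{_SUB}/resourceGroups/rg-prod/providers/Microsoft.Web/sites/contoso-web"
           "/basicPublishingCredentialsPolicies/ftp",
     "name": "ftp", "type": _TYPE, "properties": {"allow": True}},
    {"id": f"{_SUB}/resourceGroups/rg-prod/providers/Microsoft.Web/sites/contoso-web"
           "/basicPublishingCredentialsPolicies/scm",
     "name": "scm", "type": _TYPE, "properties": {"allow": False}},
    {"id": f"{_SUB}/resourceGroups/rg-api/providers/Microsoft.Web/sites/contoso-api"
           "/basicPublishingCredentialsPolicies/ftp",
     "name": "ftp", "type": _TYPE, "properties": {"allow": False}},
    {"id": f"{_SUB}/resourceGroups/rg-api/providers/Microsoft.Web/sites/contoso-api"
           "/basicPublishingCredentialsPolicies/scm",
     "name": "scm", "type": _TYPE, "properties": {}},   # allow never set
])


def parse_policy_id(resource_id: str) -> Tuple[str, str, str]:
    """Split the ARM ID of a basicPublishingCredentialsPolicies resource into
    (resource_group, site_name, policy_name), where policy_name is 'ftp' or 'scm'.
    ARM IDs are case-insensitive in their segment names, so match them lowercased."""
    parts = resource_id.strip("/").split("/")
    lower = [p.lower() for p in parts]
    try:
        rg = parts[lower.index("resourcegroups") + 1]
        site = parts[lower.index("sites") + 1]
        policy = parts[lower.index("basicpublishingcredentialspolicies") + 1]
    except (ValueError, IndexError):
        raise ValueError(f"not a basicPublishingCredentialsPolicies ID: {resource_id}")
    return rg, site, policy.lower()


def find_open_policies(policies_json: str) -> List[Dict[str, str]]:
    """Return the policies that still allow basic-auth publishing.

    A missing properties.allow is treated as allowed (the service default for a
    policy that was never set), so it is reported rather than silently passed.
    """
    policies = json.loads(policies_json)
    if isinstance(policies, dict):          # `az resource show` prints one object
        policies = [policies]
    open_policies: List[Dict[str, str]] = []
    for p in policies:
        if p.get("properties", {}).get("allow", True):
            rg, site, policy = parse_policy_id(p["id"])
            open_policies.append({"resource_group": rg, "site": site, "policy": policy})
    return open_policies


def disable_commands(open_policies: List[Dict[str, str]]) -> List[str]:
    """Build the `az resource update` command from this section for each open policy."""
    return [
        "az resource update --resource-group {rg} --name {policy} --namespace Microsoft.Web "
        "--resource-type basicPublishingCredentialsPolicies --parent sites/{site} "
        "--set properties.allow=false".format(
            rg=p["resource_group"], policy=p["policy"], site=p["site"])
        for p in open_policies
    ]


if __name__ == "__main__":
    for cmd in disable_commands(find_open_policies(SAMPLE_POLICIES_JSON)):
        print(cmd)
```

Run against the sample, the script flags contoso-web (FTP still open) and contoso-api (SCM policy never set) and prints the two commands to close them; the commands are emitted rather than executed so they can be reviewed before anything changes.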

Disable access to the API

The API in the previous section is backed by Azure role-based access control (Azure RBAC), which means you can create a custom role and assign lower-privileged users to it so that they cannot re-enable basic auth on any site. To configure the custom role, follow these instructions.

You can also use Azure Monitor to audit successful authentication requests and Azure Policy to enforce this configuration for all sites in your subscription.

Next steps

Find out how to use these credentials to deploy your app from local Git or using FTP/S.