Connection assets in Azure Automation

An Automation connection asset contains the information required to connect to an external service or application from a runbook or DSC configuration. This may include information required for authentication, such as a username and password, in addition to connection information such as a URL or a port. The value of a connection is that it keeps all of the properties for connecting to a particular application in one asset, as opposed to creating multiple variables. The user can edit the values for a connection in one place, and you can pass the name of a connection to a runbook or DSC configuration in a single parameter. The properties of a connection can be accessed in the runbook or DSC configuration with the Get-AutomationConnection activity.

When you create a connection, you must specify a connection type. The connection type is a template that defines a set of properties. The connection defines a value for each property defined in its connection type.

Note

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each Automation account. This key is stored in a system-managed Key Vault. Before a secure asset is stored, the key is loaded from Key Vault and then used to encrypt the asset. This process is managed by Azure Automation.

Connection types

There are three types of built-in connections available in Azure Automation:

  • Azure - This connection can be used to manage classic resources.
  • AzureClassicCertificate - This connection is used by the AzureClassicRunAs account.
  • AzureServicePrincipal - This connection is used by the AzureRunAs account.

In most cases, you don't need to create a connection resource, because it is created when you create a Run As account.

Windows PowerShell cmdlets

The cmdlets in the following table are used to create and manage Automation connections with Windows PowerShell. They ship as part of the Azure PowerShell module, which is available for use in Automation runbooks and DSC configurations.

Cmdlet                                      Description
Get-AzureRmAutomationConnection             Retrieves a connection. Includes a hash table with the values of the connection's fields.
New-AzureRmAutomationConnection             Creates a new connection.
Remove-AzureRmAutomationConnection          Removes an existing connection.
Set-AzureRmAutomationConnectionFieldValue   Sets the value of a particular field for an existing connection.

Activities

The activities in the following table are used to access connections in a runbook or DSC configuration.

Activity                     Description
Get-AutomationConnection     Gets a connection to use. Returns a hash table with the properties of the connection.

Note

Avoid using variables with the -Name parameter of Get-AutomationConnection, since this complicates discovering dependencies between runbooks or DSC configurations and connection assets at design time.

Python2 functions

The function in the following table is used to access connections in a Python2 runbook.

Function                                      Description
automationassets.get_automation_connection    Retrieves a connection. Returns a dictionary with the properties of the connection.

Note

You must import the "automationassets" module at the top of your Python runbook in order to access the asset functions.

Creating a new connection

To create a new connection with the Azure portal

  1. From your Automation account, click the Assets part to open the Assets blade.
  2. Click the Connections part to open the Connections blade.
  3. Click Add a connection at the top of the blade.
  4. In the Type dropdown, select the type of connection you want to create. The form presents the properties for that particular type.
  5. Complete the form and click Create to save the new connection.

To create a new connection with Windows PowerShell

Create a new connection with Windows PowerShell using the New-AzureRmAutomationConnection cmdlet. This cmdlet has a parameter named ConnectionFieldValues that expects a hash table defining a value for each of the properties defined by the connection type.

If you are familiar with using the Automation Run As account to authenticate runbooks with a service principal, the PowerShell script that is provided as an alternative to creating the Run As account from the portal creates the connection asset with commands like the following:

$ConnectionAssetName = "AzureRunAsConnection"
$ConnectionFieldValues = @{"ApplicationId" = $Application.ApplicationId; "TenantId" = $TenantID.TenantId; "CertificateThumbprint" = $Cert.Thumbprint; "SubscriptionId" = $SubscriptionId}
New-AzureRmAutomationConnection -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccountName -Name $ConnectionAssetName -ConnectionTypeName AzureServicePrincipal -ConnectionFieldValues $ConnectionFieldValues

The script is able to create this connection asset because, when you create your Automation account, the account automatically includes several global modules by default along with the connection type AzureServicePrincipal, which is what the AzureRunAsConnection connection asset is built on. This is important to keep in mind: if you attempt to create a new connection asset to connect to a service or application with a different authentication method, it will fail, because that connection type is not already defined in your Automation account.

Using a connection in a runbook or DSC configuration

You retrieve a connection in a runbook or DSC configuration with the Get-AutomationConnection activity. You cannot use the Get-AzureRmAutomationConnection cmdlet for this. Get-AutomationConnection retrieves the values of the different fields in the connection and returns them as a hash table, which can then be used with the appropriate commands in the runbook or DSC configuration.

Textual runbook sample

The following sample commands show how to use the Run As account mentioned earlier to authenticate with Azure Resource Manager resources in your runbook. It uses the connection asset representing the Run As account, which references the certificate-based service principal rather than credentials.

$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint -EnvironmentName "AzureChinaCloud"

Important

Add-AzureRmAccount is now an alias for Connect-AzureRmAccount. When searching your library items, if you do not see Connect-AzureRmAccount, you can use Add-AzureRmAccount, or you can update the modules in your Automation account.

Graphical runbook samples

You add a Get-AutomationConnection activity to a graphical runbook by right-clicking the connection in the Library pane of the graphical editor and selecting Add to canvas.

[Image: Add to canvas]

The following image shows an example of using a connection in a graphical runbook. It is the same example shown above for authenticating with the Run As account in a textual runbook. This example uses the Constant value data set for the Get RunAs Connection activity, which uses a connection object for authentication. A pipeline link is used here because the ServicePrincipalCertificate parameter set expects a single object.

[Image: Get connection]

Python2 runbook sample

The following sample shows how to authenticate using the Run As connection in a Python2 runbook.

""" Tutorial to show how to authenticate against Azure resource manager resources """
import azure.mgmt.resource
import automationassets

def get_automation_runas_credential(runas_connection):
    """ Returns credentials to authenticate against Azure Resource Manager """
    from OpenSSL import crypto
    from msrestazure import azure_active_directory
    import adal

    # Get the Azure Automation Run As service principal certificate (a PKCS#12 blob)
    cert = automationassets.get_automation_certificate("AzureRunAsCertificate")
    pkcs12_cert = crypto.load_pkcs12(cert)
    # Extract the private key as PEM; adal uses it to sign the client assertion
    pem_pkey = crypto.dump_privatekey(
        crypto.FILETYPE_PEM, pkcs12_cert.get_privatekey())

    # Get Run As connection information for the Azure Automation service principal
    application_id = runas_connection["ApplicationId"]
    thumbprint = runas_connection["CertificateThumbprint"]
    tenant_id = runas_connection["TenantId"]

    # Authenticate with service principal certificate
    resource = "https://management.core.chinacloudapi.cn/"
    authority_url = ("https://login.partner.microsoftonline.cn/" + tenant_id)
    context = adal.AuthenticationContext(authority_url)
    return azure_active_directory.AdalAuthentication(
        lambda: context.acquire_token_with_client_certificate(
            resource,
            application_id,
            pem_pkey,
            thumbprint)
    )


# Authenticate to Azure using the Azure Automation Run As service principal
runas_connection = automationassets.get_automation_connection(
    "AzureRunAsConnection")
azure_credential = get_automation_runas_credential(runas_connection)
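
As an added example that is not part of the original sample, the following Python checks the fields of the dictionary returned for an AzureServicePrincipal connection before the runbook hands them to the token request, so that a missing or malformed field fails the job early instead of surfacing as an opaque authentication error. It assumes the field names used in the New-AzureRmAutomationConnection command above (ApplicationId, TenantId, SubscriptionId, CertificateThumbprint); the connection values are constructed, and the automationassets module is not needed to run it.

```python
# Added example (not part of the original sample): check an AzureServicePrincipal
# connection dictionary before it is handed to the token request. The keys mirror
# the fields used in the New-AzureRmAutomationConnection command above.
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
THUMBPRINT_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)  # SHA-1, 40 hex digits

# Connection field -> the format its value must have.
REQUIRED_FIELDS = {
    "ApplicationId": GUID_RE,
    "TenantId": GUID_RE,
    "SubscriptionId": GUID_RE,
    "CertificateThumbprint": THUMBPRINT_RE,
}


def connection_problems(runas_connection):
    """Return a list of problems with the connection; empty when it is usable."""
    problems = []
    for field, pattern in REQUIRED_FIELDS.items():
        value = runas_connection.get(field)
        if value is None or str(value).strip() == "":
            problems.append("%s is missing" % field)
        elif not pattern.match(str(value).strip()):
            # Do not echo the value: keep identifiers out of the job output
            problems.append("%s has an unexpected format" % field)
    return problems


def validate_runas_connection(runas_connection):
    """Return normalized connection fields, or raise ValueError before any token
    request so a misconfigured asset does not surface as an opaque auth error."""
    problems = connection_problems(runas_connection)
    if problems:
        raise ValueError("invalid connection asset: " + "; ".join(problems))
    normalized = {}
    for field in REQUIRED_FIELDS:
        value = str(runas_connection[field]).strip()
        # GUIDs compare case-insensitively; thumbprints are conventionally upper-case
        normalized[field] = value.upper() if field == "CertificateThumbprint" else value.lower()
    return normalized


# Constructed sample standing in for automationassets.get_automation_connection(...)
SAMPLE_CONNECTION = {
    "ApplicationId": "11111111-2222-3333-4444-555555555555",
    "TenantId": "66666666-7777-8888-9999-000000000000",
    "SubscriptionId": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "CertificateThumbprint": " 0123456789abcdef0123456789abcdef01234567 ",
}
```

In a runbook, call validate_runas_connection on the dictionary returned by automationassets.get_automation_connection and pass the normalized fields to get_automation_runas_credential.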

Next steps