Manage connections in Azure Automation

An Azure Automation connection asset contains the information listed below. This information is required for connection to an external service or application from a runbook or DSC configuration.

  • Information needed for authentication, such as user name and password
  • Connection information, such as URL or port

The connection asset keeps together all properties for connecting to a particular application, making it unnecessary to create multiple variables. You can edit the values for a connection in one place, and you can pass the name of a connection to a runbook or DSC configuration in a single parameter. The runbook or configuration accesses the properties for a connection using the internal Get-AutomationConnection cmdlet.

When you create a connection, you must specify a connection type. The connection type is a template that defines a set of properties. You can add a connection type to Azure Automation using an integration module with a metadata file. It's also possible to create a connection type using the Azure Automation API if the integration module includes a connection type and is imported into your Automation account.

Note

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each Automation account. Azure Automation stores the key in the system-managed Key Vault. Before storing a secure asset, Automation loads the key from Key Vault and then uses it to encrypt the asset.

Connection types

Azure Automation makes the following built-in connection types available:

  • Azure - Represents a connection used to manage classic resources.
  • AzureServicePrincipal - Represents a connection used by the Azure Run As account.
  • AzureClassicCertificate - Represents a connection used by the classic Azure Run As account.

In most cases, you don't need to create a connection resource because it is created when you create a Run As account.

PowerShell cmdlets to access connections

The cmdlets in the following table create and manage Automation connections with PowerShell. They ship as part of the Az modules.

Cmdlet | Description
Get-AzAutomationConnection | Retrieves information about a connection.
New-AzAutomationConnection | Creates a new connection.
Remove-AzAutomationConnection | Removes an existing connection.
Set-AzAutomationConnectionFieldValue | Sets the value of a particular field for an existing connection.

Internal cmdlets to access connections

The internal cmdlet in the following table is used to access connections in your runbooks and DSC configurations. This cmdlet comes with the global module Orchestrator.AssetManagement.Cmdlets. For more information, see Internal cmdlets.

Internal Cmdlet | Description
Get-AutomationConnection | Retrieves the values of the different fields in the connection and returns them as a hashtable. You can then use this hashtable with the appropriate commands in the runbook or DSC configuration.

Note

Avoid using variables with the Name parameter of Get-AutomationConnection. Use of variables in this case can complicate discovery of dependencies between runbooks or DSC configurations and connection assets at design time.
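
A review-time check for the note above, as an added example that is not part of the original page or of Azure Automation: it scans runbook source and separates Get-AutomationConnection calls whose -Name is a literal (a dependency you can list) from calls that pass a variable. The sample runbook, the regular expression and the function name are constructed for illustration.

```python
import re

# Constructed runbook source used as sample input.
SAMPLE_RUNBOOK = r'''
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
# $Old = Get-AutomationConnection -Name $Legacy
$Svc  = Get-AutomationConnection -Name "MyModuleConnection"
$Dyn  = Get-AutomationConnection -Name $ConnectionName
$Env  = Get-AutomationConnection -Name "conn-$Stage"
'''.strip()

# Matches the -Name argument as a double-quoted, single-quoted or bare token.
CALL = re.compile(
    r"""Get-AutomationConnection\s+-Name\s+
        (?: "(?P<dq>[^"]*)" | '(?P<sq>[^']*)' | (?P<bare>[^\s;|)]+) )""",
    re.IGNORECASE | re.VERBOSE,
)


def connection_dependencies(source):
    """Split Get-AutomationConnection calls into literal and dynamic names.

    Returns (literals, dynamic): literals maps asset name -> line numbers;
    dynamic lists (line number, argument) pairs that need manual review.
    """
    literals, dynamic = {}, []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]  # crude comment strip, enough for a lint
        for m in CALL.finditer(code):
            if m.group("sq") is not None:
                # PowerShell does not expand variables inside '...'
                literals.setdefault(m.group("sq"), []).append(lineno)
                continue
            arg = m.group("dq") if m.group("dq") is not None else m.group("bare")
            if "$" in arg:
                dynamic.append((lineno, arg))
            else:
                literals.setdefault(arg, []).append(lineno)
    return literals, dynamic


if __name__ == "__main__":
    names, unresolved = connection_dependencies(SAMPLE_RUNBOOK)
    print("literal connection assets:", names)
    print("needs manual review:", unresolved)
```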

Python functions to access connections

The function in the following table is used to access connections in a Python 2 and 3 runbook. Python 3 runbooks are currently in preview.

Function | Description
automationassets.get_automation_connection | Retrieves a connection. Returns a dictionary with the properties of the connection.

Note

You must import the automationassets module at the top of your Python runbook to access the asset functions.

Create a new connection

Create a new connection with the Azure portal

To create a new connection in the Azure portal:

  1. From your Automation account, click Connections under Shared Resources.
  2. Click + Add a connection on the Connections page.
  3. In the Type field on the New Connection pane, select the type of connection to create. Your choices are Azure, AzureServicePrincipal, and AzureClassicCertificate.
  4. The form presents properties for the connection type that you've chosen. Complete the form and click Create to save the new connection.

Create a new connection with Windows PowerShell

Create a new connection with Windows PowerShell using the New-AzAutomationConnection cmdlet. This cmdlet has a ConnectionFieldValues parameter that expects a hashtable defining values for each of the properties defined by the connection type.

You can use the following example commands as an alternative to creating the Run As account from the portal to create a new connection asset.

$ConnectionAssetName = "AzureRunAsConnection"
$ConnectionFieldValues = @{"ApplicationId" = $Application.ApplicationId; "TenantId" = $TenantID.TenantId; "CertificateThumbprint" = $Cert.Thumbprint; "SubscriptionId" = $SubscriptionId}
New-AzAutomationConnection -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccountName -Name $ConnectionAssetName -ConnectionTypeName AzureServicePrincipal -ConnectionFieldValues $ConnectionFieldValues

When you create your Automation account, it includes several global modules by default, along with the connection type AzureServicePrincipal to create the AzureRunAsConnection connection asset. If you try to create a new connection asset to connect to a service or application with a different authentication method, the operation fails because the connection type is not already defined in your Automation account. For more information on creating your own connection type for a custom module, see Add a connection type.

Add a connection type

If your runbook or DSC configuration connects to an external service, you must define a connection type in a custom module called an integration module. This module includes a metadata file that specifies connection type properties and is named <ModuleName>-Automation.json, located in the module folder of your compressed .zip file. This file contains the fields of a connection that are required to connect to the system or service that the module represents. Using this file, you can set the field names, data types, encryption status, and optional status for the connection type.

The following example is a template in the .json file format that defines user name and password properties for a custom connection type called MyModuleConnection:

{
   "ConnectionFields": [
   {
      "IsEncrypted":  false,
      "IsOptional":  true,
      "Name":  "Username",
      "TypeName":  "System.String"
   },
   {
      "IsEncrypted":  true,
      "IsOptional":  false,
      "Name":  "Password",
      "TypeName":  "System.String"
   }
   ],
   "ConnectionTypeName":  "MyModuleConnection",
   "IntegrationModuleName":  "MyModule"
}
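
A pre-import check for the metadata file described above, as an added example that is not part of the original page or of the Azure Automation tooling: it verifies that a file has the shape of the template and flags fields whose names suggest a secret but are not marked IsEncrypted. The name heuristic, the ApiKey field in the sample and the function name are assumptions made for illustration.

```python
import json
import re

# Constructed sample: the page's template plus one deliberate mistake
# (an ApiKey field left unencrypted) so the check has something to report.
SAMPLE = """
{
   "ConnectionFields": [
      {"IsEncrypted": false, "IsOptional": true,  "Name": "Username", "TypeName": "System.String"},
      {"IsEncrypted": true,  "IsOptional": false, "Name": "Password", "TypeName": "System.String"},
      {"IsEncrypted": false, "IsOptional": false, "Name": "ApiKey",   "TypeName": "System.String"}
   ],
   "ConnectionTypeName": "MyModuleConnection",
   "IntegrationModuleName": "MyModule"
}
"""

FIELD_KEYS = {"IsEncrypted", "IsOptional", "Name", "TypeName"}  # keys the template uses
# Assumption: field names matching these words hold secrets. Tune for your modules.
SECRET_HINT = re.compile(r"pass(word|phrase)?|secret|key|token", re.IGNORECASE)


def audit_connection_type(text, file_name=None):
    """Return a list of findings for a <ModuleName>-Automation.json document."""
    meta = json.loads(text)
    findings = []
    for top in ("ConnectionFields", "ConnectionTypeName", "IntegrationModuleName"):
        if top not in meta:
            findings.append(f"missing top-level key {top}")
    module = meta.get("IntegrationModuleName")
    if file_name and module and file_name != f"{module}-Automation.json":
        findings.append(f"file name {file_name} does not match {module}-Automation.json")
    for field in meta.get("ConnectionFields", []):
        name = field.get("Name", "<unnamed>")
        missing = FIELD_KEYS - field.keys()
        if missing:
            findings.append(f"{name}: missing {sorted(missing)}")
        for flag in ("IsEncrypted", "IsOptional"):
            if flag in field and not isinstance(field[flag], bool):
                findings.append(f"{name}: {flag} must be a JSON boolean")
        if SECRET_HINT.search(name) and field.get("IsEncrypted") is not True:
            findings.append(f"{name}: looks like a secret but IsEncrypted is not true")
    return findings


if __name__ == "__main__":
    for finding in audit_connection_type(SAMPLE, "MyModule-Automation.json"):
        print(finding)
```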

Get a connection in a runbook or DSC configuration

Retrieve a connection in a runbook or DSC configuration with the internal Get-AutomationConnection cmdlet. This cmdlet is preferred over the Get-AzAutomationConnection cmdlet, as it retrieves the connection values instead of information about the connection.

The following example shows how to use the Run As account to authenticate with Azure Resource Manager resources in your runbook. It uses a connection asset representing the Run As account, which references the certificate-based service principal.

$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint -Environment "AzureChinaCloud" 

Graphical runbook examples

You can add an activity for the internal Get-AutomationConnection cmdlet to a graphical runbook. Right-click the connection in the Library pane of the graphical editor and select Add to canvas.

[Image: Add to canvas]

The following image shows an example of using a connection object in a graphical runbook. This example uses the Constant value data set for the Get RunAs Connection activity, which uses a connection object for authentication. A pipeline link is used here since the ServicePrincipalCertificate parameter set is expecting a single object.

[Image: Get connection]
