Automation account authentication overview

Azure Automation allows you to automate tasks against resources in Azure, on-premises, and with other cloud providers such as Amazon Web Services (AWS). You can use runbooks to automate your tasks, or a Hybrid Runbook Worker if you have business or operational processes to manage outside of Azure. Working in any one of these environments requires permissions to securely access the resources with the minimal rights required.

This article covers the authentication scenarios supported by Azure Automation and tells how to get started based on the environment or environments that you need to manage.

Automation account

When you start Azure Automation for the first time, you must create at least one Automation account. Automation accounts allow you to isolate your Automation resources (runbooks, assets, and configurations) from the resources of other accounts. You can use Automation accounts to separate resources into separate logical environments. For example, you might use one account for development, another for production, and another for your on-premises environment. An Azure Automation account is different from your Microsoft account or accounts created in your Azure subscription. For an introduction to creating an Automation account, see Create an Automation account.

Automation resources

The Automation resources for each Automation account are associated with a single Azure region, but the account can manage all the resources in your Azure subscription. The main reason to create Automation accounts in different regions is if you have policies that require data and resources to be isolated to a specific region.

All tasks that you create against resources using Azure Resource Manager and the PowerShell cmdlets in Azure Automation must authenticate to Azure using Azure Active Directory (Azure AD) organizational identity credential-based authentication.

Run As accounts

Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. There are two types of Run As accounts in Azure Automation:

  • Azure Run As account
  • Azure Classic Run As account

To learn more about these two deployment models, see Resource Manager and classic deployment.

Run As account

The Azure Run As account manages Azure resources based on the Azure Resource Manager deployment and management service for Azure.

When you create a Run As account, it performs the following tasks:

  • Creates an Azure AD application with a self-signed certificate, creates a service principal account for the application in Azure AD, and assigns the Contributor role for the account in your current subscription. You can change the certificate setting to Owner or any other role. For more information, see Role-based access control in Azure Automation.

  • Creates an Automation certificate asset named AzureRunAsCertificate in the specified Automation account. The certificate asset holds the certificate private key that the Azure AD application uses.

  • Creates an Automation connection asset named AzureRunAsConnection in the specified Automation account. The connection asset holds the application ID, tenant ID, subscription ID, and certificate thumbprint.

Azure Classic Run As account

The Azure Classic Run As account manages Azure classic resources based on the classic deployment model. You must be a co-administrator on the subscription to create or renew this type of Run As account.

When you create an Azure Classic Run As account, it performs the following tasks:

  • Creates a management certificate in the subscription.

  • Creates an Automation certificate asset named AzureClassicRunAsCertificate in the specified Automation account. The certificate asset holds the private key used by the management certificate.

  • Creates an Automation connection asset named AzureClassicRunAsConnection in the specified Automation account. The connection asset holds the subscription name, subscription ID, and certificate asset name.

Note

The Azure Classic Run As account is not created by default at the same time as the Automation account. This account is created separately by following the steps described in the Manage Run As account article.

Service principal for Run As account

The service principal for a Run As account does not have permissions to read Azure AD by default. If you want to add permissions to read or manage Azure AD, you must grant the permissions on the service principal under API permissions. To learn more, see Add permissions to access your web API.

Role-based access control

Role-based access control is available with Azure Resource Manager to grant permitted actions to an Azure AD user account and Run As account, and to authenticate the service principal. Read the Role-based access control in Azure Automation article for further information to help develop your model for managing Automation permissions.

Runbook authentication with Hybrid Runbook Worker

Runbooks running on a Hybrid Runbook Worker in your datacenter, or against computing services in other cloud environments such as AWS, cannot use the same method that is typically used for runbooks authenticating to Azure resources. This is because those resources run outside of Azure and therefore require their own security credentials, defined in Automation, to authenticate to the resources they access locally. For more information about runbook authentication with runbook workers, see Run runbooks on a Hybrid Runbook Worker.

For runbooks that use Hybrid Runbook Workers on Azure VMs, you can use runbook authentication with managed identities instead of Run As accounts to authenticate to your Azure resources.
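The following Az PowerShell runbook helper is an added example, not code from the Azure documentation: it authenticates with the Automation account's managed identity when one is available (the preferred option above) and otherwise falls back to the AzureRunAsConnection and AzureRunAsCertificate assets created by the Run As account, verifying that the thumbprint stored in the connection matches the certificate asset and warning before the self-signed certificate expires. Only the asset names and the connection fields come from the page; the function name, parameters and the expiry threshold are assumptions.

```powershell
# Added example (not from the Azure documentation page). Assumes the Az.Accounts
# module and the Azure Automation internal cmdlets are available on the worker.
function Connect-AutomationAzure {
    [CmdletBinding()]
    param(
        # Asset names created by the Run As account, as described on the page.
        [string] $ConnectionName  = 'AzureRunAsConnection',
        [string] $CertificateName = 'AzureRunAsCertificate',
        # Warn when the Run As certificate is within this many days of expiring (assumed threshold).
        [int]    $ExpiryWarningDays = 30
    )

    # Do not let Connect-AzAccount reuse a context cached on the worker from an earlier job.
    Disable-AzContextAutosave -Scope Process | Out-Null

    try {
        # Preferred path: the account's managed identity; no secret or private key is stored in Automation.
        $ctx = (Connect-AzAccount -Identity -ErrorAction Stop).Context
        Write-Output "Authenticated with managed identity as $($ctx.Account.Id)"
        return $ctx
    }
    catch {
        Write-Warning "Managed identity unavailable ($($_.Exception.Message)); falling back to $ConnectionName"
    }

    # Fallback: the connection asset holds ApplicationId, TenantId, SubscriptionId and CertificateThumbprint.
    $conn = Get-AutomationConnection -Name $ConnectionName
    # The certificate asset holds the private key; Get-AutomationCertificate returns an X509Certificate2.
    $cert = Get-AutomationCertificate -Name $CertificateName

    # Integrity check: the thumbprint recorded in the connection must match the certificate actually stored.
    if ($cert.Thumbprint -ne $conn.CertificateThumbprint) {
        throw "Thumbprint in $ConnectionName does not match certificate asset $CertificateName"
    }
    # Operational check: the self-signed Run As certificate has a limited lifetime; renew before jobs break.
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    if ($daysLeft -le $ExpiryWarningDays) {
        Write-Warning "Run As certificate expires in $daysLeft day(s); renew the Run As account"
    }

    $ctx = (Connect-AzAccount -ServicePrincipal `
        -TenantId              $conn.TenantId `
        -ApplicationId         $conn.ApplicationId `
        -CertificateThumbprint $conn.CertificateThumbprint `
        -ErrorAction Stop).Context
    Set-AzContext -SubscriptionId $conn.SubscriptionId | Out-Null
    Write-Output "Authenticated with Run As service principal $($conn.ApplicationId)"
    return $ctx
}
```

Call Connect-AutomationAzure at the top of a runbook; the role assignments discussed under Role-based access control determine what the returned context may do.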

Next steps