Introduction to authentication in Azure Automation

Azure Automation allows you to automate tasks against resources in Azure, on-premises, and with other cloud providers such as Amazon Web Services (AWS). For a runbook to perform its required actions, it must have permission to access those resources securely, with the minimal rights required within the subscription.

This article covers the authentication scenarios supported by Azure Automation and shows how to get started based on the environment or environments you need to manage.

Automation Account overview

When you start Azure Automation for the first time, you must create at least one Automation account. Automation accounts let you isolate your Automation resources (runbooks, assets, configurations) from the resources contained in other Automation accounts, so you can use them to separate resources into distinct logical environments. For example, you might use one account for development, another for production, and another for your on-premises environment. An Azure Automation account is different from your Azure account or from accounts created in your Azure subscription.

The Automation resources for each Automation account are associated with a single Azure region, but an Automation account can manage all the resources in your subscription. The main reason to create Automation accounts in different regions is a policy that requires data and resources to be isolated to a specific region.

All of the tasks that you perform against resources using Azure Resource Manager and the Azure cmdlets in Azure Automation must authenticate to Azure using Azure Active Directory organizational identity credential-based authentication. Certificate-based authentication was the original authentication method with Azure classic, but it was complicated to set up. Authenticating to Azure with an Azure AD user was introduced in 2014; it not only simplified the process of configuring an authentication account, but also supported non-interactive authentication to Azure with a single user account that worked with both Azure Resource Manager and classic resources.

Currently, when you create a new Automation account in the Azure portal, it automatically creates:

  • A Run As account, which creates a new service principal in Azure Active Directory and a certificate, and assigns the Contributor role through role-based access control (RBAC). This account is used to manage Resource Manager resources from runbooks.
  • A Classic Run As account, created by uploading a management certificate. This account is used to manage Azure classic resources from runbooks.
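As an added example (not from the article), the following runbook fragment shows how a runbook consumes the Run As account described above: it reads the service principal details from the connection asset, signs in with the certificate rather than a password, pins the session to the account's own subscription, and reads back the role assignment so the Contributor default can be reviewed against the minimal-rights requirement. It assumes the default connection asset name `AzureRunAsConnection` and the AzureRM cmdlets being available in the Automation account.

```powershell
# Added example, not the article's own code. Assumes the Run As account created the
# default connection asset "AzureRunAsConnection" and that the AzureRM modules are loaded.
$connectionName = "AzureRunAsConnection"

try {
    # The connection asset stores the service principal identity the portal generated:
    # ApplicationId, TenantId, CertificateThumbprint and SubscriptionId.
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    # Certificate-based service principal sign-in. No password is stored in the runbook;
    # the private key lives in the certificate asset of the Automation account.
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null

    # Pin the session to the subscription the Run As account belongs to, so the runbook
    # never acts on another subscription the principal might also have been granted.
    Select-AzureRmSubscription -SubscriptionId $servicePrincipalConnection.SubscriptionId | Out-Null
}
catch {
    if (-not $servicePrincipalConnection) {
        # Typical cause: the Automation account was created without a Run As account.
        throw "Connection asset '$connectionName' not found. Create the Run As account or pass another asset name."
    }
    throw
}

# The portal grants Contributor by default. List what the principal actually holds so the
# assignment can be reviewed (and scoped down) against the minimal-rights rule.
Get-AzureRmRoleAssignment -ServicePrincipalName $servicePrincipalConnection.ApplicationId |
    Select-Object RoleDefinitionName, Scope
```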

Role-based access control is available with Azure Resource Manager to grant permitted actions to an Azure AD user account and to a Run As account, and to authenticate that service principal. Read the Role-based access control in Azure Automation article for further information to help develop your model for managing Automation permissions.

Runbooks running on a Hybrid Runbook Worker in your datacenter, or against computing services in AWS, cannot use the method typically used by runbooks authenticating to Azure resources. Because those resources run outside of Azure, such runbooks require their own security credentials, defined in Automation, to authenticate to the resources they access locally.

Authentication methods

The following table summarizes the authentication methods for each environment supported by Azure Automation, together with the article describing how to set up that authentication for your runbooks.

Method | Environment | Article
------ | ----------- | -------
Azure AD User Account | Azure Resource Manager and Azure classic | Authenticate Runbooks with Azure AD User account
Azure Run As Account | Azure Resource Manager | Authenticate Runbooks with Azure Run As account
Azure Classic Run As Account | Azure classic | Authenticate Runbooks with Azure Run As account