Automation account authentication overview

Azure Automation allows you to automate tasks against resources in Azure, on-premises, and with other cloud providers such as Amazon Web Services (AWS). You can use runbooks to automate your tasks, or a Hybrid Runbook Worker if you have business or operational processes to manage outside of Azure. Working in any of these environments requires permissions, and those permissions should be the minimum the task needs so that resources are accessed securely.

This article covers the authentication scenarios supported by Azure Automation and explains how to get started based on the environment or environments that you need to manage.

Automation account

When you start Azure Automation for the first time, you must create at least one Automation account. Automation accounts allow you to isolate your Automation resources, runbooks, assets, and configurations from the resources of other accounts. You can use Automation accounts to separate resources into distinct logical environments or delegated responsibilities. For example, you might use one account for development, another for production, and another for your on-premises environment. Or you might dedicate an Automation account to managing operating system updates across all of your machines with Update Management.

An Azure Automation account is different from your Azure account or accounts created in your Azure subscription. For an introduction to creating an Automation account, see Create an Automation account.

Automation resources

The Automation resources for each Automation account are associated with a single Azure region, but the account can manage all the resources in your Azure subscription. The main reason to create Automation accounts in different regions is a policy that requires data and resources to be isolated to a specific region.

All tasks that you create against resources using Azure Resource Manager and the PowerShell cmdlets in Azure Automation must authenticate to Azure with an Azure Active Directory (Azure AD) organizational identity (credential-based authentication).

Run As accounts

Run As accounts in Azure Automation provide authentication for managing Azure Resource Manager resources or resources deployed on the classic deployment model. There are two types of Run As accounts in Azure Automation:

  • Azure Run As account: Allows you to manage Azure resources based on the Azure Resource Manager deployment and management service for Azure.
  • Azure Classic Run As account: Allows you to manage Azure classic resources based on the Classic deployment model.

To learn more about the Azure Resource Manager and Classic deployment models, see Resource Manager and classic deployment.

When you create an Automation account, the Run As account is created by default at the same time. If you chose not to create it along with the Automation account, you can create it separately later. An Azure Classic Run As account is optional and is created separately if you need to manage classic resources.

Run As account

When you create a Run As account, the following tasks are performed:

  • Creates an Azure AD application with a self-signed certificate, creates a service principal for the application in Azure AD, and assigns the Contributor role to that service principal on your current subscription. You can change the role assignment to Reader or any other role; Contributor on the whole subscription is broader than most runbooks need. For more information, see Role-based access control in Azure Automation.

  • Creates an Automation certificate asset named AzureRunAsCertificate in the specified Automation account. The certificate asset holds the private key of the certificate that the Azure AD application uses, so any runbook in the account can authenticate as that application.

  • Creates an Automation connection asset named AzureRunAsConnection in the specified Automation account. The connection asset holds the application ID, tenant ID, subscription ID, and certificate thumbprint.
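The following runbook fragment is an added example, not code from the original page, showing how a PowerShell runbook consumes the two assets just described: it reads AzureRunAsConnection, signs in as the service principal using the certificate that the sandbox installs from AzureRunAsCertificate, pins the context to the subscription recorded in the asset, and lists the role assignments the principal actually holds so you can spot an over-broad Contributor grant. It assumes the Az.Accounts and Az.Resources modules have been imported into the Automation account.

```powershell
# Added example: authenticate a runbook with the Run As connection asset.
# Get-AutomationConnection is the runbook-only activity that reads a connection asset;
# Connect-AzAccount / Set-AzContext / Get-AzRoleAssignment come from the Az modules,
# which must be imported into the Automation account (assumption).
$ErrorActionPreference = 'Stop'

try {
    # Returns a hashtable with ApplicationId, TenantId, SubscriptionId, CertificateThumbprint.
    $conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
} catch {
    if (-not $conn) {
        throw "Connection asset 'AzureRunAsConnection' not found. Create the Run As account (or the asset) before running this runbook."
    }
    throw
}

# Keep the login in this process only, so the context is not persisted in the sandbox profile
# where another job could pick it up.
Disable-AzContextAutosave -Scope Process | Out-Null

# The private key is never referenced directly: the sandbox has already installed the
# AzureRunAsCertificate asset into the local certificate store, and the thumbprint selects it.
$null = Connect-AzAccount -ServicePrincipal `
    -Tenant $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint

# Pin the context to the subscription recorded in the asset so the runbook cannot act on
# another subscription the principal may have been granted access to later.
$null = Set-AzContext -Subscription $conn.SubscriptionId

$ctx = Get-AzContext
Write-Output ("Authenticated as application {0} in tenant {1}, subscription {2}" -f
    $ctx.Account.Id, $ctx.Tenant.Id, $ctx.Subscription.Id)

# Least-privilege check: what roles does this principal hold, and at which scope?
# Contributor at '/subscriptions/<id>' for a runbook that only touches one resource group
# is the assignment to narrow.
Get-AzRoleAssignment -ServicePrincipalName $conn.ApplicationId |
    Select-Object RoleDefinitionName, Scope
```

Run it as a test job first; the final listing tells you immediately whether the default subscription-wide Contributor assignment is still in place.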

Azure Classic Run As account

When you create an Azure Classic Run As account, the following tasks are performed:

Note

You must be a co-administrator on the subscription to create or renew this type of Run As account.

  • Creates a management certificate in the subscription.

  • Creates an Automation certificate asset named AzureClassicRunAsCertificate in the specified Automation account. The certificate asset holds the private key of the management certificate.

  • Creates an Automation connection asset named AzureClassicRunAsConnection in the specified Automation account. The connection asset holds the subscription name, subscription ID, and certificate asset name.

Service principal for Run As account

The service principal for a Run As account does not have permission to read Azure AD by default. If you want to add permission to read or manage Azure AD, you must grant it to the service principal under API permissions. To learn more, see Add permissions to access your web API.

Run As account permissions

This section defines the permissions for both regular Run As accounts and Classic Run As accounts.

  • To create or update a Run As account, you need both the Application Administrator role in Azure Active Directory and the Owner role on the subscription; a principal holding both can complete all the tasks.
  • To configure or renew Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see Azure classic subscription administrators.

Where you have separation of duties, the following list shows each task, the equivalent cmdlet, the minimum permissions needed, and where you set those permissions:

  • Task: Create Azure AD application
    Cmdlet: New-AzADApplication
    Minimum permissions: Application Developer role (1)
    Where you set the permissions: Azure AD (Home > Azure AD > App registrations)

  • Task: Add a credential to the application
    Cmdlet: New-AzADAppCredential
    Minimum permissions: Application Administrator or Global Administrator (1)
    Where you set the permissions: Azure AD (Home > Azure AD > App registrations)

  • Task: Create and get an Azure AD service principal
    Cmdlets: New-AzADServicePrincipal, Get-AzADServicePrincipal
    Minimum permissions: Application Administrator or Global Administrator (1)
    Where you set the permissions: Azure AD (Home > Azure AD > App registrations)

  • Task: Assign or get the Azure role for the specified principal
    Cmdlets: New-AzRoleAssignment, Get-AzRoleAssignment
    Minimum permissions: User Access Administrator or Owner, or a role that includes these actions:
      Microsoft.Authorization/Operations/read
      Microsoft.Authorization/permissions/read
      Microsoft.Authorization/roleDefinitions/read
      Microsoft.Authorization/roleAssignments/write
      Microsoft.Authorization/roleAssignments/read
      Microsoft.Authorization/roleAssignments/delete
    Where you set the permissions: Subscription (Home > Subscriptions > <subscription name> > Access control (IAM))

  • Task: Create or remove an Automation certificate
    Cmdlets: New-AzAutomationCertificate, Remove-AzAutomationCertificate
    Minimum permissions: Contributor on the resource group
    Where you set the permissions: Automation account resource group

  • Task: Create or remove an Automation connection
    Cmdlets: New-AzAutomationConnection, Remove-AzAutomationConnection
    Minimum permissions: Contributor on the resource group
    Where you set the permissions: Automation account resource group

(1) Non-administrator users in your Azure AD tenant can register AD applications if the tenant's "Users can register applications" option on the User settings page is set to Yes. If that option is set to No, the user performing this action must hold the role listed above.
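The script below is an added example, not code from the original page, that builds a Run As account by hand with the cmdlets in the list above, with each step commented with the role that owns it so the work can be split across people. The subscription ID, resource group, Automation account name, application name and file paths are assumed placeholder values; it also assumes a recent Az.Resources (Microsoft Graph based, where the application object exposes AppId) and a Windows host for New-SelfSignedCertificate, and that you are already signed in with Connect-AzAccount. It deliberately scopes the role assignment to the resource group rather than the subscription.

```powershell
# Added example: create the Run As account components step by step.
# Assumed values; replace with your own.
$ErrorActionPreference = 'Stop'
$SubscriptionId    = '00000000-0000-0000-0000-000000000000'   # assumed
$ResourceGroupName = 'rg-automation-prod'                     # assumed
$AutomationAccount = 'aa-prod'                                # assumed
$AppName           = "$AutomationAccount-runas"               # assumed
$CertMonths        = 12
$PfxPath           = Join-Path $env:TEMP "$AppName.pfx"
$PfxPassword       = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 0 (local admin on this workstation): self-signed certificate. The private key lives
# in the machine store and in the PFX; both copies are removed at the end.
$cert = New-SelfSignedCertificate -DnsName $AppName -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddMonths($CertMonths) -HashAlgorithm SHA256
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword -Force | Out-Null
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())   # public certificate only

# Step 1 (Application Developer): register the application.
# Older Az.Resources versions also required -IdentifierUris; Graph-based versions do not.
$app = New-AzADApplication -DisplayName $AppName

# Step 2 (Application Administrator): attach the public certificate as the credential and
# create the service principal. No client secret is ever created.
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Step 3 (User Access Administrator or Owner on the scope): grant the role at resource-group
# scope. The portal-created account grants Contributor on the whole subscription instead.
$scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"
$assigned = $false
for ($i = 0; $i -lt 6 -and -not $assigned; $i++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 10   # a new service principal takes a moment to replicate
    }
}
if (-not $assigned) { throw "Role assignment for $($sp.Id) failed after retries." }

# Step 4 (Contributor on the Automation account's resource group): upload the private key as a
# non-exportable certificate asset and record the identifiers in the connection asset.
New-AzAutomationCertificate -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount `
    -Name 'AzureRunAsCertificate' -Path $PfxPath -Password $PfxPassword -Exportable:$false | Out-Null
$tenantId = (Get-AzContext).Tenant.Id
New-AzAutomationConnection -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount `
    -Name 'AzureRunAsConnection' -ConnectionTypeName 'AzureServicePrincipal' `
    -ConnectionFieldValues @{
        ApplicationId         = $app.AppId
        TenantId              = $tenantId
        CertificateThumbprint = $cert.Thumbprint
        SubscriptionId        = $SubscriptionId
    } | Out-Null

# Clean up the only private-key copies outside Automation.
Remove-Item $PfxPath -Force
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey
Write-Output "Run As assets created for $AppName (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
```

Each step fails fast under $ErrorActionPreference = 'Stop', so when a step is run by a different person the earlier outputs (AppId, service principal object ID, thumbprint) are the only values that need to be handed over; the private key never does.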

If you aren't a member of the subscription's Active Directory instance before you're added to the Global Administrator role of the subscription, you're added as a guest. In this situation, you receive a "You do not have permissions to create..." warning on the Add Automation Account page.

To verify that the situation producing the error message has been remedied:

  1. From the Azure Active Directory pane in the Azure portal, select Users and groups.
  2. Select All users.
  3. Choose your name, then select Profile.
  4. Ensure that the value of the User type attribute under your user's profile is not set to Guest.

Role-based access control

Role-based access control is available with Azure Resource Manager to grant permitted actions to an Azure AD user account or to the service principal behind a Run As account. Read the Role-based access control in Azure Automation article for further information to help develop your model for managing Automation permissions.

If you have strict security controls for permission assignment in resource groups, assign the Run As account's service principal the Contributor role on the resource group instead of at subscription scope.

Runbook authentication with Hybrid Runbook Worker

Runbooks running on a Hybrid Runbook Worker in your datacenter, or against computing services in other cloud environments like AWS, cannot use the method typically used for runbooks authenticating to Azure resources. Those resources run outside of Azure, so they require their own security credentials, defined in Automation as assets, to authenticate to the resources they access locally. For more information about runbook authentication with runbook workers, see Run runbooks on a Hybrid Runbook Worker.

For runbooks that use Hybrid Runbook Workers on Azure VMs, you can authenticate to your Azure resources with the VM's managed identity instead of a Run As account.
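The following is an added example, not code from the original page, of a runbook on a Hybrid Runbook Worker hosted on an Azure VM that authenticates with the VM's managed identity. It first asks the Instance Metadata Service (IMDS) for a token directly, which is how the identity actually reaches the VM, so a worker that is not an Azure VM or has no identity assigned fails with a clear message instead of a generic login error; it then signs in with Connect-AzAccount -Identity. It assumes a system-assigned identity is enabled on the VM with a role assignment on the target scope, and that the Az modules are installed on the worker.

```powershell
# Added example: managed-identity authentication on a Hybrid Runbook Worker (Azure VM).
$ErrorActionPreference = 'Stop'

# 1. Prove the worker has a managed identity. IMDS answers only on the link-local address,
#    the Metadata header is mandatory, and the request must not go through a proxy.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token' +
        '?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
try {
    $tokenResponse = Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' } -TimeoutSec 5
} catch {
    throw 'No managed identity token from IMDS: this worker is not an Azure VM, or no identity is ' +
          'assigned. Use the Run As connection or a credential asset instead.'
}

# 2. Decode the token payload to see which principal it names. No signature check is done
#    here; the token is only inspected, not trusted for any decision.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
Write-Output "IMDS issued a token for object ID $($claims.oid) in tenant $($claims.tid)"

# 3. Sign in with the same identity through Az.Accounts, keeping the context in this process
#    so it is not written to a profile shared with other jobs on the worker.
Disable-AzContextAutosave -Scope Process | Out-Null
$null = Connect-AzAccount -Identity

# 4. Confirm the identity holds only the roles you expect at the scopes you expect.
Get-AzRoleAssignment -ObjectId $claims.oid | Select-Object RoleDefinitionName, Scope
```

Because nothing in this runbook reads a certificate or connection asset, there is no private key to rotate or protect: the credential is bound to the VM, and revoking access is a role-assignment change rather than a certificate renewal.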

Next steps