Manage an Azure Automation Run As account

Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure classic deployment model from Automation runbooks and other Automation features. This article provides guidance on how to manage a Run As or Classic Run As account.

To learn more about Azure Automation account authentication and guidance related to process automation scenarios, see Automation Account authentication overview.

Renew a self-signed certificate

The self-signed certificate created for the Run As account expires one year from its creation date. You must renew the certificate before it expires, and you can do so at any time before the expiration date.

When you renew the self-signed certificate, the current certificate is retained so that runbooks that are queued or actively running, and that authenticate with the Run As account, are not affected. That certificate remains valid until its own expiration date.

Note

If you think the Run As account has been compromised, delete the self-signed certificate and re-create it rather than renewing it. Renewal keeps the previous certificate valid until it expires, so it does not revoke a leaked key; deleting the certificate does.

Note

If you have configured the Run As account to use a certificate issued by your enterprise certificate authority and you use the option to renew the self-signed certificate, the enterprise certificate is replaced by a self-signed certificate.

Use the following steps to renew the self-signed certificate.

  1. Sign in to the Azure portal.

  2. Go to your Automation account and select Run As Accounts in the Account Settings section.

    (Screenshot: Automation account properties pane.)

  3. On the Run As Accounts properties page, select either Run As Account or Classic Run As Account, depending on which account you need to renew the certificate for.

  4. On the Properties page for the selected account, select Renew certificate.

    (Screenshot: Renew certificate for the Run As account.)

  5. While the certificate is being renewed, you can track progress under Notifications in the menu.
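
The portal steps above renew one account at a time, but the one-year expiry is easy to miss across many Automation accounts. The following script is an added example, not code from the original article or from Microsoft: it lists the Run As and Classic Run As certificate assets of every Automation account in the current subscription and flags those expiring within a threshold. It assumes the Az.Accounts and Az.Automation modules, an existing Connect-AzAccount session, and the portal's default asset names (AzureRunAsCertificate, AzureClassicRunAsCertificate); the 30-day warning threshold is an assumption.

```powershell
# Added example (not from the original article): report Run As certificate expiry
# for every Automation account in the current subscription so renewal can be
# scheduled before the self-signed certificate lapses.
# Assumes Az.Accounts and Az.Automation, and that Connect-AzAccount has been run.
param(
    [int]$WarnDays = 30   # warning threshold (assumption)
)

# Asset names the portal uses when it creates Run As / Classic Run As accounts.
$certNames = @('AzureRunAsCertificate', 'AzureClassicRunAsCertificate')
$now = [DateTimeOffset]::UtcNow

$report = foreach ($account in Get-AzAutomationAccount) {
    foreach ($name in $certNames) {
        $cert = Get-AzAutomationCertificate -ResourceGroupName $account.ResourceGroupName `
            -AutomationAccountName $account.AutomationAccountName -Name $name -ErrorAction SilentlyContinue
        if (-not $cert) { continue }   # this account has no such Run As certificate asset

        $daysLeft = [int][math]::Floor((([DateTimeOffset]$cert.ExpiryTime) - $now).TotalDays)
        [pscustomobject]@{
            AutomationAccount = $account.AutomationAccountName
            ResourceGroup     = $account.ResourceGroupName
            Certificate       = $name
            Thumbprint        = $cert.Thumbprint
            ExpiryTime        = $cert.ExpiryTime
            DaysLeft          = $daysLeft
            Status            = if ($daysLeft -lt 0) { 'EXPIRED' }
                                elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                                else { 'OK' }
        }
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or pipeline fail when action is needed.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

Run it from a scheduled job or pipeline; an EXPIRED row means runbooks using that account are already failing to authenticate, and a RENEW SOON row is the point at which to perform the portal steps above.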

Limit Run As account permissions

To control what Automation can target in Azure, you can run the Update-AutomationRunAsAccountRoleAssignments.ps1 script. This script changes your existing Run As account service principal to create and use a custom role definition. The role has permissions for all resources except Key Vault.

Important

After you run the Update-AutomationRunAsAccountRoleAssignments.ps1 script, runbooks that access Key Vault through the Run As account no longer work. Before running the script, review the runbooks in your account for calls to Azure Key Vault. To restore access to Key Vault from Azure Automation runbooks, you must add the Run As account to the Key Vault's permissions.

If you need to restrict further what the Run As service principal can do, add other resource types to the NotActions element of the custom role definition. The following example excludes Microsoft.Compute/*: once that resource type is in NotActions, the role no longer grants access to any Compute resource. NotActions only subtracts from this role's own Actions; it is not a deny rule, so any other role assignment the service principal holds still applies. To learn more about role definitions, see Understand role definitions for Azure resources.

```powershell
# Fetch the custom role created by the script, exclude all Compute operations, and save it.
$roleDefinition = Get-AzRoleDefinition -Name 'Automation RunAs Contributor'
$roleDefinition.NotActions.Add("Microsoft.Compute/*")
$roleDefinition | Set-AzRoleDefinition
```

You can determine whether the service principal used by your Run As account is assigned the Contributor role or a custom one.

  1. Sign in to the Azure portal.
  2. Go to your Automation account and select Run As Accounts in the Account Settings section.
  3. Select Azure Run As Account.
  4. Select Role to locate the role definition that is being used.

(Screenshot: Verify the Run As account role.)

You can also determine the role definition used by the Run As accounts across multiple subscriptions or Automation accounts by using the Check-AutomationRunAsAccountRoleAssignments.ps1 script in the PowerShell Gallery.
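
The following script is an added example, not the Update-AutomationRunAsAccountRoleAssignments.ps1 or Check-AutomationRunAsAccountRoleAssignments.ps1 script from the PowerShell Gallery. It shows the whole procedure this section describes in one place: clone Contributor into a custom role that excludes Key Vault and Compute through NotActions, move the Run As service principal from Contributor onto that role, and then list every assignment the principal still holds, which is the check the portal's Role field only partly answers. It assumes Az.Resources and Az.Automation, an existing Connect-AzAccount session, the portal's default connection asset name AzureRunAsConnection, and placeholder resource group and account names.

```powershell
# Added example (not the PowerShell Gallery scripts): create a restricted custom
# role for the Run As service principal, reassign it, and verify the result.
# Assumes Az.Resources and Az.Automation with an existing Connect-AzAccount session.

$resourceGroup  = 'rg-automation'                 # placeholder
$automationAcct = 'aa-prod'                       # placeholder
$roleName       = 'Automation RunAs Contributor'  # same name the Gallery script uses
$subscriptionId = (Get-AzContext).Subscription.Id
$scope          = "/subscriptions/$subscriptionId"

# The connection asset stores the ApplicationId of the Run As service principal.
$conn  = Get-AzAutomationConnection -ResourceGroupName $resourceGroup `
            -AutomationAccountName $automationAcct -Name 'AzureRunAsConnection'
$appId = $conn.FieldDefinitionValues['ApplicationId']
$sp    = Get-AzADServicePrincipal -ApplicationId $appId

# 1. Build the custom role from Contributor and carve out what the SP must not touch.
#    NotActions subtracts from this role's Actions; it does not deny what other roles grant.
if (-not (Get-AzRoleDefinition -Name $roleName)) {
    $role = Get-AzRoleDefinition -Name 'Contributor'
    $role.Id          = $null          # a new definition gets a new Id
    $role.Name        = $roleName
    $role.Description = 'Contributor minus Key Vault and Compute, for Automation Run As accounts'
    $role.IsCustom    = $true
    $role.NotActions.Add('Microsoft.KeyVault/*')
    $role.NotActions.Add('Microsoft.Compute/*')
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($scope)
    New-AzRoleDefinition -Role $role | Out-Null
}

# 2. Swap the assignment: grant the custom role first so the SP is never left without a role,
#    then remove Contributor at the subscription scope.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope `
    -ErrorAction SilentlyContinue | Out-Null
Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope `
    -ErrorAction SilentlyContinue

# 3. Verify. The portal's Role field shows one role; listing all assignments catches
#    a leftover Contributor or resource-group-level grant that would bypass NotActions.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

If step 3 still lists Contributor, or any role at a narrower scope that covers Compute or Key Vault, the restriction is not effective for those resources until that assignment is removed too.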

Add permissions to Key Vault

When the Run As account service principal uses the custom role definition, which excludes Key Vault, any runbook that needs Key Vault must be granted access explicitly. You must:

  • Grant the service principal permissions on the Key Vault resource.
  • Set the Key Vault access policy for the service principal.

You can use the Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 script in the PowerShell Gallery to grant your Run As account permissions to Key Vault. See Assign a Key Vault access policy for more details on setting permissions on Key Vault.
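
The following is an added example, not the Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 script. It grants the Run As service principal the two things this section lists, scoped to a single vault, and then publishes and runs a small test runbook that authenticates with the Run As connection and reads one secret, which is the quickest way to confirm that the grant is sufficient after the custom role has excluded Microsoft.KeyVault/*. It assumes Az.Automation, Az.Resources and Az.KeyVault, an existing Connect-AzAccount session, a vault that uses access policies, and placeholder names. The Reader role at vault scope and the secrets get/list permission set are least-privilege assumptions; widen them only if the runbooks need more.

```powershell
# Added example (not the PowerShell Gallery script): grant a Run As service
# principal access to one Key Vault, then prove it from inside a runbook.
# Assumes Az.Automation, Az.Resources, Az.KeyVault and an existing session.

$resourceGroup  = 'rg-automation'   # placeholder
$automationAcct = 'aa-prod'         # placeholder
$vaultName      = 'kv-automation'   # placeholder
$secretName     = 'db-password'     # placeholder, must already exist in the vault

# Resolve the Run As service principal from the connection asset.
$conn  = Get-AzAutomationConnection -ResourceGroupName $resourceGroup `
            -AutomationAccountName $automationAcct -Name 'AzureRunAsConnection'
$sp    = Get-AzADServicePrincipal -ApplicationId $conn.FieldDefinitionValues['ApplicationId']
$vault = Get-AzKeyVault -VaultName $vaultName

# Control plane: a role assignment scoped to this vault only (Reader is an assumption).
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
    -Scope $vault.ResourceId -ErrorAction SilentlyContinue | Out-Null

# Data plane: an access policy limited to reading secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $sp.Id `
    -PermissionsToSecrets get, list

# Test runbook. Get-AutomationConnection is the cmdlet available inside runbooks
# for reading the connection asset; the secret value itself is never written out.
$runbookBody = @'
param([string]$VaultName, [string]$SecretName)
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
$secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
if (-not $secret) { throw "Run As account cannot read $SecretName; check the role assignment and access policy" }
"Read $SecretName version $($secret.Version) OK"
'@

$path = Join-Path ([IO.Path]::GetTempPath()) 'Test-RunAsKeyVault.ps1'
Set-Content -Path $path -Value $runbookBody

Import-AzAutomationRunbook -ResourceGroupName $resourceGroup -AutomationAccountName $automationAcct `
    -Path $path -Name 'Test-RunAsKeyVault' -Type PowerShell -Published -Force | Out-Null

# Start the runbook and wait for its output (or the thrown error).
Start-AzAutomationRunbook -ResourceGroupName $resourceGroup -AutomationAccountName $automationAcct `
    -Name 'Test-RunAsKeyVault' -Parameters @{ VaultName = $vaultName; SecretName = $secretName } `
    -Wait -MaxWaitSeconds 600
```

The runbook throws rather than silently returning nothing, so a failed job is visible in the Automation job history and in whatever you use to alert on failed jobs.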

Resolve misconfiguration issues for Run As accounts

Some configuration items necessary for a Run As or Classic Run As account might have been deleted or created improperly during initial setup. Possible misconfigurations include:

  • Certificate asset
  • Connection asset
  • Run As account removed from the Contributor role
  • Service principal or application in Azure AD

For such misconfigurations, the Automation account detects the change and displays a status of Incomplete on the Run As Accounts properties pane for the account.

(Screenshot: Run As account configuration is incomplete.)

When you select the Run As account, the account properties pane displays the following error message:

The Run As account is incomplete. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connect asset - or the Thumbprint is not identical between Certificate and Connection. Please delete and then re-create the Run As Account.

You can resolve these Run As account issues quickly by deleting and re-creating the Run As account.
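
Deleting and re-creating the account is the fix, but it also issues a new certificate and service principal, so it is worth knowing which item is actually missing first. The following script is an added example, not code from the original article: it checks each item named in the Incomplete error message (certificate asset, connection asset, thumbprint agreement between the two, the service principal behind the connection's ApplicationId, and a role assignment for that principal) and reports what is absent. It assumes Az.Automation and Az.Resources, an existing Connect-AzAccount session, the portal's default asset names, and placeholder resource group and account names.

```powershell
# Added example (not from the original article): explain an "Incomplete" Run As
# account by checking each configuration item the error message refers to.
# Assumes Az.Automation and Az.Resources with an existing Connect-AzAccount session.

$resourceGroup  = 'rg-automation'   # placeholder
$automationAcct = 'aa-prod'         # placeholder
$issues = [System.Collections.Generic.List[string]]::new()

# 1. Certificate asset
$cert = Get-AzAutomationCertificate -ResourceGroupName $resourceGroup `
    -AutomationAccountName $automationAcct -Name 'AzureRunAsCertificate' -ErrorAction SilentlyContinue
if (-not $cert) { $issues.Add('Certificate asset AzureRunAsCertificate is missing') }

# 2. Connection asset
$conn = Get-AzAutomationConnection -ResourceGroupName $resourceGroup `
    -AutomationAccountName $automationAcct -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue
if (-not $conn) { $issues.Add('Connection asset AzureRunAsConnection is missing') }

# 3. The thumbprint stored in the connection must match the certificate asset
#    (-ne is case-insensitive, which is what we want for hex thumbprints).
if ($cert -and $conn) {
    $connThumb = $conn.FieldDefinitionValues['CertificateThumbprint']
    if ($connThumb -ne $cert.Thumbprint) {
        $issues.Add("Thumbprint mismatch: connection=$connThumb certificate=$($cert.Thumbprint)")
    }
}

# 4. Azure AD application / service principal referenced by the connection
$sp = $null
if ($conn) {
    $appId = $conn.FieldDefinitionValues['ApplicationId']
    $sp = Get-AzADServicePrincipal -ApplicationId $appId -ErrorAction SilentlyContinue
    if (-not $sp) { $issues.Add("No service principal found for ApplicationId $appId") }
}

# 5. Role assignment (Contributor by default, or the custom role after restriction)
if ($sp) {
    $assignments = Get-AzRoleAssignment -ObjectId $sp.Id -ErrorAction SilentlyContinue
    if (-not $assignments) { $issues.Add("Service principal $($sp.Id) has no role assignment") }
}

if ($issues.Count -eq 0) {
    'Run As account configuration is complete'
} else {
    $issues | ForEach-Object { "MISSING: $_" }
}
```

A thumbprint mismatch usually means the certificate asset was re-uploaded without updating the connection; a missing service principal means the Azure AD application was deleted, which can only be repaired by re-creating the Run As account as described above.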

Next steps