Manage an Azure Automation Run As account

Run As accounts in Azure Automation provide authentication for managing resources in Azure using the Azure cmdlets. When you create a Run As account, it creates a new service principal user in Azure Active Directory (AD) and assigns the Contributor role to this user at the subscription level.

Types of Run As accounts

Azure Automation uses two types of Run As accounts:

  • Azure Run As account
  • Azure Classic Run As account

The service principal for a Run As account does not have permissions to read Azure AD by default. If you want to add permissions to read or manage Azure AD, you'll need to grant the permissions on the service principal under API permissions. To learn more, see Add permissions to access web APIs.

Run As account

The Run As account manages Resource Manager deployment model resources. It does the following tasks.

  • Creates an Azure AD application with a self-signed certificate, creates a service principal account for the application in Azure AD, and assigns the Contributor role for the account in your current subscription. You can change this role assignment to Owner or any other role. For more information, see Role-based access control in Azure Automation.

  • Creates an Automation certificate asset named AzureRunAsCertificate in the specified Automation account. The certificate asset holds the certificate private key that the Azure AD application uses.

  • Creates an Automation connection asset named AzureRunAsConnection in the specified Automation account. The connection asset holds the application ID, tenant ID, subscription ID, and certificate thumbprint.
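The four fields stored in the AzureRunAsConnection asset exist so that a runbook can log in as the service principal without any secret in the runbook body. The following runbook fragment is an added example, not code from the original article or from the Azure Automation product; it assumes the Az modules are imported into the Automation account and that it runs inside the Automation sandbox, where the Get-AutomationConnection activity is available.

```powershell
# Added example: authenticate a runbook with the Run As connection asset.
# Assumes: Az.Accounts and Az.Resources imported into the Automation account,
# and execution inside Azure Automation (Get-AutomationConnection is only
# available there, not in a normal PowerShell session).

$connectionName = "AzureRunAsConnection"

# Read the connection asset. It returns the four fields the Run As account
# creation stored: ApplicationId, TenantId, SubscriptionId, CertificateThumbprint.
$runAsConnection = Get-AutomationConnection -Name $connectionName
if (-not $runAsConnection) {
    throw "Connection asset '$connectionName' not found. Create the Run As account first."
}

# Certificate-based service principal login. The private key lives in the
# AzureRunAsCertificate asset, which the sandbox loads into its certificate
# store, so only the thumbprint is needed here; no password or secret appears
# in the runbook or in job logs.
$null = Connect-AzAccount -ServicePrincipal `
    -Tenant $runAsConnection.TenantId `
    -ApplicationId $runAsConnection.ApplicationId `
    -CertificateThumbprint $runAsConnection.CertificateThumbprint

# Pin the context to the subscription recorded in the connection asset so that
# later cmdlets cannot silently target another subscription the principal can see.
$null = Set-AzContext -SubscriptionId $runAsConnection.SubscriptionId

# Representative work under the Run As identity: enumerate resource groups.
Get-AzResourceGroup | Select-Object ResourceGroupName, Location
```

Because the certificate is the only credential, the thumbprint in the connection asset and the thumbprint of the certificate asset must agree; the "Incomplete" status described later in this article is what you see when they drift apart.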

Azure Classic Run As account

The Azure Classic Run As account manages Classic deployment model resources. You must be a co-administrator on the subscription to create or renew this type of account.

The Azure Classic Run As account performs the following tasks.

  • Creates a management certificate in the subscription.

  • Creates an Automation certificate asset named AzureClassicRunAsCertificate in the specified Automation account. The certificate asset holds the certificate private key used by the management certificate.

  • Creates an Automation connection asset named AzureClassicRunAsConnection in the specified Automation account. The connection asset holds the subscription name, subscription ID, and certificate asset name.

Note

The Azure Classic Run As account is not created by default at the same time as the Automation account. This account is created individually, following the steps described later in this article.

Obtain Run As account permissions

This section defines permissions for both regular Run As accounts and Classic Run As accounts.

Get permissions to configure Run As accounts

To create or update a Run As account, you must have specific privileges and permissions. An Application Administrator in Azure Active Directory and an Owner in a subscription can complete all the tasks. In a situation where you have separation of duties, the following table lists the tasks, the equivalent cmdlets, and the permissions needed:

Task: Create Azure AD application
  Cmdlet: New-AzADApplication
  Minimum permissions: Application Developer role (1)
  Where you set the permissions: Azure AD, under Home > Azure AD > App Registrations

Task: Add a credential to the application
  Cmdlet: New-AzADAppCredential
  Minimum permissions: Application Administrator or Global Administrator (1)
  Where you set the permissions: Azure AD, under Home > Azure AD > App Registrations

Task: Create and get an Azure AD service principal
  Cmdlets: New-AzADServicePrincipal, Get-AzADServicePrincipal
  Minimum permissions: Application Administrator or Global Administrator (1)
  Where you set the permissions: Azure AD, under Home > Azure AD > App Registrations

Task: Assign or get the Azure role for the specified principal
  Cmdlets: New-AzRoleAssignment, Get-AzRoleAssignment
  Minimum permissions: User Access Administrator or Owner, or the following permissions:
    Microsoft.Authorization/Operations/read
    Microsoft.Authorization/permissions/read
    Microsoft.Authorization/roleDefinitions/read
    Microsoft.Authorization/roleAssignments/write
    Microsoft.Authorization/roleAssignments/read
    Microsoft.Authorization/roleAssignments/delete
  Where you set the permissions: Subscription, under Home > Subscriptions > <subscription name> - Access Control (IAM)

Task: Create or remove an Automation certificate
  Cmdlets: New-AzAutomationCertificate, Remove-AzAutomationCertificate
  Minimum permissions: Contributor on the resource group
  Where you set the permissions: Automation account resource group

Task: Create or remove an Automation connection
  Cmdlets: New-AzAutomationConnection, Remove-AzAutomationConnection
  Minimum permissions: Contributor on the resource group
  Where you set the permissions: Automation account resource group

(1) Non-administrator users in your Azure AD tenant can register AD applications if the Azure AD tenant's "Users can register applications" option on the User settings page is set to Yes. If the application registration setting is No, the user performing this action must hold the role defined in this table.

If you aren't a member of the subscription's Active Directory instance before you're added to the Global Administrator role of the subscription, you're added as a guest. In this situation, you receive a "You do not have permissions to create…" warning on the Add Automation Account page.

If you are a member of the subscription's Active Directory instance when the Global Administrator role is assigned, you can also receive a "You do not have permissions to create…" warning on the Add Automation Account page. In this case, you can request removal from the subscription's Active Directory instance and then request to be re-added, so that you become a full user in Active Directory.

To verify that the situation producing the error message has been remedied:

  1. From the Azure Active Directory pane in the Azure portal, select Users.
  2. Select All users.
  3. Choose your name, then select Profile.
  4. Ensure that the value of the User type attribute under your user's profile is not set to Guest.

Get permissions to configure Classic Run As accounts

To configure or renew Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see Azure classic subscription administrators.

Create a Run As account in the Azure portal

Perform the following steps to update your Azure Automation account in the Azure portal. The Run As and Classic Run As accounts are created individually. If you don't need to manage classic resources, you can create just the Azure Run As account.

  1. Log in to the Azure portal with an account that is a member of the Subscription Admins role and a co-administrator of the subscription.

  2. Search for and select Automation Accounts.

  3. On the Automation Accounts page, select your Automation account from the list.

  4. In the left pane, select Run As Accounts in the Account Settings section.

  5. Depending on which account you require, select either Azure Run As Account or Azure Classic Run As Account.

  6. Depending on the account of interest, use the Add Azure Run As Account or Add Azure Classic Run As Account pane. After reviewing the overview information, click Create.

  7. While Azure creates the Run As account, you can track the progress under Notifications from the menu. A banner is also displayed stating that the account is being created. The process can take a few minutes to complete.

Delete a Run As or Classic Run As account

This section describes how to delete a Run As or Classic Run As account. When you perform this action, the Automation account is retained. After you delete the account, you can re-create it in the Azure portal.

  1. In the Azure portal, open the Automation account.

  2. In the left pane, select Run As Accounts in the Account Settings section.

  3. On the Run As Accounts properties page, select either the Run As account or the Classic Run As account that you want to delete.

  4. On the Properties pane for the selected account, click Delete.

    (Screenshot: Delete Run As account)

  5. While the account is being deleted, you can track the progress under Notifications from the menu.

  6. After the account has been deleted, you can re-create it on the Run As Accounts properties page by selecting the create option Azure Run As Account.

    (Screenshot: Re-create the Automation Run As account)

Renew a self-signed certificate

The self-signed certificate that you have created for the Run As account expires one year from the date of creation. At some point before your Run As account expires, you must renew the certificate. You can renew it any time before it expires.

When you renew the self-signed certificate, the current valid certificate is retained to ensure that any runbooks that are queued up or actively running, and that authenticate with the Run As account, aren't negatively affected. The certificate remains valid until its expiration date.

Note

If you think that the Run As account has been compromised, you can delete and re-create the self-signed certificate.

Note

If you have configured your Run As account to use a certificate issued by your enterprise certificate authority and you use the option to renew a self-signed certificate, the enterprise certificate is replaced by a self-signed certificate.

Use the following steps to renew the self-signed certificate.

  1. In the Azure portal, open the Automation account.

  2. Select Run As Accounts in the Account Settings section.

    (Screenshot: Automation account properties pane)

  3. On the Run As Accounts properties page, select either the Run As account or the Classic Run As account for which to renew the certificate.

  4. On the Properties pane for the selected account, click Renew certificate.

    (Screenshot: Renew certificate for the Run As account)

  5. While the certificate is being renewed, you can track the progress under Notifications from the menu.

Limit Run As account permissions

To control the targeting of Automation against resources in Azure, you can run the Update-AutomationRunAsAccountRoleAssignments.ps1 script. This script changes your existing Run As account service principal to create and use a custom role definition. The role has permissions for all resources except Key Vault.

Important

After you run the Update-AutomationRunAsAccountRoleAssignments.ps1 script, runbooks that access Key Vault through the use of Run As accounts no longer work. Before running the script, you should review runbooks in your account for calls to Azure Key Vault. To enable access to Key Vault from Azure Automation runbooks, you must add the Run As account to Key Vault's permissions.

If you need to restrict further what the Run As service principal can do, you can add other resource types to the NotActions element of the custom role definition. The following example restricts access to Microsoft.Compute/*. If you add this resource type to NotActions for the role definition, the role will not be able to access any Compute resource. To learn more about role definitions, see Understand role definitions for Azure resources.

# Load the custom role definition created by Update-AutomationRunAsAccountRoleAssignments.ps1
$roleDefinition = Get-AzRoleDefinition -Name 'Automation RunAs Contributor'
# Exclude every Compute operation from the role (NotActions subtracts from Actions)
$roleDefinition.NotActions.Add("Microsoft.Compute/*")
# Write the modified definition back to Azure
$roleDefinition | Set-AzRoleDefinition
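NotActions is a subtraction from Actions, not a deny rule, so it is worth checking offline what a definition actually permits before pushing it with Set-AzRoleDefinition. The function below is an added example, not part of the original article or of the Update-AutomationRunAsAccountRoleAssignments.ps1 script; it evaluates a management-plane operation against an Actions/NotActions pair using the same wildcard semantics Azure RBAC applies (a `*` spans any characters, including `/`, and matching is case-insensitive). The role it evaluates is constructed for illustration and is not the real 'Automation RunAs Contributor' definition.

```powershell
# Added example: evaluate a role definition's Actions/NotActions locally,
# with no Azure connection. Test-RoleAllowsOperation and the sample role
# below are constructed for this illustration.

function Test-RoleAllowsOperation {
    param(
        [Parameter(Mandatory)][string[]]$Actions,
        [string[]]$NotActions = @(),
        [Parameter(Mandatory)][string]$Operation
    )
    # An operation is granted only if it matches at least one Actions pattern...
    $granted = $false
    foreach ($pattern in $Actions) {
        # -like is case-insensitive and treats * as "any characters", which is
        # how Azure RBAC wildcards behave for operation strings.
        if ($Operation -like $pattern) { $granted = $true; break }
    }
    if (-not $granted) { return $false }
    # ...and does not match any NotActions pattern. NotActions removes an
    # operation from this role only; another role assigned to the same
    # principal could still grant it.
    foreach ($pattern in $NotActions) {
        if ($Operation -like $pattern) { return $false }
    }
    return $true
}

# Constructed sample role: everything except Key Vault and Compute, plus the
# Microsoft.Authorization write exclusion that the built-in Contributor role
# carries, so the principal cannot grant itself additional roles.
$sampleRole = @{
    Actions    = @('*')
    NotActions = @(
        'Microsoft.KeyVault/*',
        'Microsoft.Compute/*',
        'Microsoft.Authorization/*/Write',
        'Microsoft.Authorization/*/Delete'
    )
}

# Operations a runbook might attempt; the expected verdicts are in the comments.
$checks = @(
    'Microsoft.Compute/virtualMachines/start/action',    # blocked by Microsoft.Compute/*
    'Microsoft.KeyVault/vaults/secrets/read',            # blocked by Microsoft.KeyVault/*
    'Microsoft.Storage/storageAccounts/read',            # allowed by *
    'Microsoft.Authorization/roleAssignments/write'      # blocked by Microsoft.Authorization/*/Write
)
foreach ($op in $checks) {
    $allowed = Test-RoleAllowsOperation -Actions $sampleRole.Actions `
        -NotActions $sampleRole.NotActions -Operation $op
    '{0,-50} {1}' -f $op, $(if ($allowed) { 'allowed' } else { 'blocked' })
}
```

The Microsoft.Authorization exclusions are the caveat to keep in mind when you extend the custom role: a definition whose Actions is `*` with NotActions covering only resource providers still lets the Run As principal write role assignments, which is a path to regaining everything NotActions removed. The built-in Contributor role excludes Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete for exactly that reason, and a custom role derived from it should keep those entries.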

You can determine whether the service principal used by your Run As account is in the Contributor role definition or a custom one.

  1. Go to your Automation account and select Run As Accounts in the Account Settings section.
  2. Select Azure Run As Account.
  3. Select Role to locate the role definition that is being used.

(Screenshot: Verify the Run As account role)

You can also determine the role definition used by the Run As accounts for multiple subscriptions or Automation accounts. Do this by using the Check-AutomationRunAsAccountRoleAssignments.ps1 script in the PowerShell Gallery.

Add permissions to Key Vault

You can allow Azure Automation to verify whether Key Vault and your Run As account service principal are using a custom role definition. You must:

  • Grant permissions to Key Vault.
  • Set the access policy.

You can use the Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 script in the PowerShell Gallery to give your Run As account permissions to Key Vault. See Grant applications access to a key vault for more details on setting permissions on Key Vault.

Resolve misconfiguration issues for Run As accounts

Some configuration items necessary for a Run As or Classic Run As account might have been deleted or created improperly during initial setup. Possible instances of misconfiguration include:

  • Certificate asset
  • Connection asset
  • Run As account removed from the Contributor role
  • Service principal or application in Azure AD

For such misconfiguration instances, the Automation account detects the changes and displays a status of Incomplete on the Run As Accounts properties pane for the account.

(Screenshot: Incomplete Run As account configuration status)

When you select the Run As account, the account properties pane displays the following error message:

The Run As account is incomplete. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connect asset - or the Thumbprint is not identical between Certificate and Connection. Please delete and then re-create the Run As Account.

You can quickly resolve these Run As account issues by deleting and re-creating the account.
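The "Incomplete" status is the portal's summary of the checks listed in that error message, and the Role link in the Run As Accounts pane answers the Contributor-versus-custom question from the earlier section. The script below is an added example that reproduces both checks from an operator session; it is not the article's own code and is not the Check-AutomationRunAsAccountRoleAssignments.ps1 script from the PowerShell Gallery. It assumes you have already run Connect-AzAccount with an identity that can read the Automation account, Azure AD applications, and role assignments, and it is read-only: it reports findings and changes nothing. The resource group and Automation account names are placeholders to replace.

```powershell
# Added example: read-only consistency check for an Azure Run As account.
# Assumes an existing Az session (Connect-AzAccount) with read access to the
# Automation account, Azure AD, and subscription role assignments.
# <placeholders> below are not real values.
param(
    [string]$ResourceGroupName     = '<automation-account-resource-group>',
    [string]$AutomationAccountName = '<automation-account-name>'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Connection asset: ApplicationId, TenantId, SubscriptionId, CertificateThumbprint.
$conn = Get-AzAutomationConnection -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsConnection' `
    -ErrorAction SilentlyContinue
if (-not $conn) { $findings.Add('Connection asset AzureRunAsConnection is missing') }

# 2. Certificate asset: holds the private key; warn well before its expiry.
$cert = Get-AzAutomationCertificate -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsCertificate' `
    -ErrorAction SilentlyContinue
if (-not $cert) { $findings.Add('Certificate asset AzureRunAsCertificate is missing') }
elseif ($cert.ExpiryTime -lt (Get-Date).AddDays(30)) {
    $findings.Add("Certificate expires on $($cert.ExpiryTime); renew it")
}

if ($conn -and $cert) {
    $fields = $conn.FieldDefinitionValues

    # 3. The thumbprint recorded in the connection must match the certificate asset.
    if ($fields['CertificateThumbprint'] -ne $cert.Thumbprint) {
        $findings.Add('Thumbprint in AzureRunAsConnection does not match AzureRunAsCertificate')
    }

    # 4. The Azure AD application and its service principal must still exist.
    $appId = $fields['ApplicationId']
    $app = Get-AzADApplication -ApplicationId $appId -ErrorAction SilentlyContinue
    if (-not $app) { $findings.Add("Azure AD application $appId not found") }
    $sp = Get-AzADServicePrincipal -ApplicationId $appId -ErrorAction SilentlyContinue
    if (-not $sp) { $findings.Add("Service principal for application $appId not found") }

    # 5. Role assignment at subscription scope, and whether it is Contributor or custom.
    if ($sp) {
        $scope = "/subscriptions/$($fields['SubscriptionId'])"
        $assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope -ErrorAction SilentlyContinue |
            Where-Object { $_.Scope -eq $scope }
        if (-not $assignments) {
            $findings.Add('No role assignment for the Run As principal at subscription scope')
        }
        foreach ($a in $assignments) {
            $def  = Get-AzRoleDefinition -Id $a.RoleDefinitionId
            $kind = if ($def.IsCustom) { 'custom' } else { 'built-in' }
            Write-Output "Role at subscription scope: $($def.Name) ($kind)"
        }
    }
}

if ($findings.Count -eq 0) { Write-Output 'Run As account configuration is consistent' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Running this on a schedule gives you the same signal as the portal's Incomplete status without opening each account, and the expiry warning covers the one-year self-signed certificate lifetime described in the renewal section. A finding of a missing application or service principal, or a mismatched thumbprint, is resolved the way the article states: delete and re-create the Run As account.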

Next steps