Manage an Azure Automation Run As account

Run As accounts in Azure Automation provide authentication for managing resources on the Azure Resource Manager or Azure Classic deployment model using Automation runbooks and other Automation features. This article provides guidance on how to manage a Run As or Classic Run As account.

To learn more about Azure Automation account authentication and guidance related to process automation scenarios, see Automation Account authentication overview.

Run As account permissions

This section defines permissions for both regular Run As accounts and Classic Run As accounts.

To create or update a Run As account, you must have specific privileges and permissions. An Application Administrator in Azure Active Directory and an Owner in a subscription can complete all the tasks. In a situation where you have separation of duties, the following table lists the tasks, the equivalent cmdlet, and the permissions needed:

Task: Create Azure AD Application
  Cmdlet: New-AzADApplication
  Minimum permissions: Application Developer role¹
  Where you set the permissions: Azure AD: Home > Azure AD > App Registrations

Task: Add a credential to the application
  Cmdlet: New-AzADAppCredential
  Minimum permissions: Application Administrator or Global Administrator¹
  Where you set the permissions: Azure AD: Home > Azure AD > App Registrations

Task: Create and get an Azure AD service principal
  Cmdlets: New-AzADServicePrincipal, Get-AzADServicePrincipal
  Minimum permissions: Application Administrator or Global Administrator¹
  Where you set the permissions: Azure AD: Home > Azure AD > App Registrations

Task: Assign or get the Azure role for the specified principal
  Cmdlets: New-AzRoleAssignment, Get-AzRoleAssignment
  Minimum permissions: User Access Administrator or Owner, or a role with the following permissions:
    Microsoft.Authorization/Operations/read
    Microsoft.Authorization/permissions/read
    Microsoft.Authorization/roleDefinitions/read
    Microsoft.Authorization/roleAssignments/write
    Microsoft.Authorization/roleAssignments/read
    Microsoft.Authorization/roleAssignments/delete
  Where you set the permissions: Subscription: Home > Subscriptions > <subscription name> - Access Control (IAM)

Task: Create or remove an Automation certificate
  Cmdlets: New-AzAutomationCertificate, Remove-AzAutomationCertificate
  Minimum permissions: Contributor on resource group
  Where you set the permissions: Automation account resource group

Task: Create or remove an Automation connection
  Cmdlets: New-AzAutomationConnection, Remove-AzAutomationConnection
  Minimum permissions: Contributor on resource group
  Where you set the permissions: Automation account resource group

¹ Non-administrator users in your Azure AD tenant can register AD applications if the Azure AD tenant's Users can register applications option on the User settings page is set to Yes. If the application registration setting is No, the user performing this action must hold a role as defined in this table.
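As an added example (not code from the original article or from Azure Automation itself), the following PowerShell carries out the tasks in the table above with the cmdlets it lists, grouped by the role that has to run each part, so that a tenant with separation of duties can hand each group to the right operator. The resource group, Automation account, application display name and PFX path are assumed placeholders; AzureRunAsCertificate and AzureRunAsConnection are the asset names a portal-created Run As account uses; the comments about Az module version differences are assumptions about the modules you have installed.

```powershell
# Added example, not from the original article. The values below are assumed placeholders.
$ResourceGroupName     = 'rg-automation-example'          # assumed
$AutomationAccountName = 'aa-example'                     # assumed
$AppDisplayName        = 'aa-example-runas'               # assumed
$PfxPath               = 'C:\certs\aa-example-runas.pfx'  # assumed: certificate the Run As account will use
$PfxPassword           = Read-Host -Prompt 'PFX password' -AsSecureString

$ctx            = Get-AzContext
$SubscriptionId = $ctx.Subscription.Id
$TenantId       = $ctx.Tenant.Id

# Load the certificate once: the public part goes to Azure AD, the PFX to the Automation account.
$cert      = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $PfxPassword)
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())

# --- Azure AD: Application Developer (application), Application Administrator (credential, SP) ---
# Older Az.Resources versions also require -IdentifierUris here and expose $app.ApplicationId
# instead of $app.AppId (assumption about your module version).
$app = New-AzADApplication -DisplayName $AppDisplayName
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# --- Subscription: User Access Administrator or Owner ---
# Directory replication can lag, so retry until ARM can see the new service principal.
$scope = "/subscriptions/$SubscriptionId"
for ($attempt = 0; $attempt -lt 6; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $scope -ErrorAction Stop
        break
    } catch {
        Start-Sleep -Seconds 10
    }
}

# --- Automation account resource group: Contributor ---
New-AzAutomationCertificate -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
    -Name 'AzureRunAsCertificate' -Path $PfxPath -Password $PfxPassword -Exportable

# The connection asset ties the certificate thumbprint to the application; a mismatch here is
# exactly what the "Run As account is incomplete" status later in this article reports.
New-AzAutomationConnection -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
    -Name 'AzureRunAsConnection' -ConnectionTypeName 'AzureServicePrincipal' -ConnectionFieldValues @{
        ApplicationId         = $app.AppId
        TenantId              = $TenantId
        CertificateThumbprint = $cert.Thumbprint
        SubscriptionId        = $SubscriptionId
    }
```

Each of the three sections fails with an authorization error if the signed-in identity lacks the role named in its comment, which is the point of the table: an Application Developer can run the first section and stop, and an Owner never needs to hold Azure AD administrator rights to run the other two.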

If you aren't a member of the subscription's Active Directory instance before you're added to the Global Administrator role of the subscription, you're added as a guest. In this situation, you receive a You do not have permissions to create… warning on the Add Automation Account page.

If you are a member of the subscription's Active Directory instance when the Global Administrator role is assigned, you can also receive a You do not have permissions to create… warning on the Add Automation Account page. In this case, you can request removal from the subscription's Active Directory instance and then request to be re-added, so that you become a full user in Active Directory.

To verify that the situation producing the error message has been remedied:

  1. From the Azure Active Directory pane in the Azure portal, select Users.
  2. Select All users.
  3. Choose your name, then select Profile.
  4. Ensure that the value of the User type attribute under your user's profile is not set to Guest.

Permissions required to create or manage Classic Run As accounts

To configure or renew Classic Run As accounts, you must have the Co-administrator role at the subscription level. To learn more about classic subscription permissions, see Azure classic subscription administrators.

Create a Run As account in the Azure portal

Perform the following steps to update your Azure Automation account in the Azure portal. Create the Run As and Classic Run As accounts individually. If you don't need to manage classic resources, you can just create the Azure Run As account.

  1. Log in to the Azure portal with an account that is a member of the Subscription Admins role and a co-administrator of the subscription.

  2. Search for and select Automation Accounts.

  3. On the Automation Accounts page, select your Automation account from the list.

  4. In the left pane, select Run As Accounts in the Account Settings section.

    [Screenshot: the Run As Accounts option]

  5. Depending on the account you require, use the + Azure Run As Account or + Azure Classic Run As Account pane. After reviewing the overview information, click Create.

    [Screenshot: the option to create a Run As account]

  6. While Azure creates the Run As account, you can track the progress under Notifications from the menu. A banner is also displayed stating that the account is being created. The process can take a few minutes to complete.

Delete a Run As or Classic Run As account

This section describes how to delete a Run As or Classic Run As account. When you perform this action, the Automation account is retained. After you delete the Run As account, you can re-create it in the Azure portal.

  1. In the Azure portal, open the Automation account.

  2. In the left pane, select Run As Accounts in the Account Settings section.

  3. On the Run As Accounts properties page, select either the Run As account or the Classic Run As account that you want to delete.

  4. On the Properties pane for the selected account, click Delete.

    [Screenshot: deleting the Run As account]

  5. While the account is being deleted, you can track the progress under Notifications from the menu.

Renew a self-signed certificate

The self-signed certificate that is created for the Run As account expires one year from the date of creation. At some point before your Run As account expires, you must renew the certificate. You can renew it any time before it expires.

When you renew the self-signed certificate, the current valid certificate is retained to ensure that any runbooks that are queued up or actively running, and that authenticate with the Run As account, aren't negatively affected. The certificate remains valid until its expiration date.

Note

If you think that the Run As account has been compromised, you can delete and re-create the self-signed certificate.

Note

If you have configured your Run As account to use a certificate issued by your enterprise certificate authority and you use the option to renew the self-signed certificate, the enterprise certificate is replaced by a self-signed certificate.

Use the following steps to renew the self-signed certificate.

  1. In the Azure portal, open the Automation account.

  2. Select Run As Accounts in the Account Settings section.

    [Screenshot: the Automation account properties pane]

  3. On the Run As Accounts properties page, select either the Run As account or the Classic Run As account for which to renew the certificate.

  4. On the Properties pane for the selected account, click Renew certificate.

    [Screenshot: renewing the certificate for the Run As account]

  5. While the certificate is being renewed, you can track the progress under Notifications from the menu.

Limit Run As account permissions

To control the targeting of Automation against resources in Azure, you can run the Update-AutomationRunAsAccountRoleAssignments.ps1 script. This script changes your existing Run As account service principal to create and use a custom role definition. The role has permissions for all resources except Key Vault.

Important

After you run the Update-AutomationRunAsAccountRoleAssignments.ps1 script, runbooks that access Key Vault through the use of Run As accounts no longer work. Before running the script, review the runbooks in your account for calls to Azure Key Vault. To enable access to Key Vault from Azure Automation runbooks, you must add the Run As account to Key Vault's permissions.

If you need to restrict further what the Run As service principal can do, you can add other resource types to the NotActions element of the custom role definition. The following example restricts access to Microsoft.Compute/*. If you add this resource type to NotActions for the role definition, the role will not be able to access any Compute resource. To learn more about role definitions, see Understand role definitions for Azure resources.

# Load the custom role definition created by the script and exclude all Compute operations
$roleDefinition = Get-AzRoleDefinition -Name 'Automation RunAs Contributor'
$roleDefinition.NotActions.Add("Microsoft.Compute/*")
# Write the updated definition back to Azure
$roleDefinition | Set-AzRoleDefinition

You can determine whether the service principal used by your Run As account is in the Contributor role definition or a custom one.

  1. Go to your Automation account and select Run As Accounts in the Account Settings section.
  2. Select Azure Run As Account.
  3. Select Role to locate the role definition that is being used.

[Screenshot: verifying the Run As account role]

You can also determine the role definition used by the Run As accounts for multiple subscriptions or Automation accounts. Do this by using the Check-AutomationRunAsAccountRoleAssignments.ps1 script in the PowerShell Gallery.
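The portal steps above check one account at a time. As an added example (not the Check-AutomationRunAsAccountRoleAssignments.ps1 script from the PowerShell Gallery, and not code from the original article), the following function reads the Run As connection asset of an Automation account, resolves the service principal it names, and reports whether that principal holds the built-in Contributor role or a custom role, listing the custom role's NotActions. The resource group and account names are whatever Get-AzAutomationAccount returns in your subscription; AzureRunAsConnection is the portal's default asset name and is an assumption if you created the connection yourself.

```powershell
# Added example, not from the original article. 'AzureRunAsConnection' is the portal's default
# asset name; pass -ConnectionName if your account uses a different one.
function Get-RunAsRoleReport {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName,
        [string] $ConnectionName = 'AzureRunAsConnection'
    )
    # The connection asset records which application the Run As account authenticates as.
    $conn = Get-AzAutomationConnection -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $conn) {
        return [pscustomobject]@{ Account = $AutomationAccountName; Role = $null; Scope = $null
                                  IsCustom = $null; Finding = "No connection asset named $ConnectionName" }
    }
    $appId = $conn.FieldDefinitionValues['ApplicationId']
    $subId = $conn.FieldDefinitionValues['SubscriptionId']

    # Every role assignment the service principal holds at or below subscription scope.
    $assignments = Get-AzRoleAssignment -ServicePrincipalName $appId -Scope "/subscriptions/$subId"
    if (-not $assignments) {
        return [pscustomobject]@{ Account = $AutomationAccountName; Role = $null; Scope = $null
                                  IsCustom = $null; Finding = 'No role assignment: account is incomplete' }
    }
    foreach ($a in $assignments) {
        $def = Get-AzRoleDefinition -Name $a.RoleDefinitionName
        $finding = if ($def.IsCustom) {
            "Custom role; NotActions: $($def.NotActions -join ', ')"
        } elseif ($a.RoleDefinitionName -eq 'Contributor') {
            'Built-in Contributor: broader than a custom role with NotActions'
        } else {
            'Built-in role'
        }
        [pscustomobject]@{
            Account  = $AutomationAccountName
            Role     = $a.RoleDefinitionName
            Scope    = $a.Scope
            IsCustom = $def.IsCustom
            Finding  = $finding
        }
    }
}

# Run the report over every Automation account in the current subscription.
Get-AzAutomationAccount | ForEach-Object {
    Get-RunAsRoleReport -ResourceGroupName $_.ResourceGroupName -AutomationAccountName $_.AutomationAccountName
} | Format-Table -AutoSize
```

Because the service principal is looked up from the connection asset rather than by display name, the report also catches the case where the connection points at an application that no longer has any role assignment, which is one of the misconfigurations described later in this article.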

Add permissions to Key Vault

You can allow Azure Automation to verify whether Key Vault and your Run As account service principal are using a custom role definition. To do so, you must:

  • Grant permissions to Key Vault.
  • Set the access policy.

You can use the Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 script in the PowerShell Gallery to give your Run As account permissions to Key Vault. See Assign a Key Vault access policy for more details on setting permissions on Key Vault.
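As an added example (not the Extend-AutomationRunAsAccountRoleAssignmentToKeyVault.ps1 script and not code from the original article), the following function grants the Run As service principal a Key Vault access policy limited to the secret permissions the runbooks actually need, then reads the policy back so the change is verified rather than assumed. The vault name, resource group and Automation account name are assumed placeholders, and the default Get/List secret permissions are an assumed least-privilege starting point.

```powershell
# Added example, not from the original article. Names passed in are assumed placeholders.
function Grant-RunAsKeyVaultAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName,
        [string[]] $SecretPermissions = @('Get', 'List'),   # assumed: only what the runbooks call
        [string] $ConnectionName = 'AzureRunAsConnection'    # portal default asset name
    )
    # Resolve the Run As service principal from the connection asset, not from a display name.
    $conn  = Get-AzAutomationConnection -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $ConnectionName
    $appId = $conn.FieldDefinitionValues['ApplicationId']
    $sp    = Get-AzADServicePrincipal -ApplicationId $appId

    # Access policies are keyed by object ID; granting by object ID avoids name ambiguity.
    # Only secret permissions are granted: no key or certificate operations are added.
    Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $sp.Id -PermissionsToSecrets $SecretPermissions

    # Read the policy back and return what the principal can now do in the vault.
    $vault  = Get-AzKeyVault -VaultName $VaultName
    $policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
    [pscustomobject]@{
        Vault            = $VaultName
        ServicePrincipal = $sp.Id
        Secrets          = ($policy.PermissionsToSecrets -join ', ')
        Keys             = ($policy.PermissionsToKeys -join ', ')
        Certificates     = ($policy.PermissionsToCertificates -join ', ')
    }
}

# Usage (placeholders): grant read-only secret access and show the resulting policy.
Grant-RunAsKeyVaultAccess -VaultName 'kv-example' -ResourceGroupName 'rg-automation-example' `
    -AutomationAccountName 'aa-example'
```

Access policies apply only to vaults that use the vault access policy permission model; a vault configured for Azure RBAC needs a role assignment on the vault scope instead, and Set-AzKeyVaultAccessPolicy has no effect there.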

Resolve misconfiguration issues for Run As accounts

Some configuration items necessary for a Run As or Classic Run As account might have been deleted or created improperly during initial setup. Possible instances of misconfiguration include:

  • Certificate asset
  • Connection asset
  • Run As account removed from the Contributor role
  • Service principal or application in Azure AD

For such misconfiguration instances, the Automation account detects the changes and displays a status of Incomplete on the Run As Accounts properties pane for the account.

[Screenshot: Incomplete Run As account configuration status]

When you select the Run As account, the account properties pane displays the following error message:

The Run As account is incomplete. Either one of these was deleted or not created - Azure Active Directory Application, Service Principal, Role, Automation Certificate asset, Automation Connect asset - or the Thumbprint is not identical between Certificate and Connection. Please delete and then re-create the Run As Account.

You can quickly resolve these Run As account issues by deleting and re-creating the Run As account.
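The error message above lists the conditions the portal checks. As an added example (not code from the original article), the following function reproduces those checks from PowerShell for one Automation account, so that many accounts can be scanned before their runbooks start failing: it confirms the certificate and connection assets exist, compares the certificate thumbprint with the one recorded in the connection, confirms the Azure AD application and service principal still exist, and, covering the Renew a self-signed certificate section as well, flags a certificate that has expired or is about to. Role assignments are not checked here. The resource group and account names are assumed placeholders; AzureRunAsCertificate and AzureRunAsConnection are the portal's default asset names.

```powershell
# Added example, not from the original article. Asset names are the portal defaults;
# resource group and account names are assumed placeholders.
function Test-RunAsAccount {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName,
        [int] $WarnIfExpiresWithinDays = 30
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    $cert = Get-AzAutomationCertificate -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsCertificate' -ErrorAction SilentlyContinue
    $conn = Get-AzAutomationConnection -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name 'AzureRunAsConnection' -ErrorAction SilentlyContinue

    if (-not $cert) { $findings.Add('Certificate asset AzureRunAsCertificate is missing') }
    if (-not $conn) { $findings.Add('Connection asset AzureRunAsConnection is missing') }

    if ($cert) {
        # The self-signed certificate expires one year after creation; warn before runbooks fail.
        $daysLeft = [int]($cert.ExpiryTime.UtcDateTime - [DateTime]::UtcNow).TotalDays
        if ($daysLeft -lt 0) {
            $findings.Add("Certificate expired $(-$daysLeft) days ago")
        } elseif ($daysLeft -lt $WarnIfExpiresWithinDays) {
            $findings.Add("Certificate expires in $daysLeft days")
        }
    }

    if ($cert -and $conn) {
        # The connection must reference the same certificate the account actually holds.
        $connThumb = $conn.FieldDefinitionValues['CertificateThumbprint']
        if ($cert.Thumbprint -ne $connThumb) {
            $findings.Add("Thumbprint mismatch: certificate $($cert.Thumbprint), connection $connThumb")
        }
    }

    if ($conn) {
        # The account is also incomplete when the Azure AD application or its service principal is gone.
        $appId = $conn.FieldDefinitionValues['ApplicationId']
        if (-not (Get-AzADApplication -ApplicationId $appId -ErrorAction SilentlyContinue)) {
            $findings.Add("Azure AD application $appId not found")
        }
        if (-not (Get-AzADServicePrincipal -ApplicationId $appId -ErrorAction SilentlyContinue)) {
            $findings.Add("Service principal for application $appId not found")
        }
    }

    [pscustomobject]@{
        Account  = $AutomationAccountName
        Status   = if ($findings.Count -eq 0) { 'Complete' } else { 'Incomplete' }
        Findings = ($findings -join '; ')
    }
}

# Scan every Automation account in the current subscription.
Get-AzAutomationAccount | ForEach-Object {
    Test-RunAsAccount -ResourceGroupName $_.ResourceGroupName -AutomationAccountName $_.AutomationAccountName
} | Format-Table -AutoSize
```

An account that reports Incomplete here is resolved the same way the article describes: delete the Run As account and re-create it, which regenerates the certificate, connection, application, service principal and role assignment together.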

Next steps