Credential assets in Azure Automation

An Automation credential asset holds an object that contains security credentials such as a username and password. Runbooks and DSC configurations may use cmdlets that accept a PSCredential object for authentication, or they may extract the username and password from the PSCredential object to provide to an application or service that requires authentication. The properties of a credential are stored securely in Azure Automation and can be accessed in a runbook or DSC configuration with the Get-AutomationPSCredential activity.

Note

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each Automation account. This key is stored in Key Vault. Before a secure asset is stored, the key is loaded from Key Vault and used to encrypt the asset.

AzureRM PowerShell cmdlets

For AzureRM, the cmdlets in the following table are used to create and manage Automation credential assets with Windows PowerShell. They ship as part of the AzureRM.Automation module, which is available for use in Automation runbooks and DSC configurations.

| Cmdlet | Description |
|---|---|
| Get-AzureRmAutomationCredential | Retrieves information about a credential asset. This does not return a PSCredential object. |
| New-AzureRmAutomationCredential | Creates a new Automation credential. |
| Remove-AzureRmAutomationCredential | Removes an Automation credential. |
| Set-AzureRmAutomationCredential | Sets the properties of an existing Automation credential. |

Activities

The activities in the following table are used to access credentials in runbooks and DSC configurations.

| Activity | Description |
|---|---|
| Get-AutomationPSCredential | Gets a credential to use in a runbook or DSC configuration. Returns a System.Management.Automation.PSCredential object. |

Note

Avoid using variables in the -Name parameter of Get-AutomationPSCredential, because doing so complicates discovering the dependencies between runbooks or DSC configurations and credential assets at design time.

Python2 functions

The function in the following table is used to access credentials in a Python2 runbook.

| Function | Description |
|---|---|
| automationassets.get_automation_credential | Retrieves information about a credential asset. |

Note

You must import the "automationassets" module at the top of your Python runbook in order to access the asset functions.

Creating a new credential asset

To create a new credential asset with the Azure portal

  1. From your Automation account, select Credentials under Shared Resources.
  2. Select Add a credential.
  3. Complete the form and select Create to save the new credential.

Note

User accounts that use multi-factor authentication are not supported for use in Azure Automation.

To create a new credential asset with Windows PowerShell

The following sample commands show how to create a new Automation credential. A PSCredential object is first created from the username and password and then used to create the credential asset. Alternatively, you can use the Get-Credential cmdlet, which prompts you to type in a username and password so the password is never written into the script.

# Build the PSCredential (Get-Credential can replace these three lines so the password is not embedded in the script)
$user = "MyDomain\MyUser"
$pw = ConvertTo-SecureString "PassWord!" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $pw
# The AzureRM cmdlet listed above also needs the resource group that contains the Automation account ("MyResourceGroup" is a placeholder)
New-AzureRmAutomationCredential -ResourceGroupName "MyResourceGroup" -AutomationAccountName "MyAutomationAccount" -Name "MyCredential" -Value $cred
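The same cmdlets can be combined into a create-or-rotate helper. This is an added example, not code from the original page; the resource group, account and asset names are constructed placeholders, and it relies only on the AzureRM.Automation cmdlets listed in the table above.

```powershell
# Creates the credential asset if it is missing, otherwise rotates the stored username/password.
function Set-AutomationCredentialAsset {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$AutomationAccountName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $common = @{
        ResourceGroupName     = $ResourceGroupName
        AutomationAccountName = $AutomationAccountName
        Name                  = $Name
    }

    # Get-AzureRmAutomationCredential reports an error when the asset does not exist.
    $existing = $null
    try { $existing = Get-AzureRmAutomationCredential @common -ErrorAction Stop } catch { $existing = $null }

    if ($existing) {
        # Rotate in place: Set- replaces the stored secret without recreating the asset,
        # so runbooks that reference 'MyCredential' by name keep working.
        Set-AzureRmAutomationCredential @common -Value $Credential | Out-Null
        $action = 'Rotated'
    }
    else {
        New-AzureRmAutomationCredential @common -Value $Credential | Out-Null
        $action = 'Created'
    }

    # The Get- cmdlet returns metadata only (no PSCredential, no password), so its output is safe to log.
    $info = Get-AzureRmAutomationCredential @common
    return ("{0} credential asset '{1}' for user '{2}'" -f $action, $info.Name, $info.UserName)
}

# Prompt for the service account instead of embedding a password in the script.
$cred = Get-Credential -Message 'Service account to store as an Automation credential asset'
Set-AutomationCredentialAsset -ResourceGroupName 'MyResourceGroup' `
    -AutomationAccountName 'MyAutomationAccount' -Name 'MyCredential' -Credential $cred
```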

Using a PowerShell credential

You retrieve a credential asset in a runbook or DSC configuration with the Get-AutomationPSCredential activity. This returns a PSCredential object that you can use with any activity or cmdlet that takes a PSCredential parameter. You can also read the properties of the credential object individually: the object exposes the username and the password as a SecureString (UserName and Password properties), and its GetNetworkCredential method returns a NetworkCredential object whose Password property is the unsecured (plaintext) version of the password.

Note

Get-AzureRmAutomationCredential does not return a PSCredential that can be used for authentication; it only provides information about the credential. If you need to use a credential in a runbook, you must use Get-AutomationPSCredential to retrieve the PSCredential object.

Textual runbook sample

The following sample commands show how to use a PowerShell credential in a runbook. In this example, the credential is retrieved and its username and password are assigned to variables.

$myCredential = Get-AutomationPSCredential -Name 'MyCredential'
$userName = $myCredential.UserName
$securePassword = $myCredential.Password                        # System.Security.SecureString
$password = $myCredential.GetNetworkCredential().Password       # plaintext string; handle with care

You can also use a credential to authenticate to Azure with Connect-AzureRmAccount. Under most circumstances, you should use a Run As account instead and retrieve it with Get-AutomationConnection.

$myCred = Get-AutomationPSCredential -Name 'MyCredential'
$userName = $myCred.UserName
$securePassword = $myCred.Password

# Rebuild the PSCredential from its parts ($myCred itself could equally be passed to -Credential)
$myPsCred = New-Object System.Management.Automation.PSCredential ($userName,$securePassword)

Connect-AzureRmAccount -Credential $myPsCred
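A fuller runbook pattern for the two usages described above (passing the PSCredential to a cmdlet, and extracting the plaintext only for a consumer that cannot take a PSCredential). This is an added example and not code from the original page; the asset name 'MyCredential' is the page's, while the host, API URL and the assumption that the runbook runs where those endpoints are reachable are constructed.

```powershell
# Literal asset name (not a variable) so the dependency is discoverable at design time.
$cred = Get-AutomationPSCredential -Name 'MyCredential'
if ($null -eq $cred) {
    throw "Credential asset 'MyCredential' does not exist in this Automation account."
}

# 1) Preferred: hand the PSCredential to a cmdlet that accepts one.
#    The password stays a SecureString and never appears in the job output stream.
$session = New-PSSession -ComputerName 'app01.contoso.local' -Credential $cred -ErrorAction Stop
try {
    Invoke-Command -Session $session -ScriptBlock { Get-Service -Name 'Spooler' }
}
finally {
    Remove-PSSession -Session $session
}

# 2) Only when a consumer insists on a plain string (here: a Basic auth header that must be
#    sent pre-emptively): keep the plaintext in the narrowest scope and clear it afterwards.
$plain = $cred.GetNetworkCredential().Password
try {
    $pair   = '{0}:{1}' -f $cred.UserName, $plain
    $basic  = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair))
    $status = Invoke-RestMethod -Uri 'https://api.contoso.local/status' -Method Get `
                  -Headers @{ Authorization = "Basic $basic" } -ErrorAction Stop
}
finally {
    $plain = $null; $pair = $null; $basic = $null
}

# 3) Output hygiene: log who authenticated, never the secret.
Write-Output ("Authenticated as {0}; API status: {1}" -f $cred.UserName, $status)
```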

Graphical runbook sample

You add a Get-AutomationPSCredential activity to a graphical runbook by right-clicking the credential in the Library pane of the graphical editor and selecting Add to canvas.

(Image: Add credential to canvas)

The following image shows an example of using a credential in a graphical runbook. In this case, it is used to authenticate the runbook to Azure resources, as described in Authenticate Runbooks with Azure AD User account. The first activity retrieves the credential that has access to the Azure subscription. The Connect-AzureRmAccount activity then uses this credential to provide authentication for every activity that comes after it. A pipeline link is used here because Get-AutomationPSCredential is expected to return a single object.

(Image: Add credential to canvas)

Using a PowerShell credential in DSC

While DSC configurations in Azure Automation can reference credential assets with Get-AutomationPSCredential, credential assets can also be passed in through parameters if required. For more information, see Compiling configurations in Azure Automation DSC.

Using credentials in Python2

The following sample shows how to access a credential in a Python2 runbook.

import automationassets
from automationassets import AutomationAssetNotFound

# get a credential; the module raises AutomationAssetNotFound if no asset has this name
try:
    cred = automationassets.get_automation_credential("credtest")
except AutomationAssetNotFound:
    print "credential asset 'credtest' was not found in this Automation account"
    raise

# the returned dict holds the username and the plaintext password
print cred["username"]
print cred["password"]   # anything printed here is written to the job output stream

Next steps