Manage credentials in Azure Automation

An Automation credential asset holds an object that contains security credentials, such as a user name and a password. Runbooks and DSC configurations use cmdlets that accept a PSCredential object for authentication. Alternatively, they can extract the user name and password of the PSCredential object to provide to some application or service requiring authentication.

Note

Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each Automation account. Azure Automation stores the key in the system-managed Key Vault. Before storing a secure asset, Automation loads the key from Key Vault and then uses it to encrypt the asset.

Note

For information about viewing or deleting personal data, see Azure Data Subject Requests for the GDPR. For more information about GDPR, see the GDPR section of the Service Trust portal.

PowerShell cmdlets used to access credentials

The cmdlets in the following table create and manage Automation credentials with PowerShell. They ship as part of the Az modules.

Cmdlet | Description
Get-AzAutomationCredential | Retrieves a CredentialInfo object containing metadata about the credential. The cmdlet doesn't retrieve the PSCredential object itself.
New-AzAutomationCredential | Creates a new Automation credential.
Remove-AzAutomationCredential | Removes an Automation credential.
Set-AzAutomationCredential | Sets the properties for an existing Automation credential.

Other cmdlets used to access credentials

The cmdlets in the following table are used to access credentials in your runbooks and DSC configurations.

Cmdlet | Description
Get-AutomationPSCredential | Gets a PSCredential object to use in a runbook or DSC configuration. Most often, you should use this internal cmdlet instead of the Get-AzAutomationCredential cmdlet, as the latter only retrieves credential information. This information isn't normally helpful to pass to another cmdlet.
Get-Credential | Gets a credential with a prompt for user name and password. This cmdlet is part of the default Microsoft.PowerShell.Security module. See Default modules.
New-AzureAutomationCredential | Creates a credential asset. This cmdlet is part of the default Azure module. See Default modules.

To retrieve PSCredential objects in your code, you must import the Orchestrator.AssetManagement.Cmdlets module. For more information, see Manage modules in Azure Automation.

Import-Module Orchestrator.AssetManagement.Cmdlets -ErrorAction SilentlyContinue

Note

You should avoid using variables in the Name parameter of Get-AutomationPSCredential. Their use can complicate discovery of dependencies between runbooks or DSC configurations and credential assets at design time.

Python functions that access credentials

The function in the following table is used to access credentials in a Python 2 and Python 3 runbook. Python 3 runbooks are currently in preview.

Function | Description
automationassets.get_automation_credential | Retrieves information about a credential asset.

Note

Import the automationassets module at the top of your Python runbook to access the asset functions.

Create a new credential asset

You can create a new credential asset using the Azure portal or using Windows PowerShell.

Create a new credential asset with the Azure portal

  1. From your Automation account, on the left-hand pane select Credentials under Shared Resources.

  2. On the Credentials page, select Add a credential.

  3. In the New Credential pane, enter an appropriate credential name following your naming standards.

  4. Type your access ID in the User name field.

  5. For both password fields, enter your secret access key.

    (Image: Create new credential)

  6. If the multi-factor authentication box is checked, uncheck it.

  7. Click Create to save the new credential asset.

Note

Azure Automation does not support user accounts that use multi-factor authentication.

Create a new credential asset with Windows PowerShell

The following example shows how to create a new Automation credential asset. A PSCredential object is first created with the name and password, and then used to create the credential asset. Instead, you can use the Get-Credential cmdlet to prompt the user to type in a name and password.

# Sample values only; in practice, prompt with Get-Credential rather than embedding a password in the script.
$user = "MyDomain\MyUser"
$pw = ConvertTo-SecureString "PassWord!" -AsPlainText -Force
# PSCredential requires a SecureString for the password.
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $pw
# Stores the PSCredential as a credential asset in the Automation account.
New-AzureAutomationCredential -AutomationAccountName "MyAutomationAccount" -Name "MyCredential" -Value $cred
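As an added example (not code from the original page or from the Azure Automation project), the same asset can be created with the Az module cmdlet listed earlier, taking the secret from an interactive prompt instead of a string literal in the script, and then confirming that the management-side cmdlet returns only metadata. The resource group, account and asset names are placeholders.

```powershell
# Added example, not from the original page: create a credential asset with the Az
# module cmdlet, prompting for the secret so no plaintext password is written into
# the script or the shell history. Names below are placeholders.

$resourceGroup = 'MyResourceGroup'
$accountName   = 'MyAutomationAccount'
$assetName     = 'MyCredential'

# Get-Credential returns a PSCredential whose password is already a SecureString.
$cred = Get-Credential -Message "Enter the account to store as '$assetName'"

# Az module version of the creation call; -ResourceGroupName is required here.
New-AzAutomationCredential -ResourceGroupName $resourceGroup `
    -AutomationAccountName $accountName `
    -Name $assetName `
    -Value $cred `
    -Description 'Service account used by the nightly maintenance runbook'

# Get-AzAutomationCredential describes the asset (name, user name, timestamps) but
# does not return the PSCredential; the password stays inside the Automation account.
$info = Get-AzAutomationCredential -ResourceGroupName $resourceGroup `
    -AutomationAccountName $accountName -Name $assetName
$info | Format-List Name, UserName, CreationTime, LastModifiedTime
```

Running the last two lines is a quick way to see for yourself why the table above says Get-AzAutomationCredential is not useful for authentication: the CredentialInfo object it returns carries no Password property at all.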

Get a credential asset

A runbook or DSC configuration retrieves a credential asset with the internal Get-AutomationPSCredential cmdlet. This cmdlet gets a PSCredential object that you can use with a cmdlet that requires a credential. You can also retrieve the properties of the credential object to use individually. The object has properties for the user name and the secure password.

Note

The Get-AzAutomationCredential cmdlet does not retrieve a PSCredential object that can be used for authentication. It only provides information about the credential. If you need to use a credential in a runbook, you must retrieve it as a PSCredential object using Get-AutomationPSCredential.

Alternatively, you can use the GetNetworkCredential method to retrieve a NetworkCredential object that represents an unsecured version of the password.

Textual runbook example

The following example shows how to use a PowerShell credential in a runbook. It retrieves the credential and assigns its user name and password to variables.

$myCredential = Get-AutomationPSCredential -Name 'MyCredential'
$userName = $myCredential.UserName
# SecureString form of the password, suitable for building another PSCredential.
$securePassword = $myCredential.Password
# Plaintext form; only use this when the target cannot accept a PSCredential or SecureString.
$password = $myCredential.GetNetworkCredential().Password

You can also use a credential to authenticate to Azure with Connect-AzAccount. Under most circumstances, you should use a Run As account and retrieve the connection with Get-AzAutomationConnection.

$myCred = Get-AutomationPSCredential -Name 'MyCredential'
$userName = $myCred.UserName
$securePassword = $myCred.Password
$password = $myCred.GetNetworkCredential().Password

# The PSCredential constructor requires a SecureString; passing the plaintext $password here fails.
$myPsCred = New-Object System.Management.Automation.PSCredential ($userName,$securePassword)

Connect-AzAccount -Credential $myPsCred
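The two snippets above unwrap the password into a plain string variable even when nothing needs it. As an added example (not code from the original page), the runbook below passes the PSCredential object straight to a cmdlet that accepts -Credential, and unwraps the password only for a target that cannot take a PSCredential, dropping the references afterwards. The asset name, host name and URL are placeholders.

```powershell
# Added example, not from the original page: use a credential asset in a runbook
# without keeping the plaintext password around. All names here are placeholders.

Import-Module Orchestrator.AssetManagement.Cmdlets -ErrorAction SilentlyContinue

$cred = Get-AutomationPSCredential -Name 'MyCredential'
if (-not $cred) {
    throw "Credential asset 'MyCredential' was not found in this Automation account."
}

# Safe to write to the job log: the user name only. $cred.Password is a SecureString
# and is never expanded into the output stream.
Write-Output "Running as $($cred.UserName)"

# Preferred path: hand the object itself to the cmdlet. The remote session receives the
# credential without this runbook materialising the password as a string.
$services = Invoke-Command -ComputerName 'server01.contoso.local' -Credential $cred -ScriptBlock {
    Get-Service -Name 'Spooler' | Select-Object Name, Status
}
Write-Output $services

# Fallback path: a target that only understands HTTP basic authentication. Unwrap the
# password, build the header, call once, then clear every variable that held the secret.
$plain = $cred.GetNetworkCredential().Password
try {
    $pair   = "$($cred.UserName):$plain"
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($pair)
    $header = @{ Authorization = 'Basic ' + [System.Convert]::ToBase64String($bytes) }
    $status = Invoke-RestMethod -Uri 'https://api.example.invalid/status' -Headers $header
    Write-Output $status
}
finally {
    $plain = $null; $pair = $null; $bytes = $null; $header = $null
}
```

Note the placement of Write-Output: only values derived from the user name or from the call results reach the job log, so someone reading the Automation job output later does not find the password in it.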

Graphical runbook example

You can add an activity for the internal Get-AutomationPSCredential cmdlet to a graphical runbook by right-clicking on the credential in the Library pane of the graphical editor and selecting Add to canvas.

(Image: Add credential cmdlet to canvas)

The following image shows an example of using a credential in a graphical runbook. The first activity retrieves the credential that has access to the Azure subscription. The account connection activity then uses this credential to provide authentication for any activities that come after it. A pipeline link is used here since Get-AutomationPSCredential is expecting a single object.

(Image: Credential workflow with pipeline link example)

Use credentials in a DSC configuration

While DSC configurations in Azure Automation can work with credential assets using Get-AutomationPSCredential, they can also pass credential assets via parameters. For more information, see Compiling configurations in Azure Automation DSC.
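As an added example (not code from the original page), the configuration below calls Get-AutomationPSCredential inside the configuration body and hands the result to a File resource that copies from a share. The compilation call that follows passes configuration data with PSDscAllowPlainTextPassword set, which I assume, based on the linked compilation topic, is what Azure Automation expects because it encrypts the compiled MOF itself. The credential, share, resource group and account names are placeholders, and the configuration is assumed to have been imported into the account already.

```powershell
# Added example, not from the original page: a DSC configuration that retrieves a
# credential asset at compile time, plus the compilation call. Names are placeholders.

Configuration CopyFromShare {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Evaluated when Azure Automation compiles the configuration; the secret never
    # appears in the configuration source that is checked in.
    $shareCred = Get-AutomationPSCredential -Name 'MyCredential'

    Node 'localhost' {
        File ConfigFiles {
            Ensure          = 'Present'
            Type            = 'Directory'
            Recurse         = $true
            SourcePath      = '\\fileserver.contoso.local\deploy\config'
            DestinationPath = 'C:\App\config'
            Credential      = $shareCred
        }
    }
}

# DSC refuses to compile a credential into a MOF unless the node allows it. The flag
# is set here on the assumption that Azure Automation encrypts the compiled MOF, so
# the password is not stored in clear on the service side.
$configData = @{
    AllNodes = @(
        @{ NodeName = 'localhost'; PSDscAllowPlainTextPassword = $true }
    )
}

# Management-side call (Az module); the configuration must already be imported.
Start-AzAutomationDscCompilationJob -ResourceGroupName 'MyResourceGroup' `
    -AutomationAccountName 'MyAutomationAccount' `
    -ConfigurationName 'CopyFromShare' `
    -ConfigurationData $configData
```

If the credential should instead arrive as a configuration parameter, declare a [PSCredential] parameter on the configuration and supply it through the -Parameters hashtable of the same compilation cmdlet; the configuration data block stays the same.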

Next steps