Troubleshoot Azure Automation managed identity issues (preview)

This article discusses solutions to problems that you might encounter when you use a managed identity with your Automation account. For general information about using managed identity with Automation accounts, see Azure Automation account authentication overview.

Scenario: Attempt to use managed identity with Automation account fails

Issue

When you try to work with managed identities in your Automation account, you encounter an error like this:

Connect-AzureRMAccount : An error occurred while sending the request. At line:2 char:1
+ Connect-AzureRMAccount -Identity
+ CategoryInfo : CloseError: (:) [Connect-AzureRmAccount], HttpRequestException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.ConnectAzureRmAccountCommand

Cause

The most common cause for this is that you didn't enable the identity before trying to use it. To verify this, run the following PowerShell runbook in the affected Automation account.

# Resource (audience) the token is requested for
$resource = "?resource=https://management.chinacloudapi.cn/"
# IDENTITY_ENDPOINT and IDENTITY_HEADER are read from the runbook's environment
$url = $env:IDENTITY_ENDPOINT + $resource
$Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$Headers.Add("X-IDENTITY-HEADER", $env:IDENTITY_HEADER)
$Headers.Add("Metadata", "True")

try
{
    # On success $Response holds the token response; it is not written to the job output here
    $Response = Invoke-RestMethod -Uri $url -Method 'GET' -Headers $Headers
}
catch
{
    # On failure, read the HTTP status code and the response body returned by the endpoint
    $StatusCode = $_.Exception.Response.StatusCode.value__
    $stream = $_.Exception.Response.GetResponseStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $responseBody = $reader.ReadToEnd()

    Write-Output "Request Failed with Status: $StatusCode, Message: $responseBody"
}

If the issue is that you didn't enable the identity before trying to use it, you should see a result similar to this:

Request Failed with Status: 400, Message: {"Message":"No managed identity was found for Automation account xxxxxxxxxxxx"}
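
An extended version of the check above, added here as an example and not part of the original article: it returns a structured result and, when a token is issued, reports only its audience, object ID and expiry so the token itself never reaches the job output. The function names, the `access_token` response field and the `aud`/`oid`/`exp` claim names are assumptions.

```powershell
# Added example, not Microsoft's runbook. Function names are hypothetical.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Value is not a three-part JWT." }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-AutomationManagedIdentity {
    param([string]$Resource = "https://management.chinacloudapi.cn/")
    $result = [ordered]@{ Enabled = $false; StatusCode = $null; Detail = $null
                          Audience = $null; ObjectId = $null; ExpiresUtc = $null }
    if (-not $env:IDENTITY_ENDPOINT -or -not $env:IDENTITY_HEADER) {
        $result.Detail = "IDENTITY_ENDPOINT or IDENTITY_HEADER is not set in this session."
        return [pscustomobject]$result
    }
    $headers = @{ "X-IDENTITY-HEADER" = $env:IDENTITY_HEADER; "Metadata" = "True" }
    try {
        $response = Invoke-RestMethod -Uri ($env:IDENTITY_ENDPOINT + "?resource=" + $Resource) -Method 'GET' -Headers $headers
        # Assumption: the body carries the token in 'access_token' and the token
        # has the usual aud / oid / exp claims. The token itself is never returned.
        $claims = ConvertFrom-JwtPayload -Token $response.access_token
        $result.Enabled = $true; $result.StatusCode = 200
        $result.Audience = $claims.aud
        $result.ObjectId = $claims.oid
        $result.ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    }
    catch {
        # Request failures carry an HTTP response; a token parsing failure does not.
        $resp = $_.Exception.Response
        if ($resp) { $result.StatusCode = [int]$resp.StatusCode }
        $result.Detail = if ($_.ErrorDetails -and $_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        # 400 is the status the article shows when no identity has been enabled.
        if ($result.StatusCode -eq 400) { $result.Detail = "No identity enabled? " + $result.Detail }
    }
    return [pscustomobject]$result
}

Test-AutomationManagedIdentity | Format-List
```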

Resolution

You must enable an identity for your Automation account before you can use the managed identity service. See Enable a managed identity for your Azure Automation account (preview).

Next steps

If this article doesn't resolve your issue, try one of the following channels for additional support: