How to use managed identities for Azure App Configuration

This topic shows you how to create a managed identity for Azure App Configuration. A managed identity from Azure Active Directory (AAD) allows Azure App Configuration to access other AAD-protected resources, such as Azure Key Vault, without storing credentials. The identity is managed by the Azure platform: it does not require you to provision or rotate any secrets. For more about managed identities in AAD, see Managed identities for Azure resources.

Your application can be granted two types of identities:

  • A system-assigned identity is tied to your configuration store. It is deleted if your configuration store is deleted. A configuration store can have only one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that can be assigned to your configuration store. A configuration store can have multiple user-assigned identities.

Adding a system-assigned identity

Creating an App Configuration store with a system-assigned identity requires an additional property to be set on the store.

Using the Azure CLI

To set up a managed identity using the Azure CLI, use the az appconfig identity assign command against an existing configuration store. You have three options for running the examples in this section:

The following steps walk you through creating an App Configuration store and assigning it an identity using the CLI:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with your Azure subscription:

    az login
    
  2. Create an App Configuration store using the CLI. For more examples of how to use the CLI with Azure App Configuration, see App Configuration CLI samples:

    az group create --name myResourceGroup --location chinaeast2
    az appconfig create --name myTestAppConfigStore --location chinaeast2 --resource-group myResourceGroup --sku Free
    
  3. Run the az appconfig identity assign command to create the system-assigned identity for this configuration store:

    az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup
    

Adding a user-assigned identity

Creating an App Configuration store with a user-assigned identity requires that you create the identity first and then assign its resource identifier to your store.

Using the Azure CLI

To set up a managed identity using the Azure CLI, use the az appconfig identity assign command against an existing configuration store. You have three options for running the examples in this section:

The following steps walk you through creating a user-assigned identity and an App Configuration store, then assigning the identity to the store using the CLI:

  1. If you're using the Azure CLI in a local console, first sign in to Azure using az login. Use an account that is associated with your Azure subscription:

    az login
    
  2. Create an App Configuration store using the CLI. For more examples of how to use the CLI with Azure App Configuration, see App Configuration CLI samples:

    az group create --name myResourceGroup --location chinaeast2
    az appconfig create --name myTestAppConfigStore --location chinaeast2 --resource-group myResourceGroup --sku Free
    
  3. Create a user-assigned identity called myUserAssignedIdentity using the CLI:

    az identity create --resource-group myResourceGroup --name myUserAssignedIdentity
    

     In the output of this command, note the value of the id property.

  4. Run the az appconfig identity assign command to assign the new user-assigned identity to this configuration store. Use the value of the id property that you noted in the previous step:

    az appconfig identity assign --name myTestAppConfigStore --resource-group myResourceGroup --identities /subscriptions/[subscription id]/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity
    

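The two CLI procedures above, automated as an added example that is not part of the original article: it pulls the id property out of the JSON that az identity create prints (step 3), refuses anything that is not a user-assigned identity resource id before it reaches --identities, and composes both the system-assigned and the user-assigned forms of az appconfig identity assign (step 4). SAMPLE_IDENTITY_JSON is a constructed stand-in with placeholder ids, so the script runs offline and never calls az itself.

```shell
#!/bin/sh
# Constructed sample of the JSON `az identity create` prints (placeholder ids, not real output).
SAMPLE_IDENTITY_JSON='{
  "clientId": "11111111-1111-1111-1111-111111111111",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity",
  "location": "chinaeast2",
  "name": "myUserAssignedIdentity",
  "principalId": "22222222-2222-2222-2222-222222222222",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}'

# Pull the top-level "id" property out of the `az identity create` output.
# Plain sed keeps this usable where jq is not installed; the first "id" line wins,
# and the anchored pattern does not match "clientId" or "principalId".
identity_id_from_json() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*"id":[[:space:]]*"\([^"]*\)".*/\1/p' \
    | head -n 1
}

# Accept only a user-assigned identity resource id. --identities expects exactly this
# resource type; a principalId, clientId or the store's own id is not a valid value.
is_user_assigned_identity_id() {
  case "$1" in
    /subscriptions/*/providers/Microsoft.ManagedIdentity/userAssignedIdentities/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose the `az appconfig identity assign` invocation as a string so it can be
# inspected or logged before anything is run against the subscription. With no
# identity id the system-assigned form is produced; with one, the user-assigned form.
build_assign_command() {
  store="$1"; group="$2"; identity_id="${3:-}"
  if [ -z "$identity_id" ]; then
    printf 'az appconfig identity assign --name %s --resource-group %s\n' "$store" "$group"
    return 0
  fi
  is_user_assigned_identity_id "$identity_id" || return 1
  printf 'az appconfig identity assign --name %s --resource-group %s --identities %s\n' \
    "$store" "$group" "$identity_id"
}

# Walk the user-assigned procedure on the constructed sample.
IDENTITY_ID=$(identity_id_from_json "$SAMPLE_IDENTITY_JSON")
if build_assign_command myTestAppConfigStore myResourceGroup "$IDENTITY_ID"; then
  echo "ready to assign: $IDENTITY_ID"
else
  echo "refusing to assign: not a user-assigned identity resource id" >&2
fi
```
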
Removing an identity

A system-assigned identity can be removed by disabling the feature with the az appconfig identity remove command in the Azure CLI. User-assigned identities can be removed individually. Removing a system-assigned identity in this way also deletes it from AAD. System-assigned identities are also automatically removed from AAD when the app resource is deleted.

Next steps