Azure Managed Application with Managed Identity

Note

Managed Identity support for Managed Applications is currently in preview. Please use the 2018-09-01-preview API version to utilize Managed Identity.

Learn how to configure a Managed Application to contain a Managed Identity. Managed Identity can be used to allow the customer to grant the Managed Application access to additional existing resources. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more about managed identities in Azure Active Directory (AAD), see Managed identities for Azure resources.

Your application can be granted two types of identities:

  • A system-assigned identity is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.

How to use Managed Identity

Managed Identity enables many scenarios for Managed Applications. Some common scenarios that can be solved are:

  • Deploying a Managed Application linked to existing Azure resources. An example is deploying an Azure virtual machine (VM) within the Managed Application that is attached to an existing network interface.
  • Granting the Managed Application and publisher access to Azure resources outside the managed resource group.
  • Providing an operational identity of Managed Applications for Activity Log and other services within Azure.

Adding Managed Identity

Creating a Managed Application with a Managed Identity requires an additional property to be set on the Azure resource. The following example shows a sample identity property:

{
    "identity": {
        "type": "SystemAssigned, UserAssigned",
        "userAssignedIdentities": {
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserassignedidentity": {}
        }
    }
}
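The identity property above is easy to get wrong by hand: the `type` value changes depending on which identity kinds are enabled, and a user-assigned identity is referenced only by its full resource ID, so a misspelt provider path silently points at nothing. The following is an added example, not code from the page or from Azure, that builds the property from a list of user-assigned identity resource IDs and rejects IDs that do not follow the Microsoft.ManagedIdentity/userAssignedIdentities layout. The helper names and the regular expression are assumptions made here; the sample resource ID reuses the page's placeholder subscription and resource group.

```python
import json
import re

# Assumed layout of a user-assigned identity resource ID. ARM resource IDs are
# case-insensitive, so the match is too; a GUID is expected for the subscription.
_UAI_ID = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}"
    r"/resourceGroups/[^/]+"
    r"/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
    re.IGNORECASE,
)

# Constructed sample ID, modelled on the page's placeholder values.
SAMPLE_UAI_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/testRG"
    "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserassignedidentity"
)


def build_identity(system_assigned: bool, user_assigned_ids=()) -> dict:
    """Return the `identity` object for a Microsoft.Solutions/applications resource.

    Raises ValueError when no identity kind is enabled or when a user-assigned
    identity ID does not look like a Microsoft.ManagedIdentity resource.
    """
    ids = list(user_assigned_ids)
    for rid in ids:
        if not _UAI_ID.match(rid):
            raise ValueError(f"not a user-assigned identity resource ID: {rid}")

    # The type string lists every enabled kind, comma separated.
    if system_assigned and ids:
        kind = "SystemAssigned, UserAssigned"
    elif system_assigned:
        kind = "SystemAssigned"
    elif ids:
        kind = "UserAssigned"
    else:
        raise ValueError("at least one identity kind must be enabled")

    identity = {"type": kind}
    if ids:
        # Each user-assigned identity is keyed by its resource ID with an empty object.
        identity["userAssignedIdentities"] = {rid: {} for rid in ids}
    return identity


if __name__ == "__main__":
    print(json.dumps({"identity": build_identity(True, [SAMPLE_UAI_ID])}, indent=4))
```

Feeding the misspelt path `userassignedidentites` (the typo that appears in several copies of this sample) into `build_identity` raises a ValueError instead of producing a property that deploys but binds no identity.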

There are two common ways to create a Managed Application with identity: CreateUIDefinition.json and Azure Resource Manager templates. For simple single create scenarios, CreateUIDefinition should be used to enable Managed Identity, because it provides a richer experience. However, when dealing with advanced or complex systems that require automated or multiple Managed Application deployments, templates can be used.

Using CreateUIDefinition

A Managed Application can be configured with Managed Identity through the CreateUIDefinition.json. In the outputs section, the key managedIdentity can be used to override the identity property of the Managed Application template. The sample below will enable system-assigned identity on the Managed Application. More complex identity objects can be formed by using CreateUIDefinition elements to ask the consumer for inputs. These inputs can be used to construct Managed Applications with user-assigned identity.

"outputs": {
    "managedIdentity": { "Type": "SystemAssigned" }
}

When to use CreateUIDefinition for Managed Identity

Below are some recommendations on when to use CreateUIDefinition for enabling Managed Identity on Managed Applications.

  • The Managed Application creation goes through the Azure portal or marketplace.
  • The Managed Identity requires complex consumer input.
  • The Managed Identity is needed on creation of the Managed Application.

Managed Identity CreateUIDefinition control

CreateUIDefinition supports a built-in Managed Identity control.

{
  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
  "handler": "Microsoft.Azure.CreateUIDef",
  "version": "0.0.1-preview",
  "parameters": {
    "basics": [],
    "steps": [
      {
        "name": "applicationSettings",
        "label": "Application Settings",
        "subLabel": {
          "preValidation": "Configure your application settings",
          "postValidation": "Done"
        },
        "bladeTitle": "Application Settings",
        "elements": [
          {
            "name": "appName",
            "type": "Microsoft.Common.TextBox",
            "label": "Managed application Name",
            "toolTip": "Managed application instance name",
            "visible": true
          },
          {
            "name": "appIdentity",
            "type": "Microsoft.ManagedIdentity.IdentitySelector",
            "label": "Managed Identity Configuration",
            "toolTip": {
              "systemAssignedIdentity": "Enable system assigned identity to grant the managed application access to additional existing resources.",
              "userAssignedIdentity": "Add user assigned identities to grant the managed application access to additional existing resources."
            },
            "defaultValue": {
              "systemAssignedIdentity": "Off"
            },
            "options": {
              "hideSystemAssignedIdentity": false,
              "hideUserAssignedIdentity": false,
              "readOnlySystemAssignedIdentity": false
            },
            "visible": true
          }
        ]
      }
    ],
    "outputs": {
      "applicationResourceName": "[steps('applicationSettings').appName]",
      "location": "[location()]",
      "managedIdentity": "[steps('applicationSettings').appIdentity]"
    }
  }
}

(Figure: the Managed Identity CreateUIDefinition control as rendered in the portal)

Using Azure Resource Manager templates

Note

Marketplace Managed Application templates are automatically generated for customers going through the Azure portal create experience. For these scenarios, the managedIdentity output key on the CreateUIDefinition must be used to enable identity.

The Managed Identity can also be enabled through Azure Resource Manager templates. The sample below will enable system-assigned identity on the Managed Application. More complex identity objects can be formed by using Azure Resource Manager template parameters to provide inputs. These inputs can be used to construct Managed Applications with user-assigned identity.

When to use Azure Resource Manager templates for Managed Identity

Below are some recommendations on when to use Azure Resource Manager templates for enabling Managed Identity on Managed Applications.

  • Managed Applications can be programmatically deployed based on a template.
  • Custom role assignments for the Managed Identity are needed to provision the Managed Application.
  • The Managed Application does not need the Azure portal and marketplace creation flow.

SystemAssigned template

A basic Azure Resource Manager template that deploys a Managed Application with system-assigned identity.

"resources": [
    {
        "type": "Microsoft.Solutions/applications",
        "name": "[parameters('applicationName')]",
        "apiVersion": "2018-09-01-preview",
        "location": "[parameters('location')]",
        "identity": {
            "type": "SystemAssigned"
        },
        "properties": {
            "ManagedResourceGroupId": "[parameters('managedByResourceGroupId')]",
            "parameters": { }
        }
    }
]

UserAssigned template

A basic Azure Resource Manager template that deploys a Managed Application with a user-assigned identity.

"resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "name": "[parameters('managedIdentityName')]",
      "apiVersion": "2018-11-30",
      "location": "[parameters('location')]"
    },
    {
        "type": "Microsoft.Solutions/applications",
        "name": "[parameters('applicationName')]",
        "apiVersion": "2018-09-01-preview",
        "location": "[parameters('location')]",
        "identity": {
            "type": "UserAssigned",
            "userAssignedIdentities": {
                "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/',parameters('managedIdentityName'))]": {}
            }
        },
        "properties": {
            "ManagedResourceGroupId": "[parameters('managedByResourceGroupId')]",
            "parameters": { }
        }
    }
]

Granting access to Azure resources

Once a Managed Application is granted an identity, it can be granted access to existing Azure resources. This process can be done through the Access control (IAM) interface in the Azure portal. The name of the Managed Application or user-assigned identity can be searched to add a role assignment.

(Figure: adding a role assignment for the Managed Application)

Linking existing Azure resources

Note

A user-assigned identity must be configured before deploying the Managed Application. In addition, linked resource deployment of Managed Applications is only supported for the marketplace kind.

Managed Identity can also be used to deploy a Managed Application that requires access to existing resources during its deployment. When the Managed Application is provisioned by the customer, user-assigned identities can be added to provide additional authorizations to the mainTemplate deployment.

Authoring the CreateUIDefinition with a linked resource

When linking the deployment of the Managed Application to existing resources, both the existing Azure resource and a user-assigned identity with the applicable role assignment on that resource must be provided.

A sample CreateUIDefinition that requires two inputs: a network interface resource ID and a user-assigned identity resource ID.

{
    "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
    "handler": "Microsoft.Compute.MultiVm",
    "version": "0.1.2-preview",
    "parameters": {
        "basics": [
            {}
        ],
        "steps": [
            {
                "name": "managedApplicationSetting",
                "label": "Managed Application Settings",
                "subLabel": {
                    "preValidation": "Managed Application Settings",
                    "postValidation": "Done"
                },
                "bladeTitle": "Managed Application Settings",
                "elements": [
                    {
                        "name": "networkInterfaceId",
                        "type": "Microsoft.Common.TextBox",
                        "label": "network interface resource id",
                        "defaultValue": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.Network/networkInterfaces/existingnetworkinterface",
                        "toolTip": "Must represent the network interface as an Azure Resource Manager resource identifier, for example /subscriptions/sub1/resourcegroups/myGroup/providers/Microsoft.Network/networkInterfaces/networkinterface1",
                        "visible": true
                    },
                    {
                        "name": "userAssignedId",
                        "type": "Microsoft.Common.TextBox",
                        "label": "user assigned identity resource id",
                        "defaultValue": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/testRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myuserassignedidentity",
                        "toolTip": "Must represent the identity as an Azure Resource Manager resource identifier, for example /subscriptions/sub1/resourcegroups/myGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1",
                        "visible": true
                    }
                ]
            }
        ],
        "outputs": {
            "existingNetworkInterfaceId": "[steps('managedApplicationSetting').networkInterfaceId]",
            "managedIdentity": "[parse(concat('{\"Type\":\"UserAssigned\",\"UserAssignedIdentities\":{',string(steps('managedApplicationSetting').userAssignedId),':{}}}'))]"
        }
    }
}

This CreateUIDefinition.json generates a create experience with two fields. The first field allows the user to enter the Azure resource ID of the resource being linked to the Managed Application deployment. The second is for the consumer to enter the Azure resource ID of the user-assigned identity that has access to the linked Azure resource. The generated experience would look like:

(Figure: sample CreateUIDefinition with two inputs, a network interface resource ID and a user-assigned identity resource ID)

Authoring the mainTemplate with a linked resource

In addition to updating the CreateUIDefinition, the main template also needs to be updated to accept the passed-in linked resource ID. The main template can be updated to accept the new output by adding a new parameter. Since the managedIdentity output overrides the value on the generated Managed Application template, it is not passed to the main template and should not be included in the parameters section.

A sample main template that sets the network profile to an existing network interface provided by the CreateUIDefinition.

{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "existingNetworkInterfaceId": { "type": "string" }
    },
    "variables": {
    },
    "resources": [
        {
            "apiVersion": "2016-04-30-preview",
            "type": "Microsoft.Compute/virtualMachines",
            "name": "myLinkedResourceVM",
            "location": "[resourceGroup().location]",
            "properties": {
                …,
                "networkProfile": {
                    "networkInterfaces": [
                        {
                            "id": "[parameters('existingNetworkInterfaceId')]"
                        }
                    ]
                }
            }
        }
    ]
}
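The rule stated above, that every CreateUIDefinition output other than managedIdentity must land on a mainTemplate parameter while managedIdentity itself must not appear there, is easy to check before packaging. The following is an added example, not part of the page or of any Azure tooling, that lints a CreateUIDefinition and mainTemplate pair for exactly that. The page states the rule only for managedIdentity; treating applicationResourceName and location as reserved in the same way is an assumption made here because the page's sample CreateUIDefinition emits them without a matching mainTemplate parameter. The function names and the sample documents are constructed for this example.

```python
import json

# Output keys consumed by the generated Managed Application resource rather
# than forwarded to mainTemplate. The page states this for managedIdentity;
# applicationResourceName and location are included by assumption (see lead-in).
RESERVED_OUTPUTS = {"managedIdentity", "applicationResourceName", "location"}


def check_package(create_ui_def: dict, main_template: dict) -> list:
    """Return human-readable problems; an empty list means the pair is consistent."""
    problems = []
    outputs = create_ui_def.get("parameters", {}).get("outputs", {})
    params = main_template.get("parameters", {})

    # managedIdentity is applied to the application resource and never passed
    # in, so a mainTemplate parameter of that name would always be unset.
    if "managedIdentity" in params:
        problems.append("mainTemplate declares parameter 'managedIdentity', which is never passed in")

    # A literal managedIdentity output object must at least name an identity type.
    mi = outputs.get("managedIdentity")
    if isinstance(mi, dict) and not any(k.lower() == "type" for k in mi):
        problems.append("managedIdentity output object has no 'Type' key")

    # Every non-reserved output must have a parameter to land on.
    for key in outputs:
        if key not in RESERVED_OUTPUTS and key not in params:
            problems.append(f"output '{key}' has no matching mainTemplate parameter")

    # Every parameter without a default must be fed by some output.
    for key, spec in params.items():
        if key == "managedIdentity":
            continue  # already reported above
        if key not in outputs and "defaultValue" not in spec:
            problems.append(f"mainTemplate parameter '{key}' has no default and no CreateUIDefinition output")
    return problems


# Constructed sample documents, reduced to the parts the check reads.
SAMPLE_CREATE_UI_DEF = {"parameters": {"outputs": {
    "existingNetworkInterfaceId": "[steps('managedApplicationSetting').networkInterfaceId]",
    "managedIdentity": "[parse(concat('{\"Type\":\"UserAssigned\"}'))]",
}}}
SAMPLE_MAIN_TEMPLATE = {"parameters": {
    "existingNetworkInterfaceId": {"type": "string"},
}}
# A broken variant: managedIdentity wrongly declared, and a parameter no output feeds.
BROKEN_MAIN_TEMPLATE = {"parameters": {
    "managedIdentity": {"type": "object"},
    "existingNetworkInterfaceId": {"type": "string"},
    "vmName": {"type": "string"},
}}


if __name__ == "__main__":
    print(json.dumps(check_package(SAMPLE_CREATE_UI_DEF, SAMPLE_MAIN_TEMPLATE)))
    print(json.dumps(check_package(SAMPLE_CREATE_UI_DEF, BROKEN_MAIN_TEMPLATE), indent=2))
```

Run it against the real createUiDefinition.json and mainTemplate.json of a package (load both with `json.load`) before zipping; a parameter that no output feeds is the usual cause of a deployment that fails only in the portal flow.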

Consuming the Managed Application with a linked resource

Once the Managed Application package is created, the Managed Application can be consumed through the Azure portal. Before it can be consumed, there are several prerequisite steps.

Accessing the Managed Identity token

The token of the Managed Application can now be accessed through the listTokens API from the publisher tenant. An example request might look like:

POST https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Solutions/applications/{applicationName}/listTokens?api-version=2018-09-01-preview HTTP/1.1

{
    "authorizationAudience": "https://management.chinacloudapi.cn/",
    "userAssignedIdentities": [
        "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userAssignedIdentityName}"
    ]
}

Request body parameters:

  • authorizationAudience (required: no). The App ID URI of the target resource. It is also the aud (audience) claim of the issued token. The default value is "https://management.chinacloudapi.cn/".
  • userAssignedIdentities (required: no). The list of user-assigned managed identities to retrieve a token for. If not specified, listTokens will return the token for the system-assigned managed identity.

A sample response might look like:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "value": [
        {
            "access_token": "eyJ0eXAi…",
            "expires_in": "2…",
            "expires_on": "1557…",
            "not_before": "1557…",
            "authorizationAudience": "https://management.chinacloudapi.cn/",
            "resourceId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Solutions/applications/{applicationName}",
            "token_type": "Bearer"
        }
    ]
}

The response will contain an array of tokens under the value property:

  • access_token: The requested access token.
  • expires_in: The number of seconds the access token will be valid.
  • expires_on: The time at which the access token expires, represented as the number of seconds since the epoch.
  • not_before: The time at which the access token takes effect, represented as the number of seconds since the epoch.
  • authorizationAudience: The aud (audience) the access token was requested for. This is the same as what was provided in the listTokens request.
  • resourceId: The Azure resource ID for the issued token. This is either the managed application ID or the user-assigned identity ID.
  • token_type: The type of the token.
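A publisher-side client that consumes this response should treat each entry as a bearer credential: check that the audience is the one it asked for, that the token is inside its not_before/expires_on window, and keep the token itself out of logs. The following is an added example, not code from the page or from any Azure SDK, that builds the listTokens request shown above and filters a response down to the usable tokens, returning only the resourceId and the remaining lifetime. The function names are assumptions made here, and the sample response is constructed from the page's placeholder fields with made-up timestamps; it performs no network call.

```python
import json
import time

# Default audience, as given in the page's sample request.
DEFAULT_AUDIENCE = "https://management.chinacloudapi.cn/"
API_VERSION = "2018-09-01-preview"


def build_list_tokens_request(subscription_id, resource_group, application_name,
                              audience=DEFAULT_AUDIENCE, user_assigned_identity_ids=None):
    """Return (url, body) for a POST to the listTokens action of a Managed Application."""
    url = (f"https://management.chinacloudapi.cn/subscriptions/{subscription_id}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.Solutions/applications/"
           f"{application_name}/listTokens?api-version={API_VERSION}")
    body = {"authorizationAudience": audience}
    if user_assigned_identity_ids:
        # Omitting the key asks for the system-assigned identity's token instead.
        body["userAssignedIdentities"] = list(user_assigned_identity_ids)
    return url, body


def usable_tokens(response_json, expected_audience=DEFAULT_AUDIENCE, now=None):
    """Return [(resourceId, seconds_left)] for tokens that are valid now and issued for expected_audience.

    The access_token values are deliberately not returned or logged here; a caller
    that needs one should look it up by resourceId in the original response.
    """
    now = time.time() if now is None else now
    usable = []
    for tok in json.loads(response_json).get("value", []):
        if tok.get("token_type") != "Bearer":
            continue
        if tok.get("authorizationAudience") != expected_audience:
            continue  # a token for some other audience must never be reused
        not_before = int(tok["not_before"])
        expires_on = int(tok["expires_on"])  # epoch seconds, sent as strings
        if not (not_before <= now < expires_on):
            continue
        usable.append((tok["resourceId"], expires_on - int(now)))
    return usable


# Constructed sample response: one live token for the application's own
# identity and one already-expired token for a user-assigned identity.
APP_ID = ("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}"
          "/providers/Microsoft.Solutions/applications/{applicationName}")
UAI_ID = ("/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}"
          "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{userAssignedIdentityName}")
SAMPLE_RESPONSE = json.dumps({"value": [
    {"access_token": "eyJ0eXAi.constructed.live", "expires_in": "3600",
     "expires_on": "1557003600", "not_before": "1557000000",
     "authorizationAudience": DEFAULT_AUDIENCE, "resourceId": APP_ID, "token_type": "Bearer"},
    {"access_token": "eyJ0eXAi.constructed.expired", "expires_in": "3600",
     "expires_on": "1556900000", "not_before": "1556896400",
     "authorizationAudience": DEFAULT_AUDIENCE, "resourceId": UAI_ID, "token_type": "Bearer"},
]})


if __name__ == "__main__":
    url, body = build_list_tokens_request("{subscriptionId}", "{resourceGroup}", "{applicationName}",
                                          user_assigned_identity_ids=[UAI_ID])
    print(url)
    print(json.dumps(body, indent=4))
    print(usable_tokens(SAMPLE_RESPONSE, now=1557001000))
```

Passing an explicit `now` keeps the filter deterministic in tests; in production leave it unset so the clock is the wall clock, and refresh well before `seconds_left` reaches zero rather than retrying on a 401.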