Use an Azure-managed identity in ACR Tasks

Enable a managed identity for Azure resources in an ACR task, so the task can access other Azure resources without needing to provide or manage credentials. For example, use a managed identity to enable a task step to pull or push container images to another registry.

In this article, you learn how to use the Azure CLI to enable a user-assigned or system-assigned managed identity on an ACR task. You can use the Azure local Shell or a local installation of the Azure CLI. If you'd like to use it locally, version 2.0.68 or later is required. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

For illustration purposes, the example commands in this article use az acr task create to create a basic image build task that enables a managed identity. For sample scenarios to access secured resources from an ACR task using a managed identity, see:

Why use a managed identity?

A managed identity for Azure resources provides selected Azure services with an automatically managed identity in Azure Active Directory. You can configure an ACR task with a managed identity so that the task can access other secured Azure resources without passing credentials in the task steps.

Managed identities are of two types:

  • User-assigned identities, which you can assign to multiple resources and which persist for as long as you want. User-assigned identities are currently in preview.

  • A system-assigned identity, which is unique to a specific resource such as an ACR task and lasts for the lifetime of that resource.

You can enable either or both types of identity in an ACR task. Grant the identity access to another resource, just as you would for any security principal. When the task runs, it uses the identity to access the resource in any task steps that require access.

Steps to use a managed identity

Follow these high-level steps to use a managed identity with an ACR task.

1. (Optional) Create a user-assigned identity

If you plan to use a user-assigned identity, use an existing identity, or create one using the Azure CLI or other Azure tools. For example, use the az identity create command.

If you plan to use only a system-assigned identity, skip this step. You create a system-assigned identity when you create the ACR task.

2. Enable identity on an ACR task

When you create an ACR task, optionally enable a user-assigned identity, a system-assigned identity, or both. For example, pass the --assign-identity parameter when you run the az acr task create command in the Azure CLI.

To enable a system-assigned identity, pass --assign-identity with no value or --assign-identity [system]. The following example command creates a Linux task from a public GitHub repository that builds the hello-world image and enables a system-assigned managed identity:

az acr task create \
    --image hello-world:{{.Run.ID}} \
    --name hello-world --registry MyRegistry \
    --context https://github.com/Azure-Samples/acr-build-helloworld-node.git \
    --file Dockerfile \
    --commit-trigger-enabled false \
    --assign-identity

To enable a user-assigned identity, pass --assign-identity with the resource ID of the identity as its value. The following example command creates a Linux task from a public GitHub repository that builds the hello-world image and enables a user-assigned managed identity:

az acr task create \
    --image hello-world:{{.Run.ID}} \
    --name hello-world --registry MyRegistry \
    --context https://github.com/Azure-Samples/acr-build-helloworld-node.git \
    --file Dockerfile \
    --commit-trigger-enabled false \
    --assign-identity <resourceID>

You can get the resource ID of the identity by running the az identity show command. The resource ID of the identity myUserAssignedIdentity in resource group myResourceGroup has the form:

"/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myUserAssignedIdentity"

3. Grant the identity permissions to access other Azure resources

Depending on the requirements of your task, grant the identity permissions to access other Azure resources. Examples include:

  • Assign the managed identity a role with pull, push and pull, or other permissions to a target container registry in Azure; choose the narrowest role the task step actually needs (for example, acrpull for a step that only pulls). For a complete list of registry roles, see Azure Container Registry roles and permissions.
  • Assign the managed identity a role to read secrets in an Azure key vault.

Use the Azure CLI or other Azure tools to manage role-based access to resources. For example, run the az role assignment create command to assign the identity a role on the resource.

The following example assigns a managed identity the permissions to pull from a container registry. The command specifies the principal ID of the task identity and the resource ID of the target registry:

az role assignment create \
  --assignee <principalID> \
  --scope <registryID> \
  --role acrpull

4. (Optional) Add credentials to the task

If your task needs credentials to pull or push images to another custom registry, or to access other resources, add credentials to the task. Run the az acr task credential add command to add credentials, and pass the --use-identity parameter to indicate that the identity can access the credentials.

For example, to add credentials for a system-assigned identity to authenticate with the Azure container registry targetregistry, pass --use-identity [system]:

az acr task credential add \
    --name helloworld \
    --registry myregistry \
    --login-server targetregistry.azurecr.cn \
    --use-identity [system]

To add credentials for a user-assigned identity to authenticate with the registry targetregistry, pass --use-identity with the client ID of the identity as its value. For example:

az acr task credential add \
    --name helloworld \
    --registry myregistry \
    --login-server targetregistry.azurecr.cn \
    --use-identity <clientID>

You can get the client ID of the identity by running the az identity show command. The client ID is a GUID of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.

5. Run the task

After configuring a task with a managed identity, run the task. For example, to test one of the tasks created in this article, manually trigger it using the az acr task run command. If you configured additional, automated task triggers, the task runs when it is triggered automatically.
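The following script is an added example, not part of the original article or of the Azure CLI project, that wires steps 1 to 5 together for a user-assigned identity. It goes slightly beyond the article's individual commands: it reads the identity's resource ID, principal ID and client ID from az identity show (the id, principalId and clientId fields), checks that the two GUIDs really look like GUIDs before they are passed to --assignee and --use-identity, and scopes the acrpull role to the single target registry. All names (subscription, resource group, identity, registries, task) are constructed placeholders supplied through environment variables; the az commands only run when the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example (not from the Azure docs page): steps 1-5 for a USER-assigned identity.
# Every name below is a constructed placeholder; override via environment variables
# and invoke with "apply" to execute the az calls.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"
IDENTITY_NAME="${IDENTITY_NAME:-myUserAssignedIdentity}"
SOURCE_REGISTRY="${SOURCE_REGISTRY:-MyRegistry}"              # registry that runs the task
TARGET_REGISTRY="${TARGET_REGISTRY:-targetregistry}"          # registry the task pulls from
TARGET_LOGIN_SERVER="${TARGET_LOGIN_SERVER:-targetregistry.azurecr.cn}"
TASK_NAME="${TASK_NAME:-hello-world}"

# Compose the ARM resource ID of a user-assigned identity from its parts (pure shell,
# same shape as the ID the article shows for az identity show).
identity_resource_id() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s' \
    "$1" "$2" "$3"
}

# Accept only a GUID before it reaches --assignee or --use-identity, so an empty or
# error string from a failed az query cannot silently become a role assignment or credential.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step 1: create the user-assigned identity and capture its resource, principal and client IDs.
step1_create_identity() {
  az identity create --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" --output none
  IDENTITY_ID=$(az identity show --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" --query id --output tsv)
  PRINCIPAL_ID=$(az identity show --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" --query principalId --output tsv)
  CLIENT_ID=$(az identity show --name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" --query clientId --output tsv)
  is_guid "$PRINCIPAL_ID" || { echo "unexpected principalId: '$PRINCIPAL_ID'" >&2; return 1; }
  is_guid "$CLIENT_ID" || { echo "unexpected clientId: '$CLIENT_ID'" >&2; return 1; }
}

# Step 2: create the task with the identity attached (the RESOURCE ID goes here, not the client ID).
step2_create_task() {
  az acr task create \
    --image 'hello-world:{{.Run.ID}}' \
    --name "$TASK_NAME" --registry "$SOURCE_REGISTRY" \
    --context https://github.com/Azure-Samples/acr-build-helloworld-node.git \
    --file Dockerfile \
    --commit-trigger-enabled false \
    --assign-identity "$IDENTITY_ID"
}

# Step 3: least privilege: this task only pulls, so grant acrpull scoped to the one target registry.
step3_grant_pull() {
  TARGET_ID=$(az acr show --name "$TARGET_REGISTRY" --query id --output tsv)
  az role assignment create --assignee "$PRINCIPAL_ID" --scope "$TARGET_ID" --role acrpull
}

# Step 4: let the task authenticate to the target login server with the identity (the CLIENT ID goes here).
step4_add_credential() {
  az acr task credential add \
    --name "$TASK_NAME" --registry "$SOURCE_REGISTRY" \
    --login-server "$TARGET_LOGIN_SERVER" \
    --use-identity "$CLIENT_ID"
}

# Step 5: trigger one run manually to confirm the pull works with no stored password.
step5_run() {
  az acr task run --name "$TASK_NAME" --registry "$SOURCE_REGISTRY"
}

if [ "${1:-}" = "apply" ]; then
  command -v az >/dev/null 2>&1 || { echo "az CLI not found" >&2; exit 1; }
  step1_create_identity
  step2_create_task
  step3_grant_pull
  step4_add_credential
  step5_run
fi
```

The two IDs are easy to mix up: the task is created with the identity's resource ID (--assign-identity), the role is granted to its principal ID (--assignee), and the task credential refers to its client ID (--use-identity). Keeping each in its own variable, and validating the GUIDs before use, avoids a run that fails late with an opaque authentication error.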

Next steps

In this article, you learned how to enable and use a user-assigned or system-assigned managed identity on an ACR task. For scenarios to access secured resources from an ACR task using a managed identity, see: