Managed identity for Data Factory

APPLIES TO: Azure Data Factory (yes); Azure Synapse Analytics (Preview) (no)

This article helps you understand what the managed identity for Data Factory (formerly known as Managed Service Identity, MSI) is and how it works.

Note

This article has been updated to use the new Azure PowerShell Az module. You can still use the AzureRM module, which will continue to receive bug fixes until at least December 2020. To learn more about the new Az module and AzureRM compatibility, see Introducing the new Azure PowerShell Az module. For Az module installation instructions, see Install Azure PowerShell.

Overview

When you create a data factory, a managed identity can be created along with it. The managed identity is a managed application registered in Azure Active Directory that represents this specific data factory.

Managed identity for Data Factory benefits the following features:

Generate managed identity

The managed identity for Data Factory is generated as follows:

  • When you create a data factory through the Azure portal or PowerShell, the managed identity is always created automatically.
  • When you create a data factory through the SDK, the managed identity is created only if you specify "Identity = new FactoryIdentity()" in the factory object used for creation. See the example in .NET quickstart - create data factory.
  • When you create a data factory through the REST API, the managed identity is created only if you specify the "identity" section in the request body. See the example in REST quickstart - create data factory.

If, after following the retrieve managed identity instructions below, you find that your data factory has no managed identity associated with it, you can explicitly generate one by updating the data factory programmatically with an identity initiator:

Note

  • A managed identity cannot be modified. Updating a data factory that already has a managed identity has no effect; the managed identity is kept unchanged.
  • If you update a data factory that already has a managed identity without specifying the "identity" parameter in the factory object, or without the "identity" section in the REST request body, you will get an error.
  • When you delete a data factory, the associated managed identity is deleted along with it.

Generate managed identity using PowerShell

Call the Set-AzDataFactoryV2 command again; you will then see the "Identity" field being newly generated:

PS C:\WINDOWS\system32> Set-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName> -Location <region>

DataFactoryName   : ADFV2DemoFactory
DataFactoryId     : /subscriptions/<subsID>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/ADFV2DemoFactory
ResourceGroupName : <resourceGroupName>
Location          : China East 2
Tags              : {}
Identity          : Microsoft.Azure.Management.DataFactory.Models.FactoryIdentity
ProvisioningState : Succeeded

Generate managed identity using REST API

Call the API below with an "identity" section in the request body:

PATCH https://management.chinacloudapi.cn/subscriptions/<subsID>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/<data factory name>?api-version=2018-06-01

Request body: add "identity": { "type": "SystemAssigned" }.

{
    "name": "<dataFactoryName>",
    "location": "<region>",
    "properties": {},
    "identity": {
        "type": "SystemAssigned"
    }
}

Response: the managed identity is created automatically, and the "identity" section is populated accordingly.

{
    "name": "<dataFactoryName>",
    "tags": {},
    "properties": {
        "provisioningState": "Succeeded",
        "loggingStorageAccountKey": "**********",
        "createTime": "2017-09-26T04:10:01.1135678Z",
        "version": "2018-06-01"
    },
    "identity": {
        "type": "SystemAssigned",
        "principalId": "765ad4ab-XXXX-XXXX-XXXX-51ed985819dc",
        "tenantId": "72f988bf-XXXX-XXXX-XXXX-2d7cd011db47"
    },
    "id": "/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.DataFactory/factories/ADFV2DemoFactory",
    "type": "Microsoft.DataFactory/factories",
    "location": "<region>"
}
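The same PATCH, as an added PowerShell example that is not part of the original article, sent through Invoke-AzRestMethod so the response can be checked in code rather than read by eye. It assumes the Az.Accounts module (which provides Invoke-AzRestMethod) and a session opened with Connect-AzAccount -Environment AzureChinaCloud, so that -Path resolves against management.chinacloudapi.cn; the function name and its parameters are assumptions, and the angle-bracket values are placeholders.

```powershell
# Added example, not from the original article: enable the system-assigned identity
# on an existing factory and verify that the response actually carries one.
function Enable-AdfSystemAssignedIdentity {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $DataFactoryName,
        [Parameter(Mandatory)] [string] $Location
    )

    # Same resource path and api-version as the article's PATCH request.
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.DataFactory/factories/$DataFactoryName?api-version=2018-06-01"

    # Same body as the article: properties stay empty, identity is the only change.
    $body = @{
        name       = $DataFactoryName
        location   = $Location
        properties = @{}
        identity   = @{ type = 'SystemAssigned' }
    } | ConvertTo-Json -Depth 5

    $response = Invoke-AzRestMethod -Path $path -Method PATCH -Payload $body
    if ($response.StatusCode -notin 200, 201) {
        throw "PATCH failed with HTTP $($response.StatusCode): $($response.Content)"
    }

    $factory = $response.Content | ConvertFrom-Json
    # A populated principalId/tenantId is the proof that the identity now exists;
    # a 200 without it means the request was accepted but no identity was attached.
    if (-not $factory.identity -or -not $factory.identity.principalId) {
        throw "Response contains no identity section; the factory was not updated."
    }

    [pscustomobject]@{
        PrincipalId = $factory.identity.principalId
        TenantId    = $factory.identity.tenantId
    }
}

# Placeholders as in the article; replace with your own values.
Enable-AdfSystemAssignedIdentity -SubscriptionId '<subsID>' -ResourceGroupName '<resourceGroupName>' `
    -DataFactoryName '<dataFactoryName>' -Location '<region>'
```

The returned PrincipalId is the object ID you use later when granting the identity access; the function does not log the full response, which also carries the masked loggingStorageAccountKey.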

Generate managed identity using an Azure Resource Manager template

Template: add "identity": { "type": "SystemAssigned" }.

{
    "contentVersion": "1.0.0.0",
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "resources": [{
        "name": "<dataFactoryName>",
        "apiVersion": "2018-06-01",
        "type": "Microsoft.DataFactory/factories",
        "location": "<region>",
        "identity": {
            "type": "SystemAssigned"
        }
    }]
}

Generate managed identity using SDK

Call the data factory create_or_update function with Identity = new FactoryIdentity(). Sample code using .NET:

Factory dataFactory = new Factory
{
    Location = <region>,
    Identity = new FactoryIdentity()
};
client.Factories.CreateOrUpdate(resourceGroup, dataFactoryName, dataFactory);

Retrieve managed identity

You can retrieve the managed identity from the Azure portal or programmatically. The following sections show some samples.

Tip

If you don't see the managed identity, generate it by updating your factory.

Retrieve managed identity using Azure portal

You can find the managed identity information in the Azure portal -> your data factory -> Properties.

  • Managed Identity Object ID
  • Managed Identity Tenant
  • Managed Identity Application ID

The managed identity information also shows up when you create a linked service that supports managed identity authentication, such as Azure Blob, Azure Data Lake Storage, Azure Key Vault, etc.

When granting permissions, use the object ID or the data factory name (as the managed identity name) to find this identity.

Retrieve managed identity using PowerShell

The managed identity principal ID and tenant ID are returned when you get a specific data factory, as follows. Use the PrincipalId to grant access:

PS C:\WINDOWS\system32> (Get-AzDataFactoryV2 -ResourceGroupName <resourceGroupName> -Name <dataFactoryName>).Identity

PrincipalId                          TenantId
-----------                          --------
765ad4ab-XXXX-XXXX-XXXX-51ed985819dc 72f988bf-XXXX-XXXX-XXXX-2d7cd011db47

You can get the application ID by copying the principal ID above and then running the following Azure Active Directory command with the principal ID as the parameter.

PS C:\WINDOWS\system32> Get-AzADServicePrincipal -ObjectId 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc

ServicePrincipalNames : {76f668b3-XXXX-XXXX-XXXX-1b3348c75e02, https://identity.chinacloudapi.cn/P86P8g6nt1QxfPJx22om8MOooMf/Ag0Qf/nnREppHkU=}
ApplicationId         : 76f668b3-XXXX-XXXX-XXXX-1b3348c75e02
DisplayName           : ADFV2DemoFactory
Id                    : 765ad4ab-XXXX-XXXX-XXXX-51ed985819dc
Type                  : ServicePrincipal
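The retrieve-then-grant step described above (read the PrincipalId, then use the object ID to grant permissions), as an added PowerShell example that is not part of the original article: it looks up the identity, refuses to continue if the factory has none (the case the Tip above covers), grants one built-in role at one scope without creating duplicates, and lists what the identity now holds there. It assumes the Az.DataFactory and Az.Resources modules and a signed-in session (Connect-AzAccount -Environment AzureChinaCloud for the endpoints shown in this article); Storage Blob Data Reader is a real Azure built-in role, while the function name, its parameters and the scope value are assumptions.

```powershell
# Added example, not from the original article: grant the factory's managed identity a
# single, scoped data-plane role and show the resulting assignments at that scope.
function Grant-AdfIdentityRole {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $DataFactoryName,
        # Resource ID of the target, for example one storage account, not the subscription.
        [Parameter(Mandatory)] [string] $Scope,
        [string] $RoleDefinitionName = 'Storage Blob Data Reader'
    )

    $factory = Get-AzDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName
    if (-not $factory.Identity -or -not $factory.Identity.PrincipalId) {
        # Same situation as the article's Tip: the factory exists but carries no identity yet.
        throw "Factory '$DataFactoryName' has no managed identity; update the factory to generate one first."
    }
    $principalId = $factory.Identity.PrincipalId

    # Idempotent: create the assignment only if it is not already present at exactly this scope.
    $existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $Scope |
        Where-Object { $_.RoleDefinitionName -eq $RoleDefinitionName -and $_.Scope -eq $Scope }
    if (-not $existing) {
        # An identity created moments ago may not have replicated in Azure AD yet;
        # if this call fails with a principal-not-found error, retry after a short wait.
        New-AzRoleAssignment -ObjectId $principalId `
            -RoleDefinitionName $RoleDefinitionName -Scope $Scope | Out-Null
    }

    # Effective assignments for the identity at this scope, inherited ones included.
    Get-AzRoleAssignment -ObjectId $principalId -Scope $Scope |
        Select-Object RoleDefinitionName, Scope
}

# Placeholders; replace with your own values.
Grant-AdfIdentityRole -ResourceGroupName '<resourceGroupName>' -DataFactoryName '<dataFactoryName>' `
    -Scope '/subscriptions/<subsID>/resourceGroups/<resourceGroupName>/providers/Microsoft.Storage/storageAccounts/<storageAccountName>'
```

Because the final listing includes assignments inherited from the resource group or subscription, a broad role such as Contributor showing up next to the one you just granted is a sign the identity holds more than the linked service needs.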

Next steps

See the following topics, which introduce when and how to use the data factory managed identity:

See Managed Identities for Azure Resources Overview for more background on managed identities for Azure resources, on which the data factory managed identity is based.