Authenticate a managed identity with Azure Active Directory to access Azure Service Bus resources

Managed identities for Azure resources is a cross-Azure feature that enables you to create a secure identity associated with the deployment under which your application code runs. You can then associate that identity with access-control roles that grant custom permissions for accessing the specific Azure resources that your application needs.

With managed identities, the Azure platform manages this runtime identity. You do not need to store and protect access keys in your application code or configuration, either for the identity itself or for the resources you need to access. A Service Bus client app running inside an Azure App Service application or in a virtual machine with managed identities for Azure resources enabled does not need to handle SAS rules and keys, or any other access tokens. The client app only needs the endpoint address of the Service Bus Messaging namespace. When the app connects, Service Bus binds the managed identity's context to the client in an operation that is shown in an example later in this article. Once it is associated with a managed identity, your Service Bus client can do all authorized operations. Authorization is granted by associating the managed identity with Service Bus roles.

Overview

When a security principal (a user, group, or application) attempts to access a Service Bus entity, the request must be authorized. With Azure AD, access to a resource is a two-step process.

  1. First, the security principal's identity is authenticated, and an OAuth 2.0 token is returned. The resource name to request a token for is https://servicebus.chinacloudapi.cn.
  2. Next, the token is passed as part of a request to the Service Bus service to authorize access to the specified resource.

The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity such as an Azure VM, a virtual machine scale set, or an Azure Function app, it can use a managed identity to access the resources.

The authorization step requires that one or more RBAC roles be assigned to the security principal. Azure Service Bus provides RBAC roles that encompass sets of permissions for Service Bus resources. The roles that are assigned to a security principal determine the permissions that the principal will have. To learn more about assigning RBAC roles to Azure Service Bus, see Built-in RBAC roles for Azure Service Bus.

Native applications and web applications that make requests to Service Bus can also authorize with Azure AD. This article shows you how to request an access token and use it to authorize requests for Service Bus resources.

Assigning RBAC roles for access rights

Azure Active Directory (Azure AD) authorizes access rights to secured resources through role-based access control (RBAC). Azure Service Bus defines a set of built-in RBAC roles that encompass common sets of permissions used to access Service Bus entities, and you can also define custom roles for accessing the data.

When an RBAC role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, or the Service Bus namespace. An Azure AD security principal may be a user, a group, an application service principal, or a managed identity for Azure resources.

Built-in RBAC roles for Azure Service Bus

For Azure Service Bus, the management of namespaces and all related resources through the Azure portal and the Azure resource management API is already protected using the role-based access control (RBAC) model. Azure provides the following built-in RBAC roles for authorizing access to a Service Bus namespace:

Resource scope

Before you assign an RBAC role to a security principal, determine the scope of access that the security principal should have. Best practice is to grant only the narrowest scope that the principal needs.

The following list describes the levels at which you can scope access to Service Bus resources, starting with the narrowest scope:

  • Queue, topic, or subscription: Role assignment applies to the specific Service Bus entity. Currently, the Azure portal doesn't support assigning users, groups, or managed identities to Service Bus RBAC roles at the subscription (topic subscription) level. Here's an example of using the Azure CLI command az role assignment create to assign an identity to a Service Bus RBAC role:

    az role assignment create \
        --role $service_bus_role \
        --assignee $assignee_id \
        --scope /subscriptions/$subscription_id/resourceGroups/$resource_group/providers/Microsoft.ServiceBus/namespaces/$service_bus_namespace/topics/$service_bus_topic/subscriptions/$service_bus_subscription
    
  • Service Bus namespace: Role assignment spans the entire topology of Service Bus under the namespace and the consumer group associated with it.

  • Resource group: Role assignment applies to all the Service Bus resources under the resource group.

  • Subscription: Role assignment applies to all the Service Bus resources in all of the resource groups in the subscription.
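The scope list above is easy to get wrong by hand, and a scope that is one level too broad silently grants the role on every Service Bus resource beneath it. The following added example (it is not code from this article or from the Service Bus project) builds the ARM scope ID for the narrowest level the caller describes, classifies an existing scope by blast radius, and assembles the az role assignment create command so that resource-group and subscription scopes must be opted into explicitly. It assumes the standard ARM resource-ID layout for namespaces, queues, topics and topic subscriptions; the topic/subscription form matches the CLI example above. The subscription ID and names below are constructed placeholders.

```python
"""Least-privilege scope selection for a Service Bus role assignment (added example)."""
import shlex

PROVIDER = "Microsoft.ServiceBus"
BROAD_LEVELS = {"subscription", "resource_group"}


def service_bus_scope(subscription_id, resource_group=None, namespace=None,
                      queue=None, topic=None, topic_subscription=None):
    """Return the ARM scope ID for the narrowest level the arguments describe.
    Assumed layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/
    Microsoft.ServiceBus/namespaces/{ns}[/queues/{q} | /topics/{t}[/subscriptions/{s}]]"""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group is None:
        return scope
    scope += f"/resourceGroups/{resource_group}"
    if namespace is None:
        return scope
    scope += f"/providers/{PROVIDER}/namespaces/{namespace}"
    if queue is not None and topic is not None:
        raise ValueError("specify a queue or a topic, not both")
    if topic_subscription is not None and topic is None:
        raise ValueError("a topic subscription needs its topic")
    if queue is not None:
        return scope + f"/queues/{queue}"
    if topic is not None:
        scope += f"/topics/{topic}"
        if topic_subscription is not None:
            scope += f"/subscriptions/{topic_subscription}"
    return scope


def scope_level(scope):
    """Classify a scope ID so callers can reason about how much a role grants."""
    if "/queues/" in scope or "/topics/" in scope:
        return "entity"
    if f"/providers/{PROVIDER}/namespaces/" in scope:
        return "namespace"
    if "/resourceGroups/" in scope:
        return "resource_group"
    return "subscription"


def role_assignment_argv(role, assignee_id, scope, allow_broad=False):
    """argv for `az role assignment create`; broad scopes require an explicit opt-in."""
    level = scope_level(scope)
    if level in BROAD_LEVELS and not allow_broad:
        raise ValueError(
            f"{level} scope grants {role!r} on every Service Bus resource beneath it; "
            "pass allow_broad=True to confirm")
    return ["az", "role", "assignment", "create",
            "--role", role, "--assignee", assignee_id, "--scope", scope]


if __name__ == "__main__":
    # Constructed placeholder values, not a real subscription or principal.
    scope = service_bus_scope("00000000-0000-0000-0000-000000000000", "rg-demo",
                              "sb-demo", topic="orders", topic_subscription="billing")
    print(shlex.join(role_assignment_argv("<role name>", "<principal object id>", scope)))
```

Run it with the role name and principal object ID you intend to use; the printed command is what you would then paste into the Azure CLI. Passing only the subscription ID raises until allow_broad=True is given, which is the point: widening the scope should be a deliberate choice, not a default.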

Note

Keep in mind that RBAC role assignments may take up to five minutes to propagate.

For more information about how built-in roles are defined, see Understand role definitions. For information about creating custom RBAC roles, see Create custom roles for Azure Role-Based Access Control.

Enable managed identities on a VM

Before you can use managed identities for Azure resources to authorize access to Service Bus resources from your VM, you must first enable managed identities for Azure resources on the VM. To learn how to enable managed identities for Azure resources, see one of these articles:

Grant permissions to a managed identity in Azure AD

To authorize a request to the Service Bus service from a managed identity in your application, first configure role-based access control (RBAC) settings for that managed identity. Azure Service Bus defines RBAC roles that encompass permissions for sending to and receiving from Service Bus. When the RBAC role is assigned to a managed identity, the managed identity is granted access to Service Bus entities at the appropriate scope.

For more information about assigning RBAC roles, see Authenticate and authorize with Azure Active Directory for access to Service Bus resources.

Use Service Bus with managed identities for Azure resources

To use Service Bus with managed identities, you need to assign the identity a role at the appropriate scope. The procedure in this section uses a simple application that runs under a managed identity and accesses Service Bus resources.

Here we're using a sample web application hosted in Azure App Service. For step-by-step instructions for creating a web application, see Create an ASP.NET Core web app in Azure.

Once the application is created, follow these steps:

  1. Go to Settings and select Identity.

  2. Set the Status to On.

  3. Select Save to save the setting.

    [Image: Managed identity for the web app]

Once you've enabled this setting, a new service identity is created in your Azure Active Directory (Azure AD) and configured into the App Service host.

Now, assign this service identity to a role at the required scope in your Service Bus resources.

Assign RBAC roles using the Azure portal

To assign a role to a Service Bus namespace, navigate to the namespace in the Azure portal. Display the Access Control (IAM) settings for the resource, and follow these instructions to manage role assignments:

Note

The following steps assign a service identity role to your Service Bus namespace. You can follow the same steps to assign a role at the other supported scopes (resource group and subscription).

Create a Service Bus Messaging namespace if you don't have one.

  1. In the Azure portal, navigate to your Service Bus namespace and display the Overview for the namespace.

  2. Select Access Control (IAM) on the left menu to display the access control settings for the Service Bus namespace.

  3. Select the Role assignments tab to see the list of role assignments.

  4. Select Add to add a new role assignment.

  5. On the Add role assignment page, select the Azure Service Bus role that you want to assign. Then search to locate the service identity you registered, so that you can assign the role to it.

    [Image: Add role assignment page]

  6. Select Save. The identity to which you assigned the role appears listed under that role. For example, the following image shows that the service identity has the Azure Service Bus Data Owner role.

    [Image: Identity assigned to a role]

Once you've assigned the role, the web application has access to the Service Bus entities under the defined scope.

Run the app

Now, modify the default page of the ASP.NET application you created. You can use the web application code from this GitHub repository.

The Default.aspx page is your landing page. The code can be found in the Default.aspx.cs file. The result is a minimal web application with a few entry fields, and with send and receive buttons that connect to Service Bus to either send or receive messages.

Note how the MessagingFactory object is initialized. Instead of using the Shared Access Signature (SAS) token provider, the code creates a token provider for the managed identity with the var msiTokenProvider = TokenProvider.CreateManagedIdentityTokenProvider(); call. As such, there are no secrets to retain and use. The flow of the managed identity context to Service Bus and the authorization handshake are handled automatically by the token provider. It is a simpler model than using SAS.
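The token provider hides the two-step process described in the Overview (acquire an OAuth 2.0 token for the Service Bus resource, then present it as a bearer token). To make that flow visible, here is an added example that is not code from this article, its sample repository, or the Service Bus SDK. It assumes the Azure Instance Metadata Service (IMDS) token endpoint and response fields used on Azure VMs and scale sets (App Service exposes the identity through a different local endpoint, which this example does not model); the transport is injectable, so the flow runs offline against a constructed response. The JWT is only decoded to sanity-check audience and expiry before use; the signature is validated by the Service Bus service, not by this client. The resource value is the one given earlier on this page.

```python
"""Managed-identity token acquisition for Service Bus, made explicit (added example)."""
import base64
import json
import time
import urllib.parse
import urllib.request

SERVICE_BUS_RESOURCE = "https://servicebus.chinacloudapi.cn"          # from this article
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"  # assumed IMDS endpoint
IMDS_API_VERSION = "2018-02-01"                                          # assumed IMDS API version


def _imds_fetch(url, headers):
    """Real transport: GET the local IMDS endpoint (only reachable inside Azure)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def jwt_claims(token):
    """Read a JWT's claims without verifying its signature (the service does that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def acquire_token(resource=SERVICE_BUS_RESOURCE, fetch=_imds_fetch, now=time.time):
    """Step 1: obtain an access token for `resource` from the host's managed identity.
    No secret is read from config: the identity is bound to the host itself."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    body = fetch(IMDS_TOKEN_URL + "?" + query, {"Metadata": "true"})
    token = body["access_token"]
    claims = jwt_claims(token)
    # A token for another audience or one already expired would only yield a 401 later;
    # failing here gives a clearer error and avoids sending a useless token.
    if claims.get("aud") != resource:
        raise ValueError(f"token audience {claims.get('aud')!r} != {resource!r}")
    if int(claims.get("exp", 0)) <= now():
        raise ValueError("token already expired")
    return {"access_token": token, "expires_on": int(body["expires_on"]), "resource": resource}


def authorization_header(token_info):
    """Step 2: the header carried on each request Service Bus must authorize."""
    return {"Authorization": "Bearer " + token_info["access_token"]}


# --- Constructed test double: an unsigned, fake token for offline runs only ---
def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_imds_response(audience, exp):
    """Fake IMDS reply carrying a JWT with the given `aud` and `exp` (constructed data)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": audience, "exp": exp}).encode())
    return {"access_token": f"{header}.{payload}.constructed", "expires_on": str(exp),
            "resource": audience, "token_type": "Bearer"}


if __name__ == "__main__":
    expiry = int(time.time()) + 3600
    fake = lambda url, headers: constructed_imds_response(SERVICE_BUS_RESOURCE, expiry)
    info = acquire_token(fetch=fake)
    print(authorization_header(info)["Authorization"][:24] + "...")
```

Inside an Azure VM you would call acquire_token() with the default transport; the token is short-lived, so cache it and re-acquire before expires_on rather than requesting one per message. The same audience check is worth keeping in real code: a token minted for a different resource is a common cause of authorization failures that look like a missing role assignment.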

After you make these changes, publish and run the application. You can obtain the correct publishing data easily by downloading a publishing profile and then importing it in Visual Studio:

[Image: Get publish profile]

To send or receive messages, enter the name of the namespace and the name of the entity you created. Then, click either send or receive.

Note

  • The managed identity works only inside the Azure environment: on App Service, Azure VMs, and scale sets. For .NET applications, the Microsoft.Azure.Services.AppAuthentication library, which is used by the Service Bus NuGet package, provides an abstraction over this protocol and supports a local development experience. This library also allows you to test your code locally on your development machine, using your user account from Visual Studio, Azure CLI 2.0, or Active Directory Integrated Authentication. For more on local development options with this library, see Service-to-service authentication to Azure Key Vault using .NET.

  • Currently, managed identities do not work with App Service deployment slots.

Next steps

To learn more about Service Bus messaging, see the following topics: