Using managed identities for Azure with Service Fabric

A common challenge when building cloud applications is how to securely manage the credentials your code uses to authenticate to various services, without saving them locally on a developer workstation or in source control. Managed identities for Azure solve this problem for all your resources in Azure Active Directory (Azure AD) by providing them with automatically managed identities within Azure AD. You can use a service's identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without storing any credentials in your code.

Managed identities for Azure resources are free with Azure AD for Azure subscriptions. There's no additional cost.

Note

Managed identities for Azure is the new name for the service formerly known as Managed Service Identity (MSI).

Concepts

Managed identities for Azure are based on several key concepts:

  • Client ID - a unique identifier generated by Azure AD that is tied to an application and service principal during its initial provisioning (also see application ID).

  • Principal ID - the object ID of the service principal object for your managed identity, which is used to grant role-based access to an Azure resource.

  • Service principal - an Azure Active Directory object that represents the projection of an AAD application in a given tenant (also see service principal).

There are two types of managed identities:

  • A system-assigned managed identity is enabled directly on an Azure service instance. The lifecycle of a system-assigned identity is tied to the Azure service instance it's enabled on.
  • A user-assigned managed identity is created as a standalone Azure resource. The identity can be assigned to one or more Azure service instances and is managed separately from the lifecycles of those instances.

To further understand the difference between managed identity types, see How do managed identities for Azure resources work?

Supported scenarios for Service Fabric applications

Managed identities for Service Fabric are only supported in Azure-deployed Service Fabric clusters, and only for applications deployed as Azure resources; an application that is not deployed as an Azure resource cannot be assigned an identity. Conceptually, support for managed identities in an Azure Service Fabric cluster consists of two phases:

  1. Assign one or more managed identities to the application resource; an application may be assigned a single system-assigned identity and/or up to 32 user-assigned identities.

  2. Within the application's definition, map one of the identities assigned to the application to any individual service that makes up the application.

The system-assigned identity of an application is unique to that application; a user-assigned identity is a standalone resource that may be assigned to multiple applications. Within an application, a single identity (whether system-assigned or user-assigned) can be assigned to multiple services of the application, but each individual service can be assigned only one identity. Lastly, a service must be explicitly assigned an identity to have access to this feature. In effect, the mapping of an application's identities to its constituent services provides in-application isolation: a service may only use the identity mapped to it.
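The second phase (mapping identities to services) and the rules just stated can be checked mechanically against an application manifest. The following is an added example, not Microsoft's code: it parses a constructed ApplicationManifest.xml and reports which identity each service is bound to, flagging services bound to more than one identity or to an identity the application was never assigned. The ManagedIdentity and IdentityBindingPolicy elements are the Service Fabric manifest schema's own names for these bindings; the package and identity names are made up for illustration.

```python
# Added example (not Microsoft's code): checks a Service Fabric ApplicationManifest.xml
# against the identity-to-service mapping rules. The manifest below is constructed;
# "SystemAssigned" is the manifest's name for the application's system-assigned identity.
import xml.etree.ElementTree as ET
NS = {"sf": "http://schemas.microsoft.com/2011/01/fabric"}

SAMPLE_MANIFEST = """<ApplicationManifest ApplicationTypeName="DemoAppType" ApplicationTypeVersion="1.0.0" xmlns="http://schemas.microsoft.com/2011/01/fabric">
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WebPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <IdentityBindingPolicy ServiceIdentityRef="WebIdentity" ApplicationIdentityRef="SystemAssigned" />
    </Policies>
  </ServiceManifestImport>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="WorkerPkg" ServiceManifestVersion="1.0.0" />
    <Policies>
      <IdentityBindingPolicy ServiceIdentityRef="WorkerIdentity" ApplicationIdentityRef="KeyVaultReader" />
    </Policies>
  </ServiceManifestImport>
  <ServiceManifestImport>
    <ServiceManifestRef ServiceManifestName="AuditPkg" ServiceManifestVersion="1.0.0" />
  </ServiceManifestImport>
  <Principals>
    <ManagedIdentities>
      <ManagedIdentity Name="SystemAssigned" />
    </ManagedIdentities>
  </Principals>
</ApplicationManifest>"""


def check_identity_bindings(manifest_xml):
    """Return (bindings, problems): package -> bound identity (None if unbound), and rule violations."""
    root = ET.fromstring(manifest_xml)
    # Identities the application itself has been assigned (phase 1 of the page's two phases)
    declared = {m.get("Name") for m in root.findall("sf:Principals/sf:ManagedIdentities/sf:ManagedIdentity", NS)}
    bindings, problems = {}, []
    for imp in root.findall("sf:ServiceManifestImport", NS):
        pkg = imp.find("sf:ServiceManifestRef", NS).get("ServiceManifestName")
        policies = imp.findall("sf:Policies/sf:IdentityBindingPolicy", NS)
        if not policies:  # no explicit binding: this service cannot use any identity
            bindings[pkg] = None
            continue
        if len(policies) > 1:  # each service may be bound to exactly one identity
            problems.append(f"{pkg}: bound to more than one identity")
        ref = policies[0].get("ApplicationIdentityRef")
        if ref not in declared:  # a service may only use an identity assigned to the application
            problems.append(f"{pkg}: identity '{ref}' is not assigned to the application")
        bindings[pkg] = ref
    return bindings, problems
```

Running the check on the sample flags WorkerPkg, whose binding names an identity the application was never assigned, and shows AuditPkg with no identity at all.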

Currently, the following scenarios are supported for this feature:

  • Deploy a new application with one or more services and one or more assigned identities

  • Assign one or more managed identities to an existing (Azure-deployed) application in order to access Azure resources

The following scenarios are not supported or not recommended; note that these actions may not be blocked, but can lead to outages in your applications:

  • Remove or change the identities assigned to an application; if you must make changes, submit separate deployments to first add a new identity assignment and then remove the previously assigned one. Removing an identity from an existing application can have undesirable effects, including leaving your application in a state that is not upgradeable. If removing an identity is necessary, it is safe to delete the application altogether; note that this deletes the system-assigned identity (if one is defined) associated with the application, and removes any associations with the user-assigned identities assigned to the application.

  • Service Fabric support for managed identities is not integrated into the AzureServiceTokenProvider at this time.

Next steps