How to enable system-assigned managed identity for Azure Spring Cloud application

Managed identities for Azure resources provide an automatically managed identity in Azure Active Directory to an Azure resource such as your Azure Spring Cloud application. You can use this identity to authenticate to any service that supports Azure AD authentication, without having credentials in your code.

This article shows how to enable and disable system-assigned managed identities for an Azure Spring Cloud app, using the Azure portal and CLI (available from version 0.2.4).

Prerequisites

If you're unfamiliar with managed identities for Azure resources, see the overview section. You'll need a deployed Azure Spring Cloud instance. Follow the Quickstart to deploy by using the Azure CLI.

Add a system-assigned identity

Creating an app with a system-assigned identity requires setting an additional property on the application.

Using Azure portal

To set up a managed identity in the Azure portal, first create an app, and then enable the feature.

  1. Create an app in the portal as you normally would. Navigate to it in the portal.
  2. Scroll down to the Settings group in the left navigation pane.
  3. Select Identity.
  4. Within the System assigned tab, switch Status to On. Click Save.

(Image: managed identity in the portal)

Using Azure CLI

You can enable system-assigned managed identity during app creation or on an existing app.

Enable system-assigned managed identity during creation of an app

The following example creates an app named app_name with a system-assigned managed identity, as requested by the --assign-identity parameter.

az spring-cloud app create -n app_name -s service_name -g resource_group_name --assign-identity

Enable system-assigned managed identity on an existing app

Use the az spring-cloud app identity assign command to enable the system-assigned identity on an existing app.

az spring-cloud app identity assign -n app_name -s service_name -g resource_group_name

Obtain tokens for Azure resources

An app can use its managed identity to get tokens to access other resources protected by Azure Active Directory, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.

You may need to configure the target resource to allow access from your application. For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Azure Active Directory tokens, see Azure services that support Azure AD authentication.

Azure Spring Cloud shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using the Java SDK or Spring Boot starters to acquire a token. See How to use VM token for various code and script examples and guidance on important topics such as handling token expiration and HTTP errors.

Recommended: use the Java SDK or Spring Boot starters to get tokens. See the samples in the Next Steps.
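The following is an added example, not code from the original article or from Azure Spring Cloud itself, showing what the recommended SDK path looks like in a Spring Boot app: the app authenticates to Key Vault with its system-assigned managed identity and reads one secret, with no credential in code. It assumes the com.azure:azure-identity and com.azure:azure-security-keyvault-secrets dependencies are on the classpath, and that the vault URL is supplied through an environment variable named KEY_VAULT_URL (a hypothetical name chosen for this example). It also assumes the vault's access policy already includes the app's identity; if it does not, the call carries a valid token but is still rejected, which is the case the catch block surfaces.

```java
// Added example (not from the original article): read a Key Vault secret
// using the app's system-assigned managed identity from a Spring Boot component.
// Assumptions: azure-identity and azure-security-keyvault-secrets dependencies,
// and a KEY_VAULT_URL environment variable (hypothetical name).
package com.example.demo;

import com.azure.core.credential.TokenCredential;
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.springframework.stereotype.Component;

@Component
public class KeyVaultSecretReader {

    private final SecretClient client;

    public KeyVaultSecretReader() {
        // System-assigned identity: no client id or secret is configured here.
        // The SDK requests the token from the same endpoint a VM uses and
        // takes care of caching and refreshing it before expiry.
        TokenCredential credential = new ManagedIdentityCredentialBuilder().build();

        // Example value: https://<vault-name>.vault.azure.net
        String vaultUrl = System.getenv("KEY_VAULT_URL");
        if (vaultUrl == null || vaultUrl.isEmpty()) {
            throw new IllegalStateException("KEY_VAULT_URL is not set");
        }

        this.client = new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(credential)
                .buildClient();
    }

    /** Returns the current value of the named secret. */
    public String readSecret(String name) {
        try {
            KeyVaultSecret secret = client.getSecret(name);
            return secret.getValue();
        } catch (HttpResponseException e) {
            // HTTP 403 means a token was presented but the vault's access policy
            // does not include this app's identity; HTTP 401 means no valid token
            // reached the vault (identity not enabled, or token acquisition failed).
            int status = e.getResponse().getStatusCode();
            throw new IllegalStateException(
                    "Key Vault rejected the request for secret '" + name + "' (HTTP " + status + ")", e);
        }
    }
}
```

The only permission the app needs for this code path is the secret get permission on that vault, so grant no more than that when you add the access policy for the app's identity; a 403 from the vault after the identity is enabled is the signal that the policy step described above is missing, not that the token is wrong.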

Disable system-assigned identity from an app

Removing a system-assigned identity will also delete it from Azure AD. Deleting the app resource automatically removes system-assigned identities from Azure AD.

Using Azure portal

To remove system-assigned managed identity from an app that no longer needs it:

  1. Sign in to the Azure portal using an account associated with the Azure subscription that contains the Azure Spring Cloud instance.
  2. Navigate to the desired Virtual Machine and select Identity.
  3. Under System assigned/Status, select Off and then click Save:

(Image: managed identity)

Using Azure CLI

To remove system-assigned managed identity from an app that no longer needs it, use the following command:

az spring-cloud app identity remove -n app_name -s service_name -g resource_group_name

Next steps