Use Managed Identity to authenticate your Azure Stream Analytics job to Azure Blob Storage output

Managed Identity authentication for output to Azure Blob storage gives Stream Analytics jobs direct access to a storage account instead of using a connection string. In addition to improved security, this feature also enables you to write data to a storage account in a Virtual Network (VNET) within Azure.

This article shows you how to enable Managed Identity for the Blob output(s) of a Stream Analytics job through the Azure portal and through an Azure Resource Manager deployment.

Create the Stream Analytics job using the Azure portal

  1. Create a new Stream Analytics job or open an existing job in the Azure portal. From the menu bar located on the left side of the screen, select Managed Identity located under Configure. Ensure that "Use System-assigned Managed Identity" is selected and then click the Save button on the bottom of the screen.

    [Image: Configure Stream Analytics Managed Identity]

  2. In the output properties window of the Azure Blob storage output sink, select the Authentication mode drop-down and choose Managed Identity. For information regarding the other output properties, see Understand outputs from Azure Stream Analytics. When you are finished, click Save.

    [Image: Configure Azure Blob storage output]

  3. Now that the job is created, see the Give the Stream Analytics job access to your storage account section of this article.

Azure Resource Manager deployment

Using Azure Resource Manager allows you to fully automate the deployment of your Stream Analytics job. You can deploy Resource Manager templates using either Azure PowerShell or the Azure CLI. The examples below use the Azure CLI.

  1. You can create a Microsoft.StreamAnalytics/streamingjobs resource with a Managed Identity by including the following property in the resource section of your Resource Manager template (the property names are lowercased and the stray trailing comma removed so the fragment is valid JSON, matching the full template below):

    "identity": {
      "type": "SystemAssigned"
    },
    

    This property tells Azure Resource Manager to create and manage the identity for your Stream Analytics job. Below is an example Resource Manager template that deploys a Stream Analytics job with Managed Identity enabled and a Blob output sink that uses Managed Identity:

    {
        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {
                "apiVersion": "2017-04-01-preview",
                "name": "MyStreamingJob",
                "location": "[resourceGroup().location]",
                "type": "Microsoft.StreamAnalytics/StreamingJobs",
                "identity": {
                    "type": "systemAssigned"
                },
                "properties": {
                    "sku": {
                        "name": "standard"
                    },
                    "outputs":[
                        {
                            "name":"output",
                            "properties":{
                                "serialization": {
                                    "type": "JSON",
                                    "properties": {
                                        "encoding": "UTF8"
                                    }
                                },
                                "datasource":{
                                    "type":"Microsoft.Storage/Blob",
                                    "properties":{
                                        "storageAccounts": [
                                            { "accountName": "MyStorageAccount" }
                                        ],
                                        "container": "test",
                                        "pathPattern": "segment1/{date}/segment2/{time}",
                                        "dateFormat": "yyyy/MM/dd",
                                        "timeFormat": "HH",
                                        "authenticationMode": "Msi"
                                    }
                                }
                            }
                        }
                    ]
                }
            }
        ]
    }
    

    The above job can be deployed to the resource group ExampleGroup using the Azure CLI command below (note the flag is --template-file, with two leading dashes):

    az group deployment create --resource-group ExampleGroup --template-file StreamingJob.json
    
  2. After the job is created, you can use Azure Resource Manager to retrieve the job's full definition.

    az resource show --ids /subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.StreamAnalytics/StreamingJobs/{RESOURCE_NAME}
    

    The above command will return a response like the one below:

    {
        "id": "/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}/providers/Microsoft.StreamAnalytics/streamingjobs/{RESOURCE_NAME}",
        "identity": {
            "principalId": "{PRINCIPAL_ID}",
            "tenantId": "{TENANT_ID}",
            "type": "SystemAssigned",
            "userAssignedIdentities": null
        },
        "kind": null,
        "location": "China East",
        "managedBy": null,
        "name": "{RESOURCE_NAME}",
        "plan": null,
        "properties": {
            "compatibilityLevel": "1.0",
            "createdDate": "2019-07-12T03:11:30.39Z",
            "dataLocale": "en-US",
            "eventsLateArrivalMaxDelayInSeconds": 5,
            "jobId": "{JOB_ID}",
            "jobState": "Created",
            "jobStorageAccount": null,
            "jobType": "Cloud",
            "outputErrorPolicy": "Stop",
            "package": null,
            "provisioningState": "Succeeded",
            "sku": {
                "name": "Standard"
            }
        },
        "resourceGroup": "{RESOURCE_GROUP}",
        "sku": null,
        "tags": null,
        "type": "Microsoft.StreamAnalytics/streamingjobs"
    }
    

    Take note of the principalId from the job's definition, which identifies your job's Managed Identity within Azure Active Directory and will be used in the next step to grant the Stream Analytics job access to the storage account.

  3. Now that the job is created, see the Give the Stream Analytics job access to your storage account section of this article.

Give the Stream Analytics job access to your storage account

There are two levels of access you can choose to give your Stream Analytics job:

  1. Container level access: this option gives the job access to a specific existing container.
  2. Account level access: this option gives the job general access to the storage account, including the ability to create new containers.

Unless you need the job to create containers on your behalf, you should choose Container level access, since this option grants the job the minimum level of access required. Both options are explained below for the Azure portal and the command line.

Grant access via the Azure portal

Container level access

  1. Navigate to the container's configuration pane within your storage account.

  2. Select Access Control (IAM) on the left-hand side.

  3. Under the "Add a role assignment" section, click Add.

  4. In the role assignment pane:

    1. Set the Role to "Storage Blob Data Contributor".
    2. Ensure the Assign access to dropdown is set to "Azure AD user, group, or service principal".
    3. Type the name of your Stream Analytics job in the search field.
    4. Select your Stream Analytics job and click Save.

    [Image: Grant container access]

Account level access

  1. Navigate to your storage account.

  2. Select Access Control (IAM) on the left-hand side.

  3. Under the "Add a role assignment" section, click Add.

  4. In the role assignment pane:

    1. Set the Role to "Storage Blob Data Contributor".
    2. Ensure the Assign access to dropdown is set to "Azure AD user, group, or service principal".
    3. Type the name of your Stream Analytics job in the search field.
    4. Select your Stream Analytics job and click Save.

    [Image: Grant account access]

Grant access via the command line

Container level access

To give access to a specific container, run the following command using the Azure CLI:

az role assignment create --role "Storage Blob Data Contributor" --assignee <principal-id> --scope /subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>/blobServices/default/containers/<container-name>

Account level access

To give access to the entire account, run the following command using the Azure CLI:

az role assignment create --role "Storage Blob Data Contributor" --assignee <principal-id> --scope /subscriptions/<subscription-id>/resourcegroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account>
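The Resource Manager deployment steps above and the two role-assignment commands, tied together into one script as an added example that is not part of the original article. It assumes the template above is saved as StreamingJob.json, that the az CLI is already logged in, and it reuses the names from the page (ExampleGroup, MyStreamingJob, MyStorageAccount, container test); the helper names container_scope, account_scope, is_guid and deploy_and_grant are this example's own. It reads the principalId from the job definition instead of copying it by hand, defaults to the container-level scope the article recommends as the minimum, and lists the assignment afterwards so the grant can be confirmed.

```shell
#!/bin/sh
# Added example, not from the Azure documentation: deploy the Stream Analytics
# job template, read the system-assigned identity it was given, and grant that
# identity the least-privilege role the article recommends (container scope).
# Assumptions: the template from the article is saved as StreamingJob.json, the
# az CLI is logged in, and the resource names below match that template.
set -eu

RG="ExampleGroup"            # resource group used in the article
JOB="MyStreamingJob"         # job name from the template
ACCOUNT="MyStorageAccount"   # storage account from the template
CONTAINER="test"             # container from the template
TEMPLATE="StreamingJob.json"

# RBAC scope for one container: the minimum the job needs to write blobs.
container_scope() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$1" "$2" "$3" "$4"
}

# RBAC scope for the whole account: only needed if the job must create containers.
account_scope() {
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.Storage/storageAccounts/%s' \
    "$1" "$2" "$3"
}

# principalId must be a GUID; refuse to pass anything else to the role assignment.
is_guid() {
  printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

deploy_and_grant() {
  sub=$(az account show --query id -o tsv)

  # Step 1: deploy the template (creates the job with "identity": SystemAssigned).
  az group deployment create --resource-group "$RG" --template-file "$TEMPLATE" >/dev/null

  # Step 2: read the identity's principalId from the job definition.
  principal=$(az resource show \
    --ids "/subscriptions/$sub/resourceGroups/$RG/providers/Microsoft.StreamAnalytics/StreamingJobs/$JOB" \
    --query identity.principalId -o tsv)
  if ! is_guid "$principal"; then
    echo "unexpected principalId '$principal'; was the identity enabled in the template?" >&2
    return 1
  fi

  # Step 3: container-level Storage Blob Data Contributor, not account-level.
  scope=$(container_scope "$sub" "$RG" "$ACCOUNT" "$CONTAINER")
  az role assignment create --role "Storage Blob Data Contributor" \
    --assignee "$principal" --scope "$scope" >/dev/null

  # Step 4: confirm the assignment exists at exactly this scope.
  az role assignment list --assignee "$principal" --scope "$scope" -o table
}

# Only call Azure when explicitly asked, so the helpers can be sourced or tested offline.
if [ "${1:-}" = "deploy" ]; then
  deploy_and_grant
fi
```

Run it as `sh grant-msi-access.sh deploy`. Swap container_scope for account_scope in step 3 only when the job genuinely has to create containers; the verification in step 4 then shows the assignment at account scope, which is worth recording since it widens what the job's identity can reach.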

Enable VNET access

When configuring your storage account's Firewalls and virtual networks, you can optionally allow in network traffic from other trusted Microsoft services. When Stream Analytics authenticates using Managed Identity, it provides proof that the request is originating from a trusted service. Below are instructions to enable this VNET access exception.

  1. Navigate to the "Firewalls and virtual networks" pane within the storage account's configuration pane.
  2. Ensure the "Allow trusted Microsoft services to access this storage account" option is enabled.
  3. If you enabled it, click Save.

[Image: Enable VNET access]

Limitations

Below are the current limitations of this feature:

  1. Classic Azure Storage accounts.

  2. Azure accounts without Azure Active Directory.

  3. Multi-tenant access is not supported. The service principal created for a given Stream Analytics job must reside in the same Azure Active Directory tenant in which the job was created, and cannot be used with a resource that resides in a different Azure Active Directory tenant.

  4. User Assigned Identity is not supported. This means the user is not able to enter their own service principal to be used by their Stream Analytics job. The service principal must be generated by Azure Stream Analytics.

Next steps