Pass credentials to the Azure DSC extension handler

This article covers the Desired State Configuration (DSC) extension for Azure. For an overview of the DSC extension handler, see Introduction to the Azure Desired State Configuration extension handler.

Pass in credentials

As part of the configuration process, you might need to set up user accounts, access services, or install a program in a user context. To do these things, you need to provide credentials.

You can use DSC to set up parameterized configurations. In a parameterized configuration, credentials are passed into the configuration as parameters and stored encrypted in the compiled .mof files. The Azure extension handler simplifies credential management by managing the encryption certificates for you, so you don't have to generate, export, and distribute a certificate yourself.

The following DSC configuration script creates a local user account with the specified password:

configuration Main
{
    param(
        # The [PSCredential] type is what tells the extension handler to encrypt this value.
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PSCredential]
        $Credential
    )
    # The extension handler looks for a 'Node localhost' block; don't rename it.
    Node localhost {
        User LocalUserAccount
        {
            Username = $Credential.UserName
            Password = $Credential      # the User resource takes the whole credential, not a plain string
            Disabled = $false
            Ensure = "Present"
            FullName = "Local User Account"
            Description = "Local User Account"
            PasswordNeverExpires = $true
        }
    }
}

It's important to include Node localhost as part of the configuration. The extension handler specifically looks for the Node localhost statement; if it's missing, the following steps don't work. It's also important to declare the parameter with the [PSCredential] type. That specific type is what triggers the extension to encrypt the credential; a parameter typed as [string] or left untyped is passed through without encryption.

To publish this script to Azure Blob storage (the resource group and storage account names below are placeholders; the cmdlet packages the script into user_configuration.ps1.zip and uploads it to that account):

Publish-AzVMDscConfiguration -ConfigurationPath .\user_configuration.ps1 -ResourceGroupName 'example-rg' -StorageAccountName 'examplestorage'

To set the Azure DSC extension on the VM and provide the credential (again, 'example-rg' and 'examplestorage' are placeholders for the resource group and the storage account the archive was published to):

$configurationName = 'Main'
$configurationArguments = @{ Credential = Get-Credential }   # prompts interactively; keys must match the configuration's parameter names
$configurationArchive = 'user_configuration.ps1.zip'         # blob name produced by Publish-AzVMDscConfiguration
$vm = Get-AzVM -ResourceGroupName 'example-rg' -Name 'example-1'

# -VMName takes the VM's name, not the VM object. -ArchiveStorageAccountName is the account the
# archive was published to, and -Version is the DSC extension handler version to deploy.
# Set-AzVMDscExtension applies the extension directly; no Update-AzVM call is needed afterwards.
Set-AzVMDscExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name `
    -ArchiveBlobName $configurationArchive -ArchiveStorageAccountName 'examplestorage' `
    -ConfigurationName $configurationName -ConfigurationArgument $configurationArguments `
    -Version '2.80'

How a credential is secured

Running this code prompts for a credential. After the credential is provided, it's briefly held in memory on the machine running the cmdlet. When the credential is sent by using the Set-AzVMDscExtension cmdlet, it's transmitted over HTTPS to the VM as a protected setting of the extension. In the VM, Azure stores the credential encrypted on disk by using the local VM certificate. The credential is briefly decrypted in memory, and then it's re-encrypted to pass it to DSC, so at no point is the password written to disk in clear text.

This process is different from using secure configurations without the extension handler, where you have to generate a certificate, install its private key on the target node, and reference the public key when compiling the .mof. The Azure environment gives you a way to transmit configuration data securely via certificates it manages. When you use the DSC extension handler, you don't need to provide a $CertificateFile or a $CertificateID / $Thumbprint entry in ConfigurationData.
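For comparison, the following added example (not part of the original article) shows the work the extension handler does for you when you compile the Main configuration from this page outside Azure: the credential is encrypted to a per-node certificate that you supply in ConfigurationData, and the weak alternative, PSDscAllowPlainTextPassword, writes the password into the .mof in clear text. The script then checks both compiled .mof files for the plaintext password. The certificate path, thumbprint, user name and password are placeholders constructed for the example; the script assumes .\user_configuration.ps1 defines the Main configuration shown above and that the node's DSC encryption certificate has been exported (public key only) to the path in $certFile.

```powershell
# Added example: compiling a credential-bearing DSC configuration without the
# Azure extension handler. Values below are placeholders, not from the article.

. .\user_configuration.ps1   # dot-source the script so the 'Main' configuration is defined

$certFile   = 'C:\dsc\target-node.cer'                       # placeholder: node's public cert (.cer)
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'     # placeholder: that cert's thumbprint

# Weak setting: the compiler embeds the password in the .mof in clear text.
$insecureData = @{
    AllNodes = @(
        @{
            NodeName                    = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

# Correct setting: the password is encrypted to the node's certificate. The
# thumbprint tells the node's LCM which private key to use for decryption.
$secureData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            CertificateFile = $certFile
            Thumbprint      = $thumbprint
        }
    )
}

# Constructed credential for the example; never hard-code a real password like this.
$plainTextPassword = 'P@ssw0rd-example-only'
$securePassword    = ConvertTo-SecureString $plainTextPassword -AsPlainText -Force
$credential        = New-Object System.Management.Automation.PSCredential ('localuser', $securePassword)

# Compile the same configuration twice, once with each ConfigurationData.
Main -Credential $credential -ConfigurationData $insecureData -OutputPath .\mof-plaintext | Out-Null
Main -Credential $credential -ConfigurationData $secureData   -OutputPath .\mof-encrypted | Out-Null

# Returns $true when the plaintext password is present anywhere in the .mof file.
function Test-MofLeaksPassword {
    param(
        [Parameter(Mandatory=$true)][string]$MofPath,
        [Parameter(Mandatory=$true)][string]$PlainTextPassword
    )
    [bool](Select-String -Path $MofPath -SimpleMatch -Pattern $PlainTextPassword -Quiet)
}

[PSCustomObject]@{
    PlainTextMofLeaksPassword = Test-MofLeaksPassword -MofPath .\mof-plaintext\localhost.mof -PlainTextPassword $plainTextPassword
    EncryptedMofLeaksPassword = Test-MofLeaksPassword -MofPath .\mof-encrypted\localhost.mof -PlainTextPassword $plainTextPassword
}
```

With the weak setting, the password shows up in the MSFT_Credential instance of localhost.mof and the first check reports a leak; with CertificateFile and Thumbprint set, only the encrypted blob is written and the second check does not. The same Test-MofLeaksPassword check is a reasonable gate to run in a build pipeline before any .mof is published, whether or not the extension handler is in the picture.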

Next steps