跨 Azure 租户共享库 VM 映像Share gallery VM images across Azure tenants

共享映像库可让你使用 RBAC 共享映像。Shared Image Galleries let you share images using RBAC. 可以使用 RBAC 在租户中共享映像,甚至可以与租户外部的个人共享映像。You can use RBAC to share images within your tenant, and even to individuals outside of your tenant. 但是,若要在 Azure 租户外部大规模共享映像,应创建一个应用注册来方便共享。But, if you want to share images outside of your Azure tenant, at scale, you should create an app registration to facilitate sharing. 使用应用注册可以实现更复杂的共享方案,例如:Using an app registration can enable more complex sharing scenarios, like:

  • 当一家公司并购了另一家公司,并且 Azure 基础结构分散在不同的租户之间时管理共享的映像。Managing shared images when one company acquires another, and the Azure infrastructure is spread across separate tenants.
  • Azure 合作伙伴代表其客户管理 Azure 基础结构。Azure Partners manage Azure infrastructure on behalf of their customers. 映像的自定义在合作伙伴租户内部完成,但基础结构部署都在客户的租户中发生。Customization of images is done within the partners tenant, but the infrastructure deployments will happen in the customer's tenant.

创建应用注册Create the app registration

创建由两个租户用来共享映像库资源的应用程序注册。Create an application registration that will be used by both tenants to share the image gallery resources.

  1. 在 Azure 门户中打开“应用注册(预览版)”Open the App registrations (preview) in the Azure portal.
  2. 从页面顶部的菜单中选择“新建注册”。 Select New registration from the menu at the top of the page.
  3. 在“名称”中键入 myGalleryAppIn Name, type myGalleryApp.
  4. 在“支持的帐户类型”中,选择“任何组织目录中的帐户和个人 Azure 帐户”。 In Supported account types, select Accounts in any organizational directory and personal Azure accounts.
  5. 在“重定向 URI”中键入 https://www.microsoft.com ,然后选择“注册”。 In Redirect URI, type https://www.microsoft.com and then select Register. 创建应用注册后,概述页将会打开。After the app registration has been created, the overview page will open.
  6. 在概述页上,复制“应用程序(客户端) ID”并保存供稍后使用。 On the overview page, copy the Application (client) ID and save for use later.
  7. 依次选择“证书和机密”、“新建客户端机密”。 Select Certificates & secrets, and then select New client secret.
  8. 在“说明”中,键入“共享映像库跨租户应用机密”。 In Description, type Shared image gallery cross-tenant app secret.
  9. 在“过期”中,保留默认值“1 年内”,然后选择“添加”。 In Expires, leave the default of In 1 year and then select Add.
  10. 复制机密值并将其保存到某个安全位置。Copy the value of the secret and save it to a safe place. 退出页面后无法检索该值。You cannot retrieve it after you leave the page.

为应用注册授予使用共享映像库的权限。Give the app registration permission to use the shared image gallery.

  1. 在 Azure 门户中,选择要与另一租户共享的共享映像库。In the Azure portal, select the Shared Image Gallery that you want to share with another tenant.
  2. 选择“选择访问控制(IAM)”,然后在“添加角色分配”下选择“添加”。 Select select Access control (IAM), and under Add role assignment select Add.
  3. 在“角色”下,选择“读取者”。 Under Role, select Reader.
  4. 在“将访问权限分配给:”下,保留现有的“Azure AD 用户、组或服务主体”。 Under Assign access to:, leave this as Azure AD user, group, or service principal.
  5. 在“选择”下键入 myGalleryApp,并在此应用显示在列表中时将其选中。 Under Select, type myGalleryApp and select it when it shows up in the list. 完成后,选择“保存” 。When you are done, select Save.

授予租户 2 访问权限Give Tenant 2 access

通过使用浏览器请求登录,授予租户 2 对应用程序的访问权限。Give Tenant 2 access to the application by requesting a sign-in using a browser. 请将 <Tenant2 ID> 替换为要与其共享映像库的租户的租户 ID。Replace <Tenant2 ID> with the tenant ID for the tenant that you would like to share your image gallery with. 请将 <Application (client) ID> 替换为创建的应用注册的应用程序 ID。Replace <Application (client) ID> with the application ID of the app registration you created. 完成替换后,将 URL 粘贴到浏览器中,然后遵照登录提示登录到租户 2。When done making the replacements, paste the URL into a browser and follow the sign-in prompts to sign into Tenant 2.

https://login.chinacloudapi.cn/<Tenant 2 ID>/oauth2/authorize?client_id=<Application (client) ID>&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com%2F 

Azure 门户中以租户 2 的身份登录,并允许应用注册访问要在其中创建 VM 的资源组。In the Azure portal sign in as Tenant 2 and give the app registration access to the resource group where you want to create the VM.

  1. 选择该资源组,然后选择“访问控制(IAM)”。 Select the resource group and then select Access control (IAM). 在“添加角色分配”下,选择“添加”。 Under Add role assignment select Add.
  2. 在“角色”下,键入“参与者”。 Under Role, type Contributor.
  3. 在“将访问权限分配给:”下,保留现有的“Azure AD 用户、组或服务主体”。 Under Assign access to:, leave this as Azure AD user, group, or service principal.
  4. 在“选择”下键入 myGalleryApp,并在此应用显示在列表中时将其选中。 Under Select type myGalleryApp then select it when it shows up in the list. 完成后,选择“保存” 。When you are done, select Save.

Note

需等待映像版本彻底生成并复制完毕,然后才能使用同一托管映像来创建另一映像版本。You need to wait for the image version to completely finish being built and replicated before you can use the same managed image to create another image version.

Important

不能使用门户从另一个 Azure 租户中的映像部署 VM。You cannot use the portal to deploy a VM from an image in another azure tenant. 若要从租户之间共享的映像创建 VM,必须使用 Azure CLI 或 PowershellTo create a VM from an image shared between tenants, you must use the Azure CLI or Powershell.

使用 Azure CLI 创建 VMCreate a VM using Azure CLI

使用租户 1 的 appID、应用密钥以及 ID 登录到租户 1 的服务主体。Sign in the service principal for tenant 1 using the appID, the app key, and the ID of tenant 1. 可以根据需要使用 az account show --query "tenantId" 获取租户 ID。You can use az account show --query "tenantId" to get the tenant IDs if needed.

az account clear
az login --service-principal -u '<app ID>' -p '<Secret>' --tenant '<tenant 1 ID>'
az account get-access-token 

使用租户 2 的 appID、应用密钥以及 ID 登录到租户 2 的服务主体:Sign in the service principal for tenant 2 using the appID, the app key, and the ID of tenant 2:

az login --service-principal -u '<app ID>' -p '<Secret>' --tenant '<tenant 2 ID>'
az account get-access-token

创建 VM。Create the VM. 请将示例中的信息替换为你自己的。Replace the information in the example with your own.

az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image "/subscriptions/<Tenant 1 subscription>/resourceGroups/<Resource group>/providers/Microsoft.Compute/galleries/<Gallery>/images/<Image definition>/versions/<version>" \
  --admin-username azureuser \
  --generate-ssh-keys

后续步骤Next steps

如果遇到任何问题,可以对共享映像库进行故障排除If you run into any issues, you can troubleshoot shared image galleries.