Federated Identity Credentials - Create Or Update

Referência

Service:: Managed Identity

API Version:: 2023-01-31

Crie ou atualize uma credencial de identidade federada sob a identidade atribuída pelo usuário especificada.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{resourceName}/federatedIdentityCredentials/{federatedIdentityCredentialResourceName}?api-version=2023-01-31

Parâmetros de URI

Nome	Em	Obrigatório	Tipo	Description
federatedIdentityCredentialResourceName	path	True	string	O nome do recurso de credencial de identidade federada. Regex pattern: `^[a-zA-Z0-9]{1}[a-zA-Z0-9-_]{2,119}$`
resourceGroupName	path	True	string	O nome do Grupo de Recursos ao qual a identidade pertence.
resourceName	path	True	string	O nome do recurso de identidade.
subscriptionId	path	True	string	A ID da Assinatura à qual a identidade pertence.
api-version	query	True	string	Versão da API a ser invocada.

Corpo da solicitação

Nome	Obrigatório	Tipo	Description
properties.audiences	True	string[]	A lista de públicos que podem aparecer no token emitido.
properties.issuer	True	string	A URL do emissor a ser confiável.
properties.subject	True	string	O identificador da identidade externa.

Respostas

Nome	Tipo	Description
200 OK	FederatedIdentityCredential	Credencial de identidade federada atualizada.
201 Created	FederatedIdentityCredential	Criou a credencial de identidade federada.
Other Status Codes	CloudError	Resposta de erro que descreve por que a operação falhou.

Segurança

azure_auth

Fluxo do OAuth2 do Azure Active Directory

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Nome	Description
user_impersonation	representar sua conta de usuário

Exemplos

FederatedIdentityCredentialCreate

Sample Request

PUT https://management.azure.com/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourceGroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/resourceName/federatedIdentityCredentials/ficResourceName?api-version=2023-01-31

{
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  }
}


import com.azure.resourcemanager.msi.fluent.models.FederatedIdentityCredentialInner;
import java.util.Arrays;

/** Samples for FederatedIdentityCredentials CreateOrUpdate. */
public final class Main {
    /*
     * x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/
     * FederatedIdentityCredentialCreate.json
     */
    /**
     * Sample code: FederatedIdentityCredentialCreate.
     *
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void federatedIdentityCredentialCreate(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.identities().manager().serviceClient().getFederatedIdentityCredentials().createOrUpdateWithResponse(
            "rgName", "resourceName", "ficResourceName",
            new FederatedIdentityCredentialInner().withIssuer("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID")
                .withSubject("system:serviceaccount:ns:svcaccount")
                .withAudiences(Arrays.asList("api://AzureADTokenExchange")),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential
from azure.mgmt.msi import ManagedServiceIdentityClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-msi
# USAGE
    python federated_identity_credential_create.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = ManagedServiceIdentityClient(
        credential=DefaultAzureCredential(),
        subscription_id="c267c0e7-0a73-4789-9e17-d26aeb0904e5",
    )

    response = client.federated_identity_credentials.create_or_update(
        resource_group_name="rgName",
        resource_name="resourceName",
        federated_identity_credential_resource_name="ficResourceName",
        parameters={
            "properties": {
                "audiences": ["api://AzureADTokenExchange"],
                "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
                "subject": "system:serviceaccount:ns:svcaccount",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armmsi_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/3d7a3848106b831a4a7f46976fe38aa605c4f44d/specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
func ExampleFederatedIdentityCredentialsClient_CreateOrUpdate() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armmsi.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewFederatedIdentityCredentialsClient().CreateOrUpdate(ctx, "rgName", "resourceName", "ficResourceName", armmsi.FederatedIdentityCredential{
		Properties: &armmsi.FederatedIdentityCredentialProperties{
			Audiences: []*string{
				to.Ptr("api://AzureADTokenExchange")},
			Issuer:  to.Ptr("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
			Subject: to.Ptr("system:serviceaccount:ns:svcaccount"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.FederatedIdentityCredential = armmsi.FederatedIdentityCredential{
	// 	Name: to.Ptr("ficResourceName"),
	// 	Type: to.Ptr("Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"),
	// 	ID: to.Ptr("/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName"),
	// 	Properties: &armmsi.FederatedIdentityCredentialProperties{
	// 		Audiences: []*string{
	// 			to.Ptr("api://AzureADTokenExchange")},
	// 			Issuer: to.Ptr("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
	// 			Subject: to.Ptr("system:serviceaccount:ns:svcaccount"),
	// 		},
	// 	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { ManagedServiceIdentityClient } = require("@azure/arm-msi");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Create or update a federated identity credential under the specified user assigned identity.
 *
 * @summary Create or update a federated identity credential under the specified user assigned identity.
 * x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
 */
async function federatedIdentityCredentialCreate() {
  const subscriptionId =
    process.env["MSI_SUBSCRIPTION_ID"] || "c267c0e7-0a73-4789-9e17-d26aeb0904e5";
  const resourceGroupName = process.env["MSI_RESOURCE_GROUP"] || "rgName";
  const resourceName = "resourceName";
  const federatedIdentityCredentialResourceName = "ficResourceName";
  const parameters = {
    audiences: ["api://AzureADTokenExchange"],
    issuer: "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    subject: "system:serviceaccount:ns:svcaccount",
  };
  const credential = new DefaultAzureCredential();
  const client = new ManagedServiceIdentityClient(credential, subscriptionId);
  const result = await client.federatedIdentityCredentials.createOrUpdate(
    resourceGroupName,
    resourceName,
    federatedIdentityCredentialResourceName,
    parameters
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ManagedServiceIdentities;

// Generated from example definition: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
// this example is just showing the usage of "FederatedIdentityCredentials_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this UserAssignedIdentityResource created on azure
// for more information of creating UserAssignedIdentityResource, please refer to the document of UserAssignedIdentityResource
string subscriptionId = "c267c0e7-0a73-4789-9e17-d26aeb0904e5";
string resourceGroupName = "rgName";
string resourceName = "resourceName";
ResourceIdentifier userAssignedIdentityResourceId = UserAssignedIdentityResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, resourceName);
UserAssignedIdentityResource userAssignedIdentity = client.GetUserAssignedIdentityResource(userAssignedIdentityResourceId);

// get the collection of this FederatedIdentityCredentialResource
FederatedIdentityCredentialCollection collection = userAssignedIdentity.GetFederatedIdentityCredentials();

// invoke the operation
string federatedIdentityCredentialResourceName = "ficResourceName";
FederatedIdentityCredentialData data = new FederatedIdentityCredentialData()
{
    IssuerUri = new Uri("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
    Subject = "system:serviceaccount:ns:svcaccount",
    Audiences =
    {
    "api://AzureADTokenExchange"
    },
};
ArmOperation<FederatedIdentityCredentialResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, federatedIdentityCredentialResourceName, data);
FederatedIdentityCredentialResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
FederatedIdentityCredentialData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 201

{
  "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName",
  "name": "ficResourceName",
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  },
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

Status code:: 200

{
  "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName",
  "name": "ficResourceName",
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  },
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

Definições

Nome	Description
CloudError	Uma resposta de erro do serviço ManagedServiceIdentity.
CloudErrorBody	Uma resposta de erro do serviço ManagedServiceIdentity.
createdByType	O tipo de identidade que criou o recurso.
FederatedIdentityCredential	Descreve uma credencial de identidade federada.
systemData	Metadados relativos à criação e à última modificação do recurso.

CloudError

Uma resposta de erro do serviço ManagedServiceIdentity.

Nome	Tipo	Description
error	CloudErrorBody	Uma lista de detalhes adicionais sobre o erro.

CloudErrorBody

Uma resposta de erro do serviço ManagedServiceIdentity.

Nome	Tipo	Description
code	string	Um identificador para o erro.
details	CloudErrorBody[]	Uma lista de detalhes adicionais sobre o erro.
message	string	Uma mensagem que descreve o erro, destinada a ser adequada para exibição em uma interface do usuário.
target	string	O destino do erro específico. Por exemplo, o nome da propriedade em erro.

createdByType

O tipo de identidade que criou o recurso.

Nome	Tipo	Description
Application	string
Key	string
ManagedIdentity	string
User	string

FederatedIdentityCredential

Descreve uma credencial de identidade federada.

Nome	Tipo	Description
id	string	ID de recurso totalmente qualificada para o recurso. Por exemplo, "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
name	string	O nome do recurso
properties.audiences	string[]	A lista de públicos que podem aparecer no token emitido.
properties.issuer	string	A URL do emissor a ser confiável.
properties.subject	string	O identificador da identidade externa.
systemData	systemData	Os metadados do Azure Resource Manager que contêm as informações createdBy e modifiedBy.
type	string	Tipo do recurso. Por exemplo, "Microsoft.Compute/virtualMachines" ou "Microsoft.Storage/storageAccounts"

systemData

Metadados relativos à criação e à última modificação do recurso.

Nome	Tipo	Description
createdAt	string	O carimbo de data/hora da criação de recursos (UTC).
createdBy	string	A identidade que criou o recurso.
createdByType	createdByType	O tipo de identidade que criou o recurso.
lastModifiedAt	string	O carimbo de data/hora da última modificação do recurso (UTC)
lastModifiedBy	string	A identidade que modificou o recurso pela última vez.
lastModifiedByType	createdByType	O tipo de identidade que modificou o recurso pela última vez.