
What are managed identities for Azure resources?

Managed identities for Azure resources is a feature of Azure Active Directory. Each Azure service that supports managed identities for Azure resources is subject to its own timeline. Make sure you review the availability status of managed identities for your resource and the known issues before you begin.

A common challenge when building cloud applications is how to manage the credentials in your code for authenticating to cloud services. Keeping those credentials secure is an important task. Ideally, the credentials never appear on developer workstations and aren't checked into source control. Azure Key Vault provides a way to securely store credentials, secrets, and other keys, but your code has to authenticate to Key Vault to retrieve them.

The managed identities for Azure resources feature in Azure Active Directory (Azure AD) solves this problem. The feature provides Azure services with an automatically managed identity in Azure AD. You can use the identity to authenticate to any service that supports Azure AD authentication, including Key Vault, without any credentials in your code.

The managed identities for Azure resources feature is free with Azure AD for Azure subscriptions. There's no additional cost.

Note

Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

Terminology

The following terms are used throughout the managed identities for Azure resources documentation set:

  • Client ID - a unique identifier generated by Azure AD that is tied to an application and service principal during its initial provisioning.
  • Principal ID - the object ID of the service principal object for your managed identity, used to grant role-based access to an Azure resource.
  • Azure Instance Metadata Service (IMDS) - a REST endpoint accessible to all IaaS VMs created via Azure Resource Manager. The endpoint is available at a well-known non-routable IP address (169.254.169.254) that can be accessed only from within the VM.

How do managed identities for Azure resources work?

There are two types of managed identities:

  • A system-assigned managed identity is enabled directly on an Azure service instance. When the identity is enabled, Azure creates an identity for the instance in the Azure AD tenant that's trusted by the subscription of the instance. After the identity is created, the credentials are provisioned onto the instance. The lifecycle of a system-assigned identity is directly tied to the Azure service instance that it's enabled on. If the instance is deleted, Azure automatically cleans up the credentials and the identity in Azure AD.
  • A user-assigned managed identity is created as a standalone Azure resource. Through a create process, Azure creates an identity in the Azure AD tenant that's trusted by the subscription in use. After the identity is created, it can be assigned to one or more Azure service instances. The lifecycle of a user-assigned identity is managed separately from the lifecycle of the Azure service instances to which it's assigned.

Internally, managed identities are service principals of a special type, which are locked so that they can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed.

Your code can use a managed identity to request access tokens for services that support Azure AD authentication. Azure takes care of rolling the credentials that are used by the service instance.

The following diagram shows how managed service identities work with Azure virtual machines (VMs):

Diagram: Managed service identities and Azure VMs

Property                       | System-assigned managed identity | User-assigned managed identity
Creation                       | Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service). | Created as a stand-alone Azure resource.
Lifecycle                      | Shared lifecycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well. | Independent lifecycle. Must be explicitly deleted.
Sharing across Azure resources | Cannot be shared. It can only be associated with a single Azure resource. | Can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.
Common use cases               | Workloads that are contained within a single Azure resource. Workloads for which you need independent identities. For example, an application that runs on a single virtual machine. | Workloads that run on multiple resources and which can share a single identity. Workloads that need pre-authorization to a secure resource as part of a provisioning flow. Workloads where resources are recycled frequently, but permissions should stay consistent. For example, a workload where multiple virtual machines need to access the same resource.

How a system-assigned managed identity works with an Azure VM

  1. Azure Resource Manager receives a request to enable the system-assigned managed identity on a VM.

  2. Azure Resource Manager creates a service principal in Azure AD for the identity of the VM. The service principal is created in the Azure AD tenant that's trusted by the subscription.

  3. Azure Resource Manager configures the identity on the VM by updating the Azure Instance Metadata Service identity endpoint with the service principal client ID and certificate.

  4. After the VM has an identity, use the service principal information to grant the VM access to Azure resources. To call Azure Resource Manager, use role-based access control (RBAC) in Azure AD to assign the appropriate role to the VM service principal. To call Key Vault, grant your code access to the specific secret or key in Key Vault.

  5. Your code that's running on the VM can request a token from the Azure Instance Metadata Service endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token

    • The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use resource=https://management.azure.com/.
    • The API version parameter specifies the IMDS version; use api-version=2018-02-01 or greater.

  6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.

  7. Your code sends the access token on a call to a service that supports Azure AD authentication.

How a user-assigned managed identity works with an Azure VM

  1. Azure Resource Manager receives a request to create a user-assigned managed identity.

  2. Azure Resource Manager creates a service principal in Azure AD for the user-assigned managed identity. The service principal is created in the Azure AD tenant that's trusted by the subscription.

  3. Azure Resource Manager receives a request to configure the user-assigned managed identity on a VM and updates the Azure Instance Metadata Service identity endpoint with the user-assigned managed identity service principal client ID and certificate.

  4. After the user-assigned managed identity is created, use the service principal information to grant the identity access to Azure resources. To call Azure Resource Manager, use RBAC in Azure AD to assign the appropriate role to the service principal of the user-assigned identity. To call Key Vault, grant your code access to the specific secret or key in Key Vault.

    Note

    You can also do this step before step 3.

  5. Your code that's running on the VM can request a token from the Azure Instance Metadata Service identity endpoint, accessible only from within the VM: http://169.254.169.254/metadata/identity/oauth2/token

    • The resource parameter specifies the service to which the token is sent. To authenticate to Azure Resource Manager, use resource=https://management.azure.com/.
    • The client ID parameter specifies the identity for which the token is requested. This value is required for disambiguation when more than one user-assigned identity is on a single VM.
    • The API version parameter specifies the Azure Instance Metadata Service version. Use api-version=2018-02-01 or higher.

  6. A call is made to Azure AD to request an access token (as specified in step 5) by using the client ID and certificate configured in step 3. Azure AD returns a JSON Web Token (JWT) access token.

  7. Your code sends the access token on a call to a service that supports Azure AD authentication.
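The token request in step 5 of both procedures above (system-assigned and user-assigned), as an added Python example that is not part of the original page and not Microsoft's own SDK code. It assumes the IMDS endpoint, the resource and api-version parameters, and the client_id query parameter named on the page; the Metadata: true request header, which IMDS requires but this page does not mention; and the JSON response fields access_token, expires_on, resource and token_type. The sample response and JWT are constructed so the block runs offline; fetch_token is the only live call and only works on an Azure VM with a managed identity.

```python
import base64
import json
import urllib.parse
import urllib.request

# From the page: the IMDS identity endpoint and the minimum api-version.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"


def build_token_request(resource, client_id=None, api_version=API_VERSION):
    """Return (url, headers) for an IMDS token request.

    resource  -- audience the token is for, e.g. https://management.azure.com/
    client_id -- client ID of a user-assigned identity; omit for the
                 system-assigned identity (only needed to disambiguate when
                 several user-assigned identities are attached to the VM).
    """
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests that lack this header (a documented IMDS
    # requirement, not stated on this page); it ensures the caller is a
    # client that can set arbitrary request headers.
    headers = {"Metadata": "true"}
    return url, headers


def parse_token_response(body):
    """Parse the JSON body IMDS returns. Field names follow the IMDS
    response format (access_token, expires_on, resource, token_type)."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return {
        "access_token": data["access_token"],
        "expires_on": int(data["expires_on"]),  # absolute Unix time
        "resource": data["resource"],
    }


def token_is_fresh(token, now, skew=300):
    """True while a cached token stays valid for at least `skew` more seconds.
    Azure rolls the underlying credential; your code only re-asks IMDS."""
    return token["expires_on"] - skew > now


def jwt_claims(token):
    """Decode the JWT payload without checking the signature. Use this only
    to inspect a token your own code received, never to validate tokens
    presented to you (the receiving service validates the signature)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token, resource):
    """Confirm the token was minted for the resource we asked for before
    sending it anywhere (a token for ARM must not be sent to Key Vault)."""
    return jwt_claims(token).get("aud") == resource


def fetch_token(resource, client_id=None):
    """Live call: works only on an Azure VM with a managed identity."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())


# --- Constructed sample data (not a real token; placeholder IDs) ---
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": "https://management.azure.com/",
             "appid": "00000000-0000-0000-0000-000000000000",
             "exp": 1700003600}),
    "c2lnbmF0dXJl",  # placeholder signature, not cryptographically valid
])

SAMPLE_RESPONSE = json.dumps({
    "access_token": SAMPLE_TOKEN,
    "expires_on": "1700003600",
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
})

if __name__ == "__main__":
    print(build_token_request("https://management.azure.com/")[0])
    tok = parse_token_response(SAMPLE_RESPONSE)
    print("fresh at 1700000000:", token_is_fresh(tok, now=1700000000))
    print("audience ok:", audience_matches(tok["access_token"], tok["resource"]))
```

The two checks after the request are the ones worth keeping in production code: cache the token and re-request it from IMDS before expires_on rather than on every call, and compare the aud claim with the resource you requested so a token for one service is never sent to another.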

How can I use managed identities for Azure resources?

To learn how to use managed identities to access different Azure resources, try these tutorials.

Note

Check out the Implementing Managed Identities for Microsoft Azure Resources course for more information about managed identities, including detailed video walkthroughs of several supported scenarios.

Learn how to use a managed identity with a Windows VM:

Learn how to use a managed identity with a Linux VM:

Learn how to use a managed identity with other Azure services:

What Azure services support the feature?

Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.

Next steps

Get started with the managed identities for Azure resources feature with the following quickstarts: