
What are managed identities for Azure resources?

A common challenge for developers is managing the secrets and credentials used to secure communication between the different components that make up a solution. Managed identities remove the need for developers to handle those credentials at all. A managed identity gives an application an identity in Azure Active Directory (Azure AD) that it can use when connecting to any resource that supports Azure AD authentication. The application uses the managed identity to obtain Azure AD tokens; the credential that backs the identity is provisioned and rotated by the platform and is never exposed to the application code. For example, an application can use its managed identity to authenticate to Azure Key Vault, where developers store the credentials it does need in a secure manner, or to access storage accounts directly.

What can a managed identity be used for?

Here are some of the benefits of using managed identities:

  • You do not need to manage credentials. The credentials are not even accessible to you, so they cannot leak through source control, configuration files, or logs.
  • You can use managed identities to authenticate to any resource that supports Azure Active Directory authentication, including your own applications.
  • Managed identities can be used without any additional cost.

Note

Managed identities for Azure resources is the new name for the service formerly known as Managed Service Identity (MSI).

Managed identity types

There are two types of managed identities:

  • System-assigned: Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that is tied to the lifecycle of that service instance, so when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
  • User-assigned: You can also create a managed identity as a standalone Azure resource. You create a user-assigned managed identity and then assign it to one or more instances of an Azure service. With user-assigned managed identities, the identity is managed separately from the resources that use it, and deleting one of those resources does not delete the identity.

The table below shows the differences between the two types of managed identities.

Creation
  System-assigned managed identity: Created as part of an Azure resource (for example, an Azure virtual machine or Azure App Service).
  User-assigned managed identity: Created as a stand-alone Azure resource.

Life cycle
  System-assigned managed identity: Shared life cycle with the Azure resource that the managed identity is created with. When the parent resource is deleted, the managed identity is deleted as well.
  User-assigned managed identity: Independent life cycle. Must be explicitly deleted.

Sharing across Azure resources
  System-assigned managed identity: Cannot be shared. It can only be associated with a single Azure resource.
  User-assigned managed identity: Can be shared. The same user-assigned managed identity can be associated with more than one Azure resource.

Common use cases
  System-assigned managed identity: Workloads that are contained within a single Azure resource, or for which you need independent identities. For example, an application that runs on a single virtual machine.
  User-assigned managed identity: Workloads that run on multiple resources and can share a single identity; workloads that need pre-authorization to a secure resource as part of a provisioning flow; workloads where resources are recycled frequently but permissions should stay consistent. For example, a workload where multiple virtual machines need to access the same resource.

Important

Regardless of the type of identity chosen, a managed identity is a service principal of a special type that can only be used with Azure resources. When the managed identity is deleted, the corresponding service principal is automatically removed, and any role assignments that referenced it stop granting access.

How can I use managed identities for Azure resources?

Some examples of how developers can use managed identities to access resources from their code without managing authentication information:
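The following is an added example, not code from the Azure documentation, showing what "obtaining an Azure AD token from the managed identity" looks like from inside a virtual machine. Code on the VM calls the link-local Instance Metadata Service (IMDS) endpoint with the mandatory Metadata header and the audience it wants a token for; a system-assigned identity needs nothing else, while a user-assigned identity is selected with a client_id parameter because several can be attached to one VM. The token is then presented as a bearer token to Key Vault. The IMDS URL, api-version, header and query parameters are documented Azure behaviour; the JSON reply, the GUID and the vault name are constructed placeholders so the example runs off-box.

```python
"""Added example: acquire a managed-identity token from IMDS and use it against Key Vault."""
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Link-local IMDS endpoint: only reachable from inside the VM, never routed externally.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
KEY_VAULT_RESOURCE = "https://vault.azure.net"   # token audience for Key Vault


def token_request_params(resource: str, client_id: Optional[str] = None) -> dict:
    """Query parameters for the IMDS token call. A system-assigned identity needs
    only the resource; a user-assigned identity must be named explicitly (client_id)."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return params


def build_token_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(token_request_params(resource, client_id))
    # The Metadata header is mandatory; IMDS rejects requests without it, which blocks
    # browser-originated or simple SSRF requests that cannot set custom headers.
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


@dataclass
class Token:
    access_token: str
    expires_on: int      # Unix epoch seconds; IMDS returns it as a string
    resource: str


def parse_token_response(body: str) -> Token:
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    return Token(data["access_token"], int(data["expires_on"]), data["resource"])


def is_expired(token: Token, now: Optional[float] = None, skew_seconds: int = 300) -> bool:
    """Treat the token as expired a few minutes early so a call in flight does not fail."""
    now = time.time() if now is None else now
    return token.expires_on - skew_seconds <= now


def fetch_token(resource: str, client_id: Optional[str] = None,
                opener: Callable = urllib.request.urlopen) -> Token:
    with opener(build_token_request(resource, client_id), timeout=5) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


def build_secret_request(vault_url: str, secret_name: str, token: Token) -> urllib.request.Request:
    """GET a secret from Key Vault, presenting the managed identity's token as a bearer token."""
    if not vault_url.startswith("https://"):
        raise ValueError("bearer tokens must only be sent over TLS")
    if token.resource != KEY_VAULT_RESOURCE:
        raise ValueError("token was issued for a different audience")
    url = f"{vault_url.rstrip('/')}/secrets/{urllib.parse.quote(secret_name)}?api-version=7.4"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token.access_token}"})


# Constructed IMDS reply so the example runs off-box; on a VM pass urllib.request.urlopen.
CONSTRUCTED_IMDS_BODY = json.dumps({
    "access_token": "eyJ0eXAiOiJKV1Qi.constructed-token-body.signature",
    "expires_in": "3599", "expires_on": "1700003599",
    "resource": KEY_VAULT_RESOURCE, "token_type": "Bearer",
})


class ConstructedImdsOpener:
    """Stand-in for urllib.request.urlopen that records the request and returns the sample body."""
    last_request = None

    def __init__(self, request, timeout=None):
        ConstructedImdsOpener.last_request = request

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self) -> bytes:
        return CONSTRUCTED_IMDS_BODY.encode("utf-8")


if __name__ == "__main__":
    # System-assigned identity: no client_id; only this VM can obtain this token.
    tok = fetch_token(KEY_VAULT_RESOURCE, opener=ConstructedImdsOpener)
    print("expired?", is_expired(tok, now=1700000000))
    # User-assigned identity (placeholder client_id): same code, one extra parameter.
    fetch_token(KEY_VAULT_RESOURCE, client_id="00000000-0000-0000-0000-000000000001",
                opener=ConstructedImdsOpener)
    print(ConstructedImdsOpener.last_request.full_url)
    print(build_secret_request("https://contoso-kv.vault.azure.net", "db-password", tok).full_url)
```

Two points the code makes that the prose does not: no secret ever appears in the application, the only thing it holds is a short-lived bearer token, so the practical hardening is to keep that token off the wire in plaintext (the https check) and to refresh it before expiry rather than cache it indefinitely; and because IMDS is reachable by any process on the VM, a server-side request forgery or local code execution on that VM inherits the identity's permissions, which is why the identity should be granted only the roles the workload needs.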

What Azure services support the feature?

Managed identities for Azure resources can be used to authenticate to any service that supports Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.

Which operations can I perform using managed identities?

Resources that support system-assigned managed identities allow you to:

If you choose a user-assigned managed identity instead:

Operations on managed identities may be performed by using an Azure Resource Manager (ARM) template, the Azure portal, the Azure CLI, PowerShell, and REST APIs.

Next steps