
Use an Azure managed identity to authenticate to an Azure container registry

Use a managed identity for Azure resources to authenticate to an Azure container registry from another Azure resource, without needing to provide or manage registry credentials. For example, set up a user-assigned or system-assigned managed identity on a Linux VM to access container images from your container registry, as easily as you use a public registry.

In this article, you learn more about managed identities and how to:

  • Enable a user-assigned or system-assigned identity on an Azure VM
  • Grant the identity access to an Azure container registry
  • Use the managed identity to access the registry and pull a container image

To create the Azure resources, this article requires that you run the Azure CLI version 2.0.55 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

To set up a container registry and push a container image to it, you must also have Docker installed locally. Docker provides packages that easily configure Docker on any macOS, Windows, or Linux system.

Why use a managed identity?

A managed identity for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory (Azure AD). You can configure certain Azure resources, including virtual machines, with a managed identity. Then, use the identity to access other Azure resources, without passing credentials in code or scripts.

Managed identities are of two types:

  • User-assigned identities, which you can assign to multiple resources and persist for as long as you want. User-assigned identities are currently in preview.

  • A system-managed identity, which is unique to a specific resource like a single virtual machine and lasts for the lifetime of that resource.

After you set up an Azure resource with a managed identity, give the identity the access you want to another resource, just like any security principal. For example, assign a managed identity a role with pull, push and pull, or other permissions to a private registry in Azure. (For a complete list of registry roles, see Azure Container Registry roles and permissions.) You can give an identity access to one or more resources.

Then, use the identity to authenticate to any service that supports Azure AD authentication, without any credentials in your code. To use the identity to access an Azure container registry from a virtual machine, you authenticate with Azure Resource Manager. Choose how to authenticate using the managed identity, depending on your scenario; the two examples later in this article show a user-assigned and a system-assigned identity.

Create a container registry

If you don't already have an Azure container registry, create a registry and push a sample container image to it. For steps, see Quickstart: Create a private container registry using the Azure CLI.

This article assumes you have the aci-helloworld:v1 container image stored in your registry. The examples use a registry name of myContainerRegistry. Replace with your own registry and image names in later steps.

Create a Docker-enabled VM

Create a Docker-enabled Ubuntu virtual machine. You also need to install the Azure CLI on the virtual machine. If you already have an Azure virtual machine, skip this virtual machine creation step.

Deploy a default Ubuntu Azure virtual machine with az vm create. The following example creates a VM named myDockerVM in an existing resource group named myResourceGroup:

az vm create \
    --resource-group myResourceGroup \
    --name myDockerVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys

It takes a few minutes for the VM to be created. When the command completes, take note of the publicIpAddress displayed by the Azure CLI. Use this address to make SSH connections to the VM.

Install Docker on the VM

After the VM is running, make an SSH connection to the VM. Replace publicIpAddress with the public IP address of your VM.

ssh azureuser@publicIpAddress

Run the following command to install Docker on the VM:

sudo apt install docker.io -y

After installation, run the following command to verify that Docker is running properly on the VM:

sudo docker run -it hello-world

Output:

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

Install the Azure CLI

Follow the steps in Install Azure CLI with apt to install the Azure CLI on your Ubuntu virtual machine. For this article, ensure that you install version 2.0.55 or later.

Exit the SSH session.

Example 1: Access with a user-assigned identity

Create an identity

Create an identity in your subscription using the az identity create command. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.

az identity create --resource-group myResourceGroup --name myACRId

To configure the identity in the following steps, use the az identity show command to store the identity's resource ID and service principal ID in variables.

# Get resource ID of the user-assigned identity
userID=$(az identity show --resource-group myResourceGroup --name myACRId --query id --output tsv)

# Get service principal ID of the user-assigned identity
spID=$(az identity show --resource-group myResourceGroup --name myACRId --query principalId --output tsv)

Because you need the identity's ID in a later step, when you sign in to the CLI from your virtual machine, display the value:

echo $userID

The ID is of the form:

/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId

Configure the VM with the identity

The following az vm identity assign command configures your Docker VM with the user-assigned identity:

az vm identity assign --resource-group myResourceGroup --name myDockerVM --identities $userID

Grant identity access to the container registry

Now configure the identity to access your container registry. First use the az acr show command to get the resource ID of the registry:

resourceID=$(az acr show --resource-group myResourceGroup --name myContainerRegistry --query id --output tsv)

Use the az role assignment create command to assign the AcrPull role on the registry to the identity. This role provides pull permissions to the registry. To provide both pull and push permissions, assign the ACRPush role.

az role assignment create --assignee $spID --scope $resourceID --role acrpull

Use the identity to access the registry

SSH into the Docker virtual machine that's configured with the identity. Run the following Azure CLI commands, using the Azure CLI installed on the VM.

First, authenticate to the Azure CLI with az login, using the identity you configured on the VM. For <userID>, substitute the ID of the identity you retrieved in a previous step.

az login --identity --username <userID>

Then, authenticate to the registry with az acr login. When you use this command, the CLI uses the Active Directory token created when you ran az login to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with sudo.)

az acr login --name myContainerRegistry

You should see a Login succeeded message. You can then run docker commands without providing credentials. For example, run docker pull to pull the aci-helloworld:v1 image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by .azurecr.io, for example mycontainerregistry.azurecr.io.

docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1

Example 2: Access with a system-assigned identity

Configure the VM with a system-managed identity

The following az vm identity assign command configures your Docker VM with a system-assigned identity:

az vm identity assign --resource-group myResourceGroup --name myDockerVM

Use the az vm show command to set a variable to the value of principalId (the service principal ID) of the VM's identity, to use in later steps.

spID=$(az vm show --resource-group myResourceGroup --name myDockerVM --query identity.principalId --out tsv)

Grant identity access to the container registry

Now configure the identity to access your container registry. First use the az acr show command to get the resource ID of the registry:

resourceID=$(az acr show --resource-group myResourceGroup --name myContainerRegistry --query id --output tsv)

Use the az role assignment create command to assign the AcrPull role on the registry to the identity. This role provides pull permissions to the registry. To provide both pull and push permissions, assign the ACRPush role.

az role assignment create --assignee $spID --scope $resourceID --role acrpull

Use the identity to access the registry

SSH into the Docker virtual machine that's configured with the identity. Run the following Azure CLI commands, using the Azure CLI installed on the VM.

First, authenticate the Azure CLI with az login, using the system-assigned identity on the VM.

az login --identity

Then, authenticate to the registry with az acr login. When you use this command, the CLI uses the Active Directory token created when you ran az login to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with sudo.)

az acr login --name myContainerRegistry

You should see a Login succeeded message. You can then run docker commands without providing credentials. For example, run docker pull to pull the aci-helloworld:v1 image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by .azurecr.io, for example mycontainerregistry.azurecr.io.

docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1
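As an added example (not part of this Azure article), the following script wraps the role-assignment step that both Example 1 and Example 2 perform with two checks a defender wants before granting a managed identity registry access: it refuses any role other than AcrPull or AcrPush, and it refuses a scope wider than a single registry, then lists what the principal actually holds at that scope. It assumes the Azure CLI is installed and signed in; the run_az wrapper and the DRY_RUN variable are this script's own conventions so it can be exercised without a subscription.

```shell
#!/usr/bin/env bash
# Added example: least-privilege AcrPull/AcrPush grant for a managed identity, with checks.
# Not from the Azure docs. Assumes az is installed and signed in; DRY_RUN=1 only echoes az calls.
set -eu

# Wrapper so the script can be exercised without a subscription (DRY_RUN=1 prints the command).
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Login server = registry name in lowercase followed by .azurecr.io (as the article states).
login_server_for() {
  printf '%s.azurecr.io\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Least-privilege check: the scope must be exactly one registry resource ID.
# A resource-group or subscription scope would grant pull on every registry under it.
is_registry_scope() {
  local s rest
  s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$s" in
    /subscriptions/*/resourcegroups/*/providers/microsoft.containerregistry/registries/*) ;;
    *) return 1 ;;
  esac
  rest=${s##*/registries/}
  case "$rest" in ""|*/*) return 1 ;; esac   # nothing nested below the registry itself
  return 0
}

# Usage: grant_registry_role <principal-id> <registry-resource-id> <acrpull|acrpush>
grant_registry_role() {
  local sp_id scope role
  sp_id=$1
  scope=$2
  role=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
  case "$role" in
    acrpull|acrpush) ;;
    *) echo "refusing role '$3': only acrpull or acrpush are granted by this script" >&2; return 1 ;;
  esac
  if ! is_registry_scope "$scope"; then
    echo "refusing scope '$scope': must be a single registry resource ID" >&2; return 1
  fi
  run_az role assignment create --assignee "$sp_id" --scope "$scope" --role "$role"
  # Verify what the principal now holds at this scope (expect only the role just granted).
  run_az role assignment list --assignee "$sp_id" --scope "$scope" \
    --query "[].roleDefinitionName" --output tsv
}
```

On the VM, the same spID and resourceID variables the article sets can be passed straight in: grant_registry_role "$spID" "$resourceID" acrpull.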

Next steps

In this article, you learned about using managed identities with Azure Container Registry and how to:

  • Enable a user-assigned or system-assigned identity in an Azure VM
  • Grant the identity access to an Azure container registry
  • Use the managed identity to access the registry and pull a container image