
Sign in with Azure CLI

There are several authentication types for the Azure CLI. The easiest way to get started is with Azure Cloud Shell, which automatically logs you in. Locally, you can sign in interactively through your browser with the az login command. When writing scripts, the recommended approach is to use service principals. By granting just the appropriate permissions needed to a service principal, you can keep your automation secure.

None of your sign-in information is stored by the CLI. Instead, an authentication refresh token is generated by Azure and stored. As of August 2018 this token is revoked after 90 days of inactivity, but this value can be changed by Microsoft or your tenant administrator. Once the token is revoked you get a message from the CLI saying you need to sign in again.

After signing in, CLI commands are run against your default subscription. If you have multiple subscriptions, you can change your default subscription.

Sign in interactively

The Azure CLI's default authentication method uses a web browser and an access token to sign in.

  1. Run the login command.

    az login

    If the CLI can open your default browser, it will do so and load an Azure sign-in page.

    Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.

  2. Sign in with your account credentials in the browser.

Sign in with credentials on the command line

Provide your Azure user credentials on the command line.

Note

This approach doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.

az login -u <username> -p <password>

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.

read -sp "Azure password: " AZ_PASS && echo && az login -u <username> -p "$AZ_PASS"

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <username>
az login -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password

Sign in with a service principal

Service principals are accounts not tied to any particular user, which can have permissions assigned to them through pre-defined roles. Authenticating with a service principal is the best way to write secure scripts or programs, allowing you to apply both permission restrictions and locally stored static credential information. To learn more about service principals, see Create an Azure service principal with the Azure CLI.

To sign in with a service principal, you need:

  • The URL or name associated with the service principal
  • The service principal password, or the X509 certificate used to create the service principal, in PEM format
  • The tenant associated with the service principal, as either an .onmicrosoft.com domain or an Azure object ID

Important

If your service principal uses a certificate that is stored in Key Vault, that certificate's private key must be available without signing in to Azure. To retrieve a private key for use offline, use az keyvault secret show.

az login --service-principal -u <app-url> -p <password-or-cert> --tenant <tenant>

Important

If you want to avoid displaying your password on the console and are using az login interactively, use the read -s command under bash.

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-url> -p "$AZ_PASS" --tenant <tenant>

Under PowerShell, use the Get-Credential cmdlet.

$AzCred = Get-Credential -UserName <app-url>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>
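The following bash script is an added example, not part of the Azure CLI documentation: it wraps the service-principal and read -s guidance above into one scripted sign-in that prefers a PEM certificate (so the secret never appears in the az process's argument list) and validates the two --tenant forms the page lists. The function names sp_login, valid_tenant and credential_mode, and the placeholder GUIDs, are chosen here for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure CLI docs: scripted service-principal
# sign-in that keeps the secret off the console and, when a PEM certificate
# is available, off the az process's argument list as well.
set -eu

# --tenant accepts either an .onmicrosoft.com domain or the tenant's object ID
# (a GUID). Reject anything else before az is ever called.
valid_tenant() {
  case "$1" in
    *.onmicrosoft.com) return 0 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prefer a certificate: -p then carries a file path, so nothing secret shows
# up in `ps` output. A password passed through -p is visible to other local
# processes for as long as az runs, even when read -s kept it off the terminal.
credential_mode() {
  if [ -n "$1" ] && [ -f "$1" ]; then echo cert; else echo password; fi
}

# sp_login <app-url-or-id> <tenant> [path-to-cert.pem]
sp_login() {
  app="$1"; tenant="$2"; cert="${3:-}"
  valid_tenant "$tenant" || { echo "tenant must be a .onmicrosoft.com domain or a GUID" >&2; return 1; }
  if [ "$(credential_mode "$cert")" = cert ]; then
    az login --service-principal -u "$app" -p "$cert" --tenant "$tenant" >/dev/null
  else
    read -rsp "Service principal password: " AZ_PASS; echo
    az login --service-principal -u "$app" -p "$AZ_PASS" --tenant "$tenant" >/dev/null
    unset AZ_PASS   # drop the secret from the shell as soon as az has it
  fi
  # Confirm which subscription and tenant the new session landed in.
  az account show --query '{subscription:name, tenant:tenantId}' --output tsv
}
```

Call it as `sp_login <app-url> contoso.onmicrosoft.com /path/to/sp-cert.pem`; omit the third argument to be prompted for the password without echo.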

Sign in with a different tenant

You can select a tenant to sign in under with the --tenant argument. The value of this argument can be either an .onmicrosoft.com domain or the Azure object ID for the tenant. Both interactive and command-line sign-in methods work with --tenant.

az login --tenant <tenant>

Sign in with a managed identity

On resources configured for managed identities for Azure resources, you can sign in using the managed identity. Signing in with the resource's identity is done through the --identity flag.

az login --identity

To learn more about managed identities for Azure resources, see Configure managed identities for Azure resources and Use managed identities for Azure resources for sign in.