
Create an Azure service principal with Azure CLI

Automated tools that use Azure services should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals.

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources. This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

This article shows you the steps for creating, getting information about, and resetting a service principal with the Azure CLI.

Create a service principal

Create a service principal with the az ad sp create-for-rbac command. When creating a service principal, you choose the type of sign-in authentication it uses.

Note

If your account doesn't have permission to create a service principal, az ad sp create-for-rbac will return an error message containing "Insufficient privileges to complete the operation." Contact your Azure Active Directory admin to create a service principal.

There are two types of authentication available for service principals: password-based authentication and certificate-based authentication.

Password-based authentication

Without any authentication parameters, password-based authentication is used, with a random password created for you.

az ad sp create-for-rbac --name ServicePrincipalName

Important

As of Azure CLI 2.0.68, the --password parameter to create a service principal with a user-defined password is no longer supported, to prevent the accidental use of weak passwords.

The output for a service principal with password authentication includes the password key. Make sure you copy this value; it can't be retrieved. If you forget the password, reset the service principal credentials.

The appId and tenant keys appear in the output of az ad sp create-for-rbac and are used in service principal authentication. Record their values, but they can be retrieved at any point with az ad sp list.

Certificate-based authentication

For certificate-based authentication, use the --cert argument. This argument requires that you hold an existing certificate. Make sure any tool that uses this service principal has access to the certificate's private key. Certificates should be in an ASCII format such as PEM, CER, or DER. Pass the certificate as a string, or use the @path format to load the certificate from a file.

az ad sp create-for-rbac --name ServicePrincipalName --cert "-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----"
az ad sp create-for-rbac --name ServicePrincipalName --cert @/path/to/cert.pem

The --keyvault argument can be added to use a certificate in Azure Key Vault. In this case, the --cert value is the name of the certificate.

az ad sp create-for-rbac --name ServicePrincipalName --cert CertName --keyvault VaultName

To create a self-signed certificate for authentication, use the --create-cert argument:

az ad sp create-for-rbac --name ServicePrincipalName --create-cert

The --keyvault argument can be added to store the certificate in Azure Key Vault. When using --keyvault, the --cert argument is required.

az ad sp create-for-rbac --name ServicePrincipalName --create-cert --cert CertName --keyvault VaultName

Unless you store the certificate in Key Vault, the output includes the fileWithCertAndPrivateKey key. This key's value tells you where the generated certificate is stored. Make sure that you copy the certificate to a secure location, or you can't sign in with this service principal.

For certificates stored in Key Vault, retrieve the certificate's private key with az keyvault secret show. In Key Vault, the name of the certificate's secret is the same as the certificate name. If you lose access to a certificate's private key, reset the service principal credentials.

The appId and tenant keys appear in the output of az ad sp create-for-rbac and are used in service principal authentication. Record their values, but they can be retrieved at any point with az ad sp list.

Get an existing service principal

A list of the service principals in a tenant can be retrieved with az ad sp list. By default this command returns the first 100 service principals for your tenant. To get all of a tenant's service principals, use the --all argument. Getting this list can take a long time, so it's recommended that you filter the list with one of the following arguments:

  • --display-name requests service principals that have a prefix matching the provided name. The display name of a service principal is the value set with the --name parameter during creation. If you didn't set --name during service principal creation, the name prefix is azure-cli-.
  • --spn filters on exact service principal name matching. The service principal name always starts with https://. If the value you used for --name wasn't a URI, this value is https:// followed by the display name.
  • --show-mine requests only service principals created by the signed-in user.
  • --filter takes an OData filter and performs server-side filtering. This method is recommended over filtering client-side with the CLI's --query argument. To learn about OData filters, see OData expression syntax for filters.

The information returned for service principal objects is verbose. To get only the information necessary for sign-in, use the query string [].{id:appId, tenant:appOwnerTenantId}. For example, to get the sign-in information for all service principals created by the currently logged-in user:

az ad sp list --show-mine --query "[].{id:appId, tenant:appOwnerTenantId}"

Important

az ad sp list or az ad sp show get the user and tenant, but not any authentication secrets or the authentication method. Secrets for certificates in Key Vault can be retrieved with az keyvault secret show, but no other secrets are stored by default. If you forget an authentication method or secret, reset the service principal credentials.

Manage service principal roles

The Azure CLI manages role assignments with the az role assignment commands shown in this section.

The default role for a service principal is Contributor. This role has full permissions to read and write to an Azure account. The Reader role is more restrictive, with read-only access. For more information on Role-Based Access Control (RBAC) and roles, see RBAC: Built-in roles.

This example adds the Reader role and removes the Contributor one:

az role assignment create --assignee APP_ID --role Reader
az role assignment delete --assignee APP_ID --role Contributor

Note

If your account doesn't have permission to assign a role, you see an error message that your account "does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write'." Contact your Azure Active Directory admin to manage roles.

Adding a role doesn't restrict previously assigned permissions. When restricting a service principal's permissions, the Contributor role should be removed.

The changes can be verified by listing the assigned roles:

az role assignment list --assignee APP_ID
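Because adding Reader does not revoke a previously assigned Contributor role, the listing above is worth checking mechanically. The following Python is an added example, not code from the Azure docs or the CLI: it parses the JSON that az role assignment list --assignee APP_ID prints, reports roles outside an allowed set, and emits the create/delete commands from this section. The sample JSON is constructed, and the roleDefinitionName and scope field names are assumed to match the CLI's JSON output.

```python
"""Least-privilege check over a service principal's role assignments.

Added example, not part of the Azure docs page. Input is the JSON array
that `az role assignment list --assignee APP_ID -o json` prints; the
sample below is constructed and the field names are assumed.
"""
import json
import shlex

# Constructed sample: Reader was added, but the default Contributor
# assignment is still present (the situation the page warns about).
SAMPLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
     "principalType": "ServicePrincipal"},
])


def assigned_roles(assignments_json):
    """Set of role names present in `az role assignment list` output."""
    return {a["roleDefinitionName"] for a in json.loads(assignments_json)}


def excess_roles(assignments_json, allowed):
    """Roles the principal holds that are not in the allowed set (sorted)."""
    return sorted(assigned_roles(assignments_json) - set(allowed))


def remediation_commands(assignments_json, allowed, app_id):
    """az commands that bring the principal to exactly the allowed roles.

    Missing roles are created first; every assignment outside `allowed`
    is deleted at the scope it was found on, so the delete matches it.
    Role names are shell-quoted because built-in names contain spaces.
    """
    assignments = json.loads(assignments_json)
    have = {a["roleDefinitionName"] for a in assignments}
    cmds = [f"az role assignment create --assignee {shlex.quote(app_id)} "
            f"--role {shlex.quote(r)}" for r in sorted(set(allowed) - have)]
    for a in assignments:
        if a["roleDefinitionName"] not in allowed:
            cmds.append(f"az role assignment delete --assignee {shlex.quote(app_id)} "
                        f"--role {shlex.quote(a['roleDefinitionName'])} "
                        f"--scope {shlex.quote(a['scope'])}")
    return cmds


if __name__ == "__main__":
    print("excess:", excess_roles(SAMPLE_ASSIGNMENTS, {"Reader"}))
    for cmd in remediation_commands(SAMPLE_ASSIGNMENTS, {"Reader"}, "APP_ID"):
        print(cmd)
```

Pipe real output in with az role assignment list --assignee APP_ID -o json and review the printed commands before running them.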

Sign in using a service principal

Test the new service principal's credentials and permissions by signing in. To sign in with a service principal, you need the appId, tenant, and credentials.

To sign in with a service principal using a password:

az login --service-principal --username APP_ID --password PASSWORD --tenant TENANT_ID

To sign in with a certificate, it must be available locally as a PEM or DER file, in ASCII format:

az login --service-principal --username APP_ID --tenant TENANT_ID --password /path/to/cert

To learn more about signing in with a service principal, see Sign in with the Azure CLI.

Reset credentials

If you forget the credentials for a service principal, use az ad sp credential reset. The reset command takes the same arguments as az ad sp create-for-rbac.

az ad sp credential reset --name APP_ID