Use an Azure managed identity to authenticate to an Azure container registry

Use a managed identity for Azure resources to authenticate to an Azure container registry from another Azure resource, without needing to provide or manage registry credentials. For example, set up a user-assigned or system-assigned managed identity on a Linux VM to access container images from your container registry, as easily as you use a public registry.

In this article, you learn more about managed identities and how to:

  • Enable a user-assigned or system-assigned identity on an Azure VM
  • Grant the identity access to an Azure container registry
  • Use the managed identity to access the registry and pull a container image

To create the Azure resources, this article requires that you run the Azure CLI version 2.0.55 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

To set up a container registry and push a container image to it, you must also have Docker installed locally. Docker provides packages that easily configure Docker on any macOS, Windows, or Linux system.

Why use a managed identity?

A managed identity for Azure resources provides Azure services with an automatically managed identity in Azure Active Directory (Azure AD). You can configure certain Azure resources, including virtual machines, with a managed identity. Then, use the identity to access other Azure resources, without passing credentials in code or scripts.

Managed identities are of two types:

  • User-assigned identities, which you can assign to multiple resources and which persist for as long as you want. User-assigned identities are currently in preview.

  • System-assigned identities, which are unique to a specific resource, such as a single virtual machine, and last for the lifetime of that resource.

After you set up an Azure resource with a managed identity, give the identity the access you want to another resource, just like any security principal. For example, assign the managed identity a role that grants pull, pull and push, or other permissions on a private registry in Azure. (For a complete list of registry roles, see Azure Container Registry roles and permissions.) You can give an identity access to one or more resources. Grant only what the workload needs: a VM that only runs images needs AcrPull, not AcrPush, and the assignment should be scoped to the registry rather than to the resource group or subscription.

Then, use the identity to authenticate to any service that supports Azure AD authentication, without any credentials in your code. To use the identity to access an Azure container registry from a virtual machine, you authenticate with Azure Resource Manager. Keep in mind that the identity belongs to the VM, not to a person: any process on the VM that can reach the instance metadata endpoint can obtain tokens for it, so whatever registry permissions you grant are effectively available to everything running on that VM. Choose how to authenticate using the managed identity, depending on your scenario: Example 1 below uses a user-assigned identity, Example 2 a system-assigned identity.

Create a container registry

If you don't already have an Azure container registry, create a registry and push a sample container image to it. For steps, see Quickstart: Create a private container registry using the Azure CLI.

This article assumes you have the aci-helloworld:v1 container image stored in your registry. The examples use a registry name of myContainerRegistry. Replace with your own registry and image names in later steps.

Create a Docker-enabled VM

Create a Docker-enabled Ubuntu virtual machine. You also need to install the Azure CLI on the virtual machine. If you already have an Azure virtual machine, skip this step.

Deploy a default Ubuntu Azure virtual machine with az vm create. The following example creates a VM named myDockerVM in an existing resource group named myResourceGroup:

az vm create \
    --resource-group myResourceGroup \
    --name myDockerVM \
    --image UbuntuLTS \
    --admin-username azureuser \
    --generate-ssh-keys

It takes a few minutes for the VM to be created. When the command completes, take note of the publicIpAddress displayed by the Azure CLI. Use this address to make SSH connections to the VM.

Install Docker on the VM

After the VM is running, make an SSH connection to the VM. Replace publicIpAddress with the public IP address of your VM.

ssh azureuser@publicIpAddress

Run the following command to install Docker on the VM:

sudo apt install docker.io -y

After installation, run the following command to verify that Docker is running properly on the VM:

sudo docker run -it hello-world

Output:

Hello from Docker!
This message shows that your installation appears to be working correctly.
[...]

Install the Azure CLI

Follow the steps in Install Azure CLI with apt to install the Azure CLI on your Ubuntu virtual machine. For this article, ensure that you install version 2.0.55 or later.

Exit the SSH session.

Example 1: Access with a user-assigned identity

Create an identity

Create an identity in your subscription using the az identity create command. You can use the same resource group you used previously to create the container registry or virtual machine, or a different one.

az identity create --resource-group myResourceGroup --name myACRId

To configure the identity in the following steps, use the az identity show command to store the identity's resource ID and service principal ID in variables.

# Get resource ID of the user-assigned identity
userID=$(az identity show --resource-group myResourceGroup --name myACRId --query id --output tsv)

# Get service principal ID of the user-assigned identity
spID=$(az identity show --resource-group myResourceGroup --name myACRId --query principalId --output tsv)

Because you need the identity's resource ID in a later step, when you sign in to the CLI from your virtual machine, display the value:

echo $userID

The ID is of the form:

/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACRId

Configure the VM with the identity

The following az vm identity assign command configures your Docker VM with the user-assigned identity:

az vm identity assign --resource-group myResourceGroup --name myDockerVM --identities $userID

Grant identity access to the container registry

Now configure the identity to access your container registry. First, use the az acr show command to get the resource ID of the registry:

resourceID=$(az acr show --resource-group myResourceGroup --name myContainerRegistry --query id --output tsv)

Use the az role assignment create command to assign the AcrPull role to the identity, scoped to the registry. This role provides pull permissions to the registry. To provide both pull and push permissions, assign the AcrPush role instead. Keep the scope at the registry's own resource ID, as shown, rather than the resource group or subscription, so the identity cannot reach other registries.

az role assignment create --assignee $spID --scope $resourceID --role acrpull

Use the identity to access the registry

SSH into the Docker virtual machine that's configured with the identity. Run the following Azure CLI commands, using the Azure CLI installed on the VM.

First, authenticate to the Azure CLI with az login, using the identity you configured on the VM. For <userID>, substitute the resource ID of the identity you retrieved in a previous step.

az login --identity --username <userID>

Then, authenticate to the registry with az acr login. When you use this command, the CLI uses the Azure AD token created when you ran az login to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with sudo. If docker needs sudo, run az acr login with sudo as well, so the credential lands in the same Docker configuration that docker pull reads.)

az acr login --name myContainerRegistry

You should see a Login succeeded message. You can then run docker commands without providing credentials. For example, run docker pull to pull the aci-helloworld:v1 image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by .azurecr.io, for example mycontainerregistry.azurecr.io.

docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1
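The steps of Example 1 as one script, added here as an example and not part of the original article or of the Azure CLI. It follows the article's commands and adds two things a practitioner usually wants: it polls until the new role assignment is actually visible before declaring success (a pull attempted immediately after az role assignment create can fail with an authorization error), and it audits that the identity holds exactly the one role on the one registry and nothing broader. Passing "system" instead of "user" runs the system-assigned variant. The resource names are the article's placeholders; the "grant" step assumes a workstation session with rights to create role assignments, the "pull" step assumes it runs on the VM.

```shell
#!/usr/bin/env bash
# Added example (not part of the article or of the Azure CLI).
#   workstation:  ./acr-mi.sh grant user      (or: grant system)
#   on the VM:    ./acr-mi.sh pull user "$userID"   (or: pull system)
set -eu

RESOURCE_GROUP=${RESOURCE_GROUP:-myResourceGroup}
REGISTRY=${REGISTRY:-myContainerRegistry}
VM_NAME=${VM_NAME:-myDockerVM}
IDENTITY_NAME=${IDENTITY_NAME:-myACRId}   # user-assigned identity only
IMAGE=${IMAGE:-aci-helloworld:v1}
ROLE=${ROLE:-acrpull}                     # least privilege: pull only
TAB=$(printf '\t')

# Login server = registry name in lower case + .azurecr.io
acr_login_server() {
    printf '%s.azurecr.io\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Reads "roleDefinitionName<TAB>scope" lines on stdin, as produced by
#   az role assignment list --all --assignee "$spID" \
#       --query '[].[roleDefinitionName, scope]' -o tsv
# Exit 0: exactly the wanted role at the wanted scope and nothing else.
# Exit 1: wanted role missing. Exit 2: wanted role present but the identity
# also holds other assignments, which a reviewer should look at.
# Role names and scopes are compared case-insensitively.
check_assignments() {   # $1 = wanted role, $2 = registry resource ID
    local want_role want_scope found=0 extra=0 role scope
    want_role=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    want_scope=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    while IFS=$TAB read -r role scope; do
        [ -n "$role" ] || continue
        role=$(printf '%s' "$role" | tr '[:upper:]' '[:lower:]')
        scope=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
        if [ "$role" = "$want_role" ] && [ "$scope" = "$want_scope" ]; then
            found=1
        else
            extra=1
        fi
    done
    [ "$found" -eq 1 ] || return 1
    [ "$extra" -eq 0 ] || return 2
    return 0
}

# Step 1, from a workstation logged in with rights to create role assignments.
grant_access() {   # $1 = user | system
    local registry_id sp_id identity_id tries=0 rc
    registry_id=$(az acr show --resource-group "$RESOURCE_GROUP" --name "$REGISTRY" --query id -o tsv)
    if [ "$1" = user ]; then
        az identity create --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME" >/dev/null
        identity_id=$(az identity show --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME" --query id -o tsv)
        sp_id=$(az identity show --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME" --query principalId -o tsv)
        az vm identity assign --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" --identities "$identity_id" >/dev/null
        echo "identity resource ID (pass it to 'pull' on the VM): $identity_id"
    else
        az vm identity assign --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" >/dev/null
        sp_id=$(az vm show --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" --query identity.principalId -o tsv)
    fi
    # Scope = the registry's own resource ID, never the resource group.
    az role assignment create --assignee "$sp_id" --scope "$registry_id" --role "$ROLE" >/dev/null
    # A new role assignment takes a little while to become effective; poll
    # before declaring success so the VM side does not fail as unauthorized.
    while :; do
        set +e
        az role assignment list --all --assignee "$sp_id" \
            --query '[].[roleDefinitionName, scope]' -o tsv |
            check_assignments "$ROLE" "$registry_id"
        rc=$?
        set -e
        [ "$rc" -ne 2 ] || echo "warning: $sp_id holds assignments beyond $ROLE on the registry; review them" >&2
        [ "$rc" -eq 1 ] || break
        tries=$((tries + 1))
        [ "$tries" -lt 12 ] || { echo "role assignment still not visible after 2 minutes" >&2; return 1; }
        sleep 10
    done
    echo "granted $ROLE on $REGISTRY to $sp_id"
}

# Step 2, on the VM (Azure CLI and Docker installed there).
pull_image() {   # $1 = user | system, $2 = identity resource ID when $1 = user
    if [ "$1" = user ]; then
        az login --identity --username "${2:?identity resource ID required}" >/dev/null
    else
        az login --identity >/dev/null
    fi
    az acr login --name "$REGISTRY"    # exchanges the Azure AD token for a registry session
    docker pull "$(acr_login_server "$REGISTRY")/$IMAGE"
}

case ${1:-} in
    grant) grant_access "${2:-user}" ;;
    pull)  pull_image "${2:-user}" "${3:-}" ;;
esac
```

The audit in check_assignments lists every assignment the principal holds in the subscription, so a result of 2 is not necessarily wrong; it flags an identity that has grown beyond "pull from this one registry", which is the thing to question in review.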

Example 2: Access with a system-assigned identity

Configure the VM with a system-assigned identity

The following az vm identity assign command configures your Docker VM with a system-assigned identity:

az vm identity assign --resource-group myResourceGroup --name myDockerVM

Use the az vm show command to set a variable to the value of principalId (the service principal ID) of the VM's identity, to use in later steps.

spID=$(az vm show --resource-group myResourceGroup --name myDockerVM --query identity.principalId --out tsv)

Grant identity access to the container registry

Now configure the identity to access your container registry. First, use the az acr show command to get the resource ID of the registry:

resourceID=$(az acr show --resource-group myResourceGroup --name myContainerRegistry --query id --output tsv)

Use the az role assignment create command to assign the AcrPull role to the identity, scoped to the registry. This role provides pull permissions to the registry. To provide both pull and push permissions, assign the AcrPush role instead.

az role assignment create --assignee $spID --scope $resourceID --role acrpull

Use the identity to access the registry

SSH into the Docker virtual machine that's configured with the identity. Run the following Azure CLI commands, using the Azure CLI installed on the VM.

First, authenticate the Azure CLI with az login, using the system-assigned identity on the VM. No username is needed: the VM has exactly one system-assigned identity.

az login --identity

Then, authenticate to the registry with az acr login. When you use this command, the CLI uses the Azure AD token created when you ran az login to seamlessly authenticate your session with the container registry. (Depending on your VM's setup, you might need to run this command and docker commands with sudo. If docker needs sudo, run az acr login with sudo as well, so the credential lands in the same Docker configuration that docker pull reads.)

az acr login --name myContainerRegistry

You should see a Login succeeded message. You can then run docker commands without providing credentials. For example, run docker pull to pull the aci-helloworld:v1 image, specifying the login server name of your registry. The login server name consists of your container registry name (all lowercase) followed by .azurecr.io, for example mycontainerregistry.azurecr.io.

docker pull mycontainerregistry.azurecr.io/aci-helloworld:v1
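Both examples rely on az login --identity and az acr login doing two token exchanges for you. The script below, added here as an example and not part of the original article or of the Azure CLI, performs the same two exchanges with curl so the trust chain is visible: the VM fetches an Azure AD token for Azure Resource Manager from the instance metadata service (IMDS), then trades it at the registry's /oauth2/exchange endpoint for a registry refresh token, which Docker accepts as the password for the fixed username 00000000-0000-0000-0000-000000000000 (the same credential az acr login --expose-token prints). It must run on the Azure VM itself, since IMDS is only reachable from inside the VM. The registry name is the article's placeholder; the optional identity resource ID selects a user-assigned identity as in Example 1, and omitting it uses the system-assigned identity as in Example 2. The JSON and JWT helpers are deliberately minimal and are assumptions of this example, not Azure tooling.

```shell
#!/usr/bin/env bash
# Added example (not part of the article or of the Azure CLI).
#   on the VM:  ./acr-token.sh login myContainerRegistry ["$userID"]
set -eu

IMDS=http://169.254.169.254/metadata/identity/oauth2/token
ARM_RESOURCE=https://management.azure.com/
# Fixed username the registry expects when the password is a refresh token.
ACR_TOKEN_USER=00000000-0000-0000-0000-000000000000

acr_login_server() {
    printf '%s.azurecr.io\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# 1) Where the VM gets its Azure AD token: the link-local IMDS endpoint. It
#    needs no credential, only the "Metadata: true" header, so any local
#    process can call it. Without mi_res_id, IMDS uses the system-assigned
#    identity; with it, the named user-assigned identity.
imds_token_url() {   # $1 = user-assigned identity resource ID (optional)
    local url="$IMDS?api-version=2018-02-01&resource=$ARM_RESOURCE"
    [ -z "${1:-}" ] || url="$url&mi_res_id=$1"
    printf '%s\n' "$url"
}

# Minimal extractor for one string field of a flat JSON object on stdin
# (IMDS and the registry return compact objects; avoids a jq dependency).
json_string_field() {   # $1 = key
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Decode the claims of a JWT for inspection (aud, exp, ...). This does NOT
# verify the signature; the registry does that. Use it only on a token you
# fetched yourself, to confirm it is the one you intend to send.
jwt_payload() {   # $1 = JWT
    local p
    p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
    case $(( ${#p} % 4 )) in                              # restore padding
        2) p="$p==" ;;
        3) p="$p=" ;;
    esac
    printf '%s' "$p" | base64 -d
}

# 2) Trade the Azure AD token for a registry refresh token, then log Docker in
#    with it. This is what "az acr login" does behind the scenes.
acr_session() {   # $1 = registry name, $2 = user-assigned identity resource ID (optional)
    local server aad refresh
    server=$(acr_login_server "$1")
    aad=$(curl -sS -H 'Metadata: true' "$(imds_token_url "${2:-}")" | json_string_field access_token)
    [ -n "$aad" ] || { echo 'IMDS returned no access token' >&2; return 1; }
    # Refuse to forward a token that is not for Azure Resource Manager.
    jwt_payload "$aad" | grep -qF "\"aud\":\"$ARM_RESOURCE\"" || {
        echo 'token audience is not ARM; not sending it to the registry' >&2; return 1; }
    refresh=$(curl -sS -X POST "https://$server/oauth2/exchange" \
        --data-urlencode grant_type=access_token \
        --data-urlencode "service=$server" \
        --data-urlencode "access_token=$aad" | json_string_field refresh_token)
    [ -n "$refresh" ] || { echo 'registry did not return a refresh token' >&2; return 1; }
    printf '%s' "$refresh" | docker login "$server" --username "$ACR_TOKEN_USER" --password-stdin
}

case ${1:-} in
    login) acr_session "${2:?registry name}" "${3:-}" ;;
esac
```

The point of seeing the flow spelled out is the threat model in the first step: the only thing protecting the IMDS call is network position inside the VM. A container or any unprivileged process on the VM that can reach 169.254.169.254 can mint the same ARM token and, with it, a registry session, which is why the role you grant the identity should be no wider than AcrPull on the one registry.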

Next steps

In this article, you learned about using managed identities with Azure Container Registry and how to:

  • Enable a user-assigned or system-assigned identity on an Azure VM
  • Grant the identity access to an Azure container registry
  • Use the managed identity to access the registry and pull a container image