Automated tools that use Azure services should always have restricted permissions to ensure that Azure resources are secure. Therefore, instead of having applications sign in as a fully privileged user, Azure offers service principals. An Azure service principal is an identity created for use with applications, hosted services, and automated tools. This identity is used to access resources.
In this tutorial, you learn how to:
- Create a service principal
- Sign in using a service principal and password
- Sign in using a service principal and certificate
- Manage service principal roles
- Create an Azure resource using a service principal
- Reset service principal credentials
Prerequisites
- In a subscription, you must have User Access Administrator or Role Based Access Control Administrator permissions, or higher, to create a service principal. For a list of roles available for Azure role-based access control (Azure RBAC), see Azure built-in roles.
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running the Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Create a service principal
Use the az ad sp create-for-rbac Azure CLI reference command to create a service principal. This example doesn't specify a --name parameter, so a name containing a time stamp is automatically created.
az ad sp create-for-rbac
Output console:
{
"appId": "myAppId",
"displayName": "myServicePrincipalName",
"password": "myServicePrincipalPassword",
"tenant": "myTenantId"
}
If you aren't adhering to resource naming conventions and plan to create a role and scope for your new service principal later, the az ad sp create-for-rbac
command without parameters is an acceptable solution. However, without a role and scope, the new service principal doesn't have access to resources. It just exists.
When you create a service principal without parameters, also complete these steps:
- Record your system-assigned password as you can't retrieve it again. If you lose the password, reset it using az ad sp credential reset as explained in Reset service principal credentials.
- Set the role assignment for your new service principal by using az role assignment create as explained in Manage service principal roles.
Note
If your account doesn't have permission to create a service principal, az ad sp create-for-rbac returns an error message containing "Insufficient privileges to complete the operation". Contact your Microsoft Entra admin to create a service principal.
In a Microsoft Entra ID directory where the user setting Users can register applications has been set to No, you must be a member of one of the following Microsoft Entra ID built-in roles (which have the action microsoft.directory/applications/createAsOwner or microsoft.directory/applications/create):
For more information about user settings in Microsoft Entra ID, see Restrict who can create applications.
Create a service principal with role and scope
As a best practice, always assign a specific --role and --scopes when you create a service principal. Follow these steps:
Determine the correct role.
When determining the role, always use the principle of least privilege. For example, don't give your service principal Contributor permissions to a subscription if the service principal only needs to access Azure storage within a resource group. Consider a specialized role like Storage Blob Data Contributor. For a complete list of roles available in Azure RBAC, see Azure built-in roles.
Get a value for the scopes parameter.
Find and copy the Resource ID of the Azure resource the new service principal needs to access. This information is usually found on the Properties or Endpoints page of each resource in the Azure portal. Here are common --scopes examples, but rely on your Resource ID for the actual format and value.

| Scope | Example |
| --- | --- |
| Subscription | /subscriptions/mySubscriptionID |
| Resource group | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName |
| Virtual machine | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.Compute/virtualMachines/myVMname |
| Storage account file service | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.Storage/storageAccounts/myStorageAccountName/fileServices/default |
| Data factory | /subscriptions/mySubscriptionID/resourceGroups/myResourceGroupName/providers/Microsoft.DataFactory/factories/myDataFactoryName |

For more scope examples, see Understand scope for Azure RBAC.
Create the service principal.
In this example, a new service principal named myServicePrincipalName1 is created with reader permissions to all resources in resource group RG1.
# Bash script
az ad sp create-for-rbac --name myServicePrincipalName1 \
--role reader \
--scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG1
The --scopes parameter accepts a space-delimited list of scopes. In this example, a new service principal named myServicePrincipalName2 is created with reader permissions to all resources in resource group myRG1. This service principal is also given reader permissions to myVM located in myRG2.
# Bash script
az ad sp create-for-rbac --name myServicePrincipalName2 \
--role reader \
--scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG2/providers/Microsoft.Compute/virtualMachines/myVM
If you decide that you granted too few or too many permissions to your new service principal, alter the permissions by managing service principal roles.
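As an added example that is not part of the Azure CLI documentation, the following Python script applies the least-privilege rule from the steps above to assignments that already exist: it parses scope paths with the shapes shown in the scope table (subscription, resource group, resource) and flags service principals that hold a broad built-in role or a scope wider than a resource group. The input shape matches what az role assignment list --all --output json prints; the records, principal names and subscription ID below are constructed placeholders.

```python
"""Least-privilege audit of role assignments held by service principals.

Added example, not code from the Azure CLI documentation. Consumes the JSON
shape of `az role assignment list --all --output json` (principalName,
principalType, roleDefinitionName, scope). SAMPLE_JSON is constructed.
"""
import json
import re

# Built-in roles that grant broad write or permission-management rights.
BROAD_ROLES = {
    "Owner",
    "Contributor",
    "User Access Administrator",
    "Role Based Access Control Administrator",
}

# Scope breadth, narrowest first; comparing indexes gives "broader than".
LEVELS = ["resource", "resourceGroup", "subscription", "managementGroup", "root"]

_MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"
_SUB_RE = re.compile(
    r"^/subscriptions/([^/]+)(?:/resourceGroups/([^/]+)(?:/providers/(.+))?)?$",
    re.IGNORECASE,
)


def scope_level(scope: str) -> str:
    """Classify a scope path into one of LEVELS using the path shapes from
    the scope table (subscription, resource group, resource under providers)."""
    if scope == "/":
        return "root"
    if scope.startswith(_MG_PREFIX):
        return "managementGroup"
    m = _SUB_RE.match(scope)
    if m is None:
        raise ValueError(f"unrecognized scope: {scope}")
    if m.group(3):
        return "resource"
    if m.group(2):
        return "resourceGroup"
    return "subscription"


def audit(assignments, max_level: str = "resourceGroup"):
    """Return findings for service principal assignments whose scope is wider
    than max_level or whose role is in BROAD_ROLES. Users and groups are skipped."""
    limit = LEVELS.index(max_level)
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue
        level = scope_level(a["scope"])
        reasons = []
        if LEVELS.index(level) > limit:
            reasons.append(f"scope is {level}, wider than {max_level}")
        if a["roleDefinitionName"] in BROAD_ROLES:
            reasons.append(f"broad role {a['roleDefinitionName']}")
        if reasons:
            findings.append(
                {"principal": a["principalName"], "scope": a["scope"], "reasons": reasons}
            )
    return findings


# Constructed sample in the shape of `az role assignment list` output.
SAMPLE_JSON = """[
  {"principalName": "sp-backup", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG1"},
  {"principalName": "sp-ci", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "sp-blob", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Storage Blob Data Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG1/providers/Microsoft.Storage/storageAccounts/myStorageAccountName"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]"""
SAMPLE_ASSIGNMENTS = json.loads(SAMPLE_JSON)

if __name__ == "__main__":
    for f in audit(SAMPLE_ASSIGNMENTS):
        print(f["principal"], f["scope"], "; ".join(f["reasons"]))
```

To run it against a real tenant, save the output of az role assignment list --all --output json to a file and pass json.load of that file to audit(). Lower max_level to "resource" for principals that should only reach a single storage account or VM, as in the second create-for-rbac example above.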
Create a service principal using variables
You can also create a service principal using variables:
# Bash script
let "randomIdentifier=$RANDOM*$RANDOM"
servicePrincipalName="msdocs-sp-$randomIdentifier"
roleName="azureRoleName"
subscriptionID=$(az account show --query id --output tsv)
# Verify the ID of the active subscription
echo "Using subscription ID $subscriptionID"
resourceGroup="myResourceGroupName"
echo "Creating SP for RBAC with name $servicePrincipalName, with role $roleName and in scopes /subscriptions/$subscriptionID/resourceGroups/$resourceGroup"
az ad sp create-for-rbac --name $servicePrincipalName \
--role $roleName \
--scopes /subscriptions/$subscriptionID/resourceGroups/$resourceGroup
For a complete list of service principal properties, use az ad sp list and see Get an existing service principal.
Warning
When you create an Azure service principal using the az ad sp create-for-rbac command, the output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. As an alternative, consider using managed identities if available to avoid the need to use credentials.
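As an added example that is not part of the Azure CLI documentation, the following Python helpers handle the console output shown earlier so that the password never lands in code or a checkout: the JSON is written to a file outside the repository with owner-only permissions (using the AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET variable names that the Azure SDK's EnvironmentCredential reads), a redacted copy is produced for logs, and a directory tree is scanned for the literal secret so an accidental paste is caught before it is committed. The sample output and the file layout in demo() are constructed placeholders, not real credentials.

```python
"""Keep `az ad sp create-for-rbac` output out of code and source control.

Added example, not code from the Azure CLI documentation. SAMPLE_OUTPUT is a
constructed stand-in for the command's console output; the values are
placeholders. If the scan finds the secret in a checkout, rotate it with
`az ad sp credential reset` rather than just deleting the file.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

SAMPLE_OUTPUT = """{
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "myServicePrincipalName",
  "password": "EXAMPLE-secret-value-not-real",
  "tenant": "22222222-2222-2222-2222-222222222222"
}"""

SECRET_KEYS = {"password"}

# Output field -> environment variable read by the Azure SDK EnvironmentCredential.
ENV_MAP = {
    "appId": "AZURE_CLIENT_ID",
    "tenant": "AZURE_TENANT_ID",
    "password": "AZURE_CLIENT_SECRET",
}


def redact(output: str) -> dict:
    """Parse the command output and blank secret fields, for logs and tickets."""
    parsed = json.loads(output)
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in parsed.items()}


def store_credentials(output: str, path) -> int:
    """Write VAR="value" lines to path with mode 0600 and return the resulting
    permission bits. Point path at a location outside any repository."""
    parsed = json.loads(output)
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    # The mode on O_CREAT applies to a new file; chmod covers a pre-existing one.
    fd = os.open(p, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        for key, var in ENV_MAP.items():
            fh.write(f'{var}="{parsed[key]}"\n')
    os.chmod(p, 0o600)
    return stat.S_IMODE(p.stat().st_mode)


def secret_in_tree(root, secret: str, skip_dirs=(".git", "node_modules")):
    """Return relative paths of files under root that contain the literal secret.
    .git is skipped because its objects are compressed; the working tree is the
    thing to check before a commit."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            fp = Path(dirpath, name)
            try:
                data = fp.read_bytes()
            except OSError:
                continue  # unreadable or vanished file; nothing to check
            if secret.encode() in data:
                hits.append(fp.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> dict:
    """Exercise the helpers against a throwaway directory and return the results."""
    parsed = json.loads(SAMPLE_OUTPUT)
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        repo.mkdir()
        # Constructed mistake: the secret pasted into a script inside the checkout.
        Path(repo, "deploy.sh").write_text(f'CLIENT_SECRET="{parsed["password"]}"\n')
        Path(repo, "README.md").write_text("nothing sensitive here\n")
        mode = store_credentials(SAMPLE_OUTPUT, Path(tmp, "secrets", "sp.env"))
        hits = secret_in_tree(repo, parsed["password"])
    return {"redacted": redact(SAMPLE_OUTPUT), "mode": mode, "hits": hits}


if __name__ == "__main__":
    result = demo()
    print(result["redacted"])
    print(f"stored with mode {result['mode']:o}; files holding the secret: {result['hits']}")
```

In practice, pipe the real command output straight into store_credentials (for example az ad sp create-for-rbac ... --output json captured into a variable) and log only what redact returns; run secret_in_tree over the working tree as a pre-commit step.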
Next steps
Now that you've learned how to create an Azure service principal, proceed to the next step to learn how to use service principals with password-based authentication.