你当前正在访问 Microsoft Azure Global Edition 技术文档网站。如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站，请访问 https://docs.azure.cn。

Federated Identity Credentials - Create Or Update

参考

Service:: Managed Identity

API Version:: 2023-01-31

在指定的用户分配的标识下创建或更新联合标识凭据。

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{resourceName}/federatedIdentityCredentials/{federatedIdentityCredentialResourceName}?api-version=2023-01-31

URI 参数

名称	在	必需	类型	说明
federatedIdentityCredentialResourceName	path	True	string	联合标识凭据资源的名称。 Regex pattern: `^[a-zA-Z0-9]{1}[a-zA-Z0-9-_]{2,119}$`
resourceGroupName	path	True	string	标识所属的资源组的名称。
resourceName	path	True	string	标识资源的名称。
subscriptionId	path	True	string	标识所属的订阅的 ID。
api-version	query	True	string	要调用的 API 版本。

请求正文

名称	必需	类型	说明
properties.audiences	True	string[]	可在颁发的令牌中显示的受众列表。
properties.issuer	True	string	要信任的颁发者的 URL。
properties.subject	True	string	外部文件的标识符。

响应

名称	类型	说明
200 OK	FederatedIdentityCredential	更新了联合标识凭据。
201 Created	FederatedIdentityCredential	已创建联合标识凭据。
Other Status Codes	CloudError	描述操作失败原因的错误响应。

安全性

azure_auth

Azure Active Directory OAuth2 流

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

名称	说明
user_impersonation	模拟用户帐户

示例

FederatedIdentityCredentialCreate

Sample Request

PUT https://management.azure.com/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourceGroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/resourceName/federatedIdentityCredentials/ficResourceName?api-version=2023-01-31

{
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  }
}


import com.azure.resourcemanager.msi.fluent.models.FederatedIdentityCredentialInner;
import java.util.Arrays;

/** Samples for FederatedIdentityCredentials CreateOrUpdate. */
public final class Main {
    /*
     * x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/
     * FederatedIdentityCredentialCreate.json
     */
    /**
     * Sample code: FederatedIdentityCredentialCreate.
     *
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void federatedIdentityCredentialCreate(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.identities().manager().serviceClient().getFederatedIdentityCredentials().createOrUpdateWithResponse(
            "rgName", "resourceName", "ficResourceName",
            new FederatedIdentityCredentialInner().withIssuer("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID")
                .withSubject("system:serviceaccount:ns:svcaccount")
                .withAudiences(Arrays.asList("api://AzureADTokenExchange")),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential
from azure.mgmt.msi import ManagedServiceIdentityClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-msi
# USAGE
    python federated_identity_credential_create.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = ManagedServiceIdentityClient(
        credential=DefaultAzureCredential(),
        subscription_id="c267c0e7-0a73-4789-9e17-d26aeb0904e5",
    )

    response = client.federated_identity_credentials.create_or_update(
        resource_group_name="rgName",
        resource_name="resourceName",
        federated_identity_credential_resource_name="ficResourceName",
        parameters={
            "properties": {
                "audiences": ["api://AzureADTokenExchange"],
                "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
                "subject": "system:serviceaccount:ns:svcaccount",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armmsi_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/3d7a3848106b831a4a7f46976fe38aa605c4f44d/specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
func ExampleFederatedIdentityCredentialsClient_CreateOrUpdate() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armmsi.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewFederatedIdentityCredentialsClient().CreateOrUpdate(ctx, "rgName", "resourceName", "ficResourceName", armmsi.FederatedIdentityCredential{
		Properties: &armmsi.FederatedIdentityCredentialProperties{
			Audiences: []*string{
				to.Ptr("api://AzureADTokenExchange")},
			Issuer:  to.Ptr("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
			Subject: to.Ptr("system:serviceaccount:ns:svcaccount"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.FederatedIdentityCredential = armmsi.FederatedIdentityCredential{
	// 	Name: to.Ptr("ficResourceName"),
	// 	Type: to.Ptr("Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"),
	// 	ID: to.Ptr("/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName"),
	// 	Properties: &armmsi.FederatedIdentityCredentialProperties{
	// 		Audiences: []*string{
	// 			to.Ptr("api://AzureADTokenExchange")},
	// 			Issuer: to.Ptr("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
	// 			Subject: to.Ptr("system:serviceaccount:ns:svcaccount"),
	// 		},
	// 	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { ManagedServiceIdentityClient } = require("@azure/arm-msi");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Create or update a federated identity credential under the specified user assigned identity.
 *
 * @summary Create or update a federated identity credential under the specified user assigned identity.
 * x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
 */
async function federatedIdentityCredentialCreate() {
  const subscriptionId =
    process.env["MSI_SUBSCRIPTION_ID"] || "c267c0e7-0a73-4789-9e17-d26aeb0904e5";
  const resourceGroupName = process.env["MSI_RESOURCE_GROUP"] || "rgName";
  const resourceName = "resourceName";
  const federatedIdentityCredentialResourceName = "ficResourceName";
  const parameters = {
    audiences: ["api://AzureADTokenExchange"],
    issuer: "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    subject: "system:serviceaccount:ns:svcaccount",
  };
  const credential = new DefaultAzureCredential();
  const client = new ManagedServiceIdentityClient(credential, subscriptionId);
  const result = await client.federatedIdentityCredentials.createOrUpdate(
    resourceGroupName,
    resourceName,
    federatedIdentityCredentialResourceName,
    parameters
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.ManagedServiceIdentities;

// Generated from example definition: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
// this example is just showing the usage of "FederatedIdentityCredentials_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this UserAssignedIdentityResource created on azure
// for more information of creating UserAssignedIdentityResource, please refer to the document of UserAssignedIdentityResource
string subscriptionId = "c267c0e7-0a73-4789-9e17-d26aeb0904e5";
string resourceGroupName = "rgName";
string resourceName = "resourceName";
ResourceIdentifier userAssignedIdentityResourceId = UserAssignedIdentityResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, resourceName);
UserAssignedIdentityResource userAssignedIdentity = client.GetUserAssignedIdentityResource(userAssignedIdentityResourceId);

// get the collection of this FederatedIdentityCredentialResource
FederatedIdentityCredentialCollection collection = userAssignedIdentity.GetFederatedIdentityCredentials();

// invoke the operation
string federatedIdentityCredentialResourceName = "ficResourceName";
FederatedIdentityCredentialData data = new FederatedIdentityCredentialData()
{
    IssuerUri = new Uri("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
    Subject = "system:serviceaccount:ns:svcaccount",
    Audiences =
    {
    "api://AzureADTokenExchange"
    },
};
ArmOperation<FederatedIdentityCredentialResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, federatedIdentityCredentialResourceName, data);
FederatedIdentityCredentialResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
FederatedIdentityCredentialData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 201

{
  "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName",
  "name": "ficResourceName",
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  },
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

Status code:: 200

{
  "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName",
  "name": "ficResourceName",
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  },
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

定义

名称	说明
CloudError	来自 ManagedServiceIdentity 服务的错误响应。
CloudErrorBody	来自 ManagedServiceIdentity 服务的错误响应。
createdByType	创建资源的标识类型。
FederatedIdentityCredential	描述联合标识凭据。
systemData	与资源的创建和上次修改相关的元数据。

CloudError

来自 ManagedServiceIdentity 服务的错误响应。

名称	类型	说明
error	CloudErrorBody	有关错误的其他详细信息的列表。

CloudErrorBody

来自 ManagedServiceIdentity 服务的错误响应。

名称	类型	说明
code	string	错误的标识符。
details	CloudErrorBody[]	有关错误的其他详细信息的列表。
message	string	描述错误的消息，该消息适用于在用户界面中显示。
target	string	特定错误的目标。例如，属性的名称出错。

createdByType

创建资源的标识类型。

名称	类型	说明
Application	string
Key	string
ManagedIdentity	string
User	string

FederatedIdentityCredential

描述联合标识凭据。

名称	类型	说明
id	string	资源的完全限定的资源 ID。例如“/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}”
name	string	资源的名称
properties.audiences	string[]	可在颁发的令牌中显示的受众列表。
properties.issuer	string	要信任的颁发者的 URL。
properties.subject	string	外部文件的标识符。
systemData	systemData	包含 createdBy 和 modifiedBy 信息的 Azure 资源管理器元数据。
type	string	资源类型。例如“Microsoft.Compute/virtualMachines”或“Microsoft.Storage/storageAccounts”

systemData

与资源的创建和上次修改相关的元数据。

名称	类型	说明
createdAt	string	资源的创建时间戳 (UTC) 。
createdBy	string	创建资源的标识。
createdByType	createdByType	创建资源的标识类型。
lastModifiedAt	string	资源上次修改的时间戳 (UTC)
lastModifiedBy	string	上次修改资源的标识。
lastModifiedByType	createdByType	上次修改资源的标识类型。