我想了解 Azure PowerShell 如何使用基于 AAD 用户名/密码的凭据进行 Azure API 调用。
我的理解是应用程序需要一个客户端 ID 才能进行 Azure API 调用。该客户端 ID 必须使用用户帐户注册。
Azure PowerShell 是否有客户端 ID?如果是这样,在没有显式向 Azure 帐户注册的情况下它如何工作?是不是跨账号被列入白名单的特殊id?
无需在 Azure Active Directory 中为 Azure Powershell 创建应用程序注册。要利用 Azure AD 用户的用户名/密码凭据,可以使用 Add-AzureAccount cmdlet:
$username = "admin@your_account.onmicrosoft.com"
$password = "SuperSecretPassword" | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
Add-AzureAccount -Credential $credential
只需确保安装了最新版本的 Azure PowerShell 模块,并且使用的帐户是组织帐户(而不是 Microsoft 帐户)或本机 Azure AD 用户。
为了回答问题的最后部分,Azure PowerShell 有一个众所周知的客户端 ID(“1950a258-227b-4e31-a9cf-717495945fc2”)。它硬编码在 Azure Powershell 模块中,可用于在 PowerShell 脚本直接调用 Azure 管理 API 时向 Azure AD 进行身份验证:
# Load Active Directory Authentication Library (ADAL) Assemblies
$adal = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"
[System.Reflection.Assembly]::LoadFrom($adal)
[System.Reflection.Assembly]::LoadFrom($adalforms)
# Set Azure AD Tenant name
$adTenant = "yourtenant.onmicrosoft.com"
# Set well-known client ID for Azure PowerShell
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2"
# Set redirect URI for Azure PowerShell
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
# Set Resource URI to Azure Service Management API
$resourceAppIdURI = "https://management.core.windows.net/"
# Set Authority to Azure AD Tenant
$authority = "https://login.windows.net/$adTenant"
# Set user credentials (*** obviously you wouldn't have the password in clear text in a production script ***)
$userName = "admin@your_tenant.onmicrosoft.com"
$password = "SecretPassword"
$creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList $userName,$password
# Create AuthenticationContext tied to Azure AD Tenant
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# Acquire token
$authResult = $authContext.AcquireToken($resourceAppIdURI,$clientId,$creds)
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)
