Federated Identity Credentials - Create Or Update

참조

서비스:: Managed Identity

API 버전:: 2023-01-31

지정된 사용자 할당 ID에서 페더레이션 ID 자격 증명을 만들거나 업데이트합니다.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{resourceName}/federatedIdentityCredentials/{federatedIdentityCredentialResourceName}?api-version=2023-01-31

URI 매개 변수

Name	In(다음 안에)	필수	형식	Description
federatedIdentityCredentialResourceName	path	True	string	페더레이션 ID 자격 증명 리소스의 이름입니다. regex 패턴: `^[a-zA-Z0-9]{1}[a-zA-Z0-9-_]{2,119}$`
resourceGroupName	path	True	string	ID가 속한 리소스 그룹의 이름입니다.
resourceName	path	True	string	ID 리소스의 이름입니다.
subscriptionId	path	True	string	ID가 속한 구독의 ID입니다.
api-version	query	True	string	호출할 API의 버전입니다.

요청 본문

Name	필수	형식	Description
properties.audiences	True	string[]	발급된 토큰에 나타날 수 있는 대상 그룹 목록입니다.
properties.issuer	True	string	신뢰할 수 있는 발급자의 URL입니다.
properties.subject	True	string	외부 ID의 식별자입니다.

응답

Name	형식	Description
200 OK	FederatedIdentityCredential	페더레이션 ID 자격 증명이 업데이트되었습니다.
201 Created	FederatedIdentityCredential	페더레이션 ID 자격 증명을 만들었습니다.
Other Status Codes	CloudError	작업이 실패한 이유를 설명하는 오류 응답입니다.

보안

azure_auth

Azure Active Directory OAuth2 Flow

형식: oauth2
Flow: implicit
권한 부여 URL: https://login.microsoftonline.com/common/oauth2/authorize

범위

Name	Description
user_impersonation	사용자 계정 가장

예제

FederatedIdentityCredentialCreate

샘플 요청

PUT https://management.azure.com/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourceGroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/resourceName/federatedIdentityCredentials/ficResourceName?api-version=2023-01-31

{
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  }
}


import com.azure.resourcemanager.msi.fluent.models.FederatedIdentityCredentialInner;
import java.util.Arrays;

/**
 * Samples for FederatedIdentityCredentials CreateOrUpdate.
 */
public final class Main {
    /*
     * x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/
     * FederatedIdentityCredentialCreate.json
     */
    /**
     * Sample code: FederatedIdentityCredentialCreate.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void federatedIdentityCredentialCreate(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.identities().manager().serviceClient().getFederatedIdentityCredentials().createOrUpdateWithResponse(
            "rgName", "resourceName", "ficResourceName",
            new FederatedIdentityCredentialInner().withIssuer("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID")
                .withSubject("system:serviceaccount:ns:svcaccount")
                .withAudiences(Arrays.asList("api://AzureADTokenExchange")),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential
from azure.mgmt.msi import ManagedServiceIdentityClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-msi
# USAGE
    python federated_identity_credential_create.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = ManagedServiceIdentityClient(
        credential=DefaultAzureCredential(),
        subscription_id="c267c0e7-0a73-4789-9e17-d26aeb0904e5",
    )

    response = client.federated_identity_credentials.create_or_update(
        resource_group_name="rgName",
        resource_name="resourceName",
        federated_identity_credential_resource_name="ficResourceName",
        parameters={
            "properties": {
                "audiences": ["api://AzureADTokenExchange"],
                "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
                "subject": "system:serviceaccount:ns:svcaccount",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armmsi_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/3d7a3848106b831a4a7f46976fe38aa605c4f44d/specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
func ExampleFederatedIdentityCredentialsClient_CreateOrUpdate() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armmsi.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewFederatedIdentityCredentialsClient().CreateOrUpdate(ctx, "rgName", "resourceName", "ficResourceName", armmsi.FederatedIdentityCredential{
		Properties: &armmsi.FederatedIdentityCredentialProperties{
			Audiences: []*string{
				to.Ptr("api://AzureADTokenExchange")},
			Issuer:  to.Ptr("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
			Subject: to.Ptr("system:serviceaccount:ns:svcaccount"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.FederatedIdentityCredential = armmsi.FederatedIdentityCredential{
	// 	Name: to.Ptr("ficResourceName"),
	// 	Type: to.Ptr("Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"),
	// 	ID: to.Ptr("/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName"),
	// 	Properties: &armmsi.FederatedIdentityCredentialProperties{
	// 		Audiences: []*string{
	// 			to.Ptr("api://AzureADTokenExchange")},
	// 			Issuer: to.Ptr("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
	// 			Subject: to.Ptr("system:serviceaccount:ns:svcaccount"),
	// 		},
	// 	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { ManagedServiceIdentityClient } = require("@azure/arm-msi");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Create or update a federated identity credential under the specified user assigned identity.
 *
 * @summary Create or update a federated identity credential under the specified user assigned identity.
 * x-ms-original-file: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
 */
async function federatedIdentityCredentialCreate() {
  const subscriptionId =
    process.env["MSI_SUBSCRIPTION_ID"] || "c267c0e7-0a73-4789-9e17-d26aeb0904e5";
  const resourceGroupName = process.env["MSI_RESOURCE_GROUP"] || "rgName";
  const resourceName = "resourceName";
  const federatedIdentityCredentialResourceName = "ficResourceName";
  const parameters = {
    audiences: ["api://AzureADTokenExchange"],
    issuer: "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    subject: "system:serviceaccount:ns:svcaccount",
  };
  const credential = new DefaultAzureCredential();
  const client = new ManagedServiceIdentityClient(credential, subscriptionId);
  const result = await client.federatedIdentityCredentials.createOrUpdate(
    resourceGroupName,
    resourceName,
    federatedIdentityCredentialResourceName,
    parameters
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.ManagedServiceIdentities;

// Generated from example definition: specification/msi/resource-manager/Microsoft.ManagedIdentity/stable/2023-01-31/examples/FederatedIdentityCredentialCreate.json
// this example is just showing the usage of "FederatedIdentityCredentials_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this FederatedIdentityCredentialResource created on azure
// for more information of creating FederatedIdentityCredentialResource, please refer to the document of FederatedIdentityCredentialResource
string subscriptionId = "c267c0e7-0a73-4789-9e17-d26aeb0904e5";
string resourceGroupName = "rgName";
string resourceName = "resourceName";
string federatedIdentityCredentialResourceName = "ficResourceName";
ResourceIdentifier federatedIdentityCredentialResourceId = FederatedIdentityCredentialResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, resourceName, federatedIdentityCredentialResourceName);
FederatedIdentityCredentialResource federatedIdentityCredential = client.GetFederatedIdentityCredentialResource(federatedIdentityCredentialResourceId);

// invoke the operation
FederatedIdentityCredentialData data = new FederatedIdentityCredentialData()
{
    IssuerUri = new Uri("https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID"),
    Subject = "system:serviceaccount:ns:svcaccount",
    Audiences =
    {
    "api://AzureADTokenExchange"
    },
};
ArmOperation<FederatedIdentityCredentialResource> lro = await federatedIdentityCredential.UpdateAsync(WaitUntil.Completed, data);
FederatedIdentityCredentialResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
FederatedIdentityCredentialData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

샘플 응답

상태 코드:: 201

{
  "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName",
  "name": "ficResourceName",
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  },
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

상태 코드:: 200

{
  "id": "/subscriptions/c267c0e7-0a73-4789-9e17-d26aeb0904e5/resourcegroups/rgName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identityName/federatedIdentityCredentials/ficResourceName",
  "name": "ficResourceName",
  "properties": {
    "issuer": "https://oidc.prod-aks.azure.com/TenantGUID/IssuerGUID",
    "subject": "system:serviceaccount:ns:svcaccount",
    "audiences": [
      "api://AzureADTokenExchange"
    ]
  },
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}

정의

Name	Description
CloudError	ManagedServiceIdentity 서비스의 오류 응답입니다.
CloudErrorBody	ManagedServiceIdentity 서비스의 오류 응답입니다.
createdByType	리소스를 만든 ID의 형식입니다.
FederatedIdentityCredential	페더레이션 ID 자격 증명을 설명합니다.
systemData	리소스 만들기 및 마지막 수정과 관련된 메타데이터입니다.

CloudError

ManagedServiceIdentity 서비스의 오류 응답입니다.

Name	형식	Description
error	CloudErrorBody	오류에 대한 추가 세부 정보 목록입니다.

CloudErrorBody

ManagedServiceIdentity 서비스의 오류 응답입니다.

Name	형식	Description
code	string	오류의 식별자입니다.
details	CloudErrorBody[]	오류에 대한 추가 세부 정보 목록입니다.
message	string	사용자 인터페이스에 표시하기에 적합한 오류를 설명하는 메시지입니다.
target	string	특정 오류의 대상입니다. 예를 들어 오류에 있는 속성의 이름입니다.

createdByType

리소스를 만든 ID의 형식입니다.

Name	형식	Description
Application	string
Key	string
ManagedIdentity	string
User	string

FederatedIdentityCredential

페더레이션 ID 자격 증명을 설명합니다.

Name	형식	Description
id	string	리소스에 대한 정규화된 리소스 ID입니다. 예: "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
name	string	리소스의 이름입니다.
properties.audiences	string[]	발급된 토큰에 나타날 수 있는 대상 그룹 목록입니다.
properties.issuer	string	신뢰할 수 있는 발급자의 URL입니다.
properties.subject	string	외부 ID의 식별자입니다.
systemData	systemData	createdBy 및 modifiedBy 정보가 포함된 Azure Resource Manager 메타데이터입니다.
type	string	리소스 형식입니다. 예: "Microsoft.Compute/virtualMachines" 또는 "Microsoft.Storage/storageAccounts"

systemData

리소스 만들기 및 마지막 수정과 관련된 메타데이터입니다.

Name	형식	Description
createdAt	string	UTC(리소스 만들기)의 타임스탬프입니다.
createdBy	string	리소스를 만든 ID입니다.
createdByType	createdByType	리소스를 만든 ID의 형식입니다.
lastModifiedAt	string	리소스 마지막 수정의 타임스탬프(UTC)
lastModifiedBy	string	리소스를 마지막으로 수정한 ID입니다.
lastModifiedByType	createdByType	리소스를 마지막으로 수정한 ID 유형입니다.