Certificate-based authentication of Azure Automation accounts
Table of Contents
Before you can manage Azure services with Azure Automation, you need to authenticate the Automation account against a subscription. This authentication process is part of each runbook. There are two different ways to authenticate against an Azure subscription:
- Active Directory user
- Certificate
If you want to use an Active Directory account, you have to create a credential asset in the Automation account and provide username and password for that Active Directory account. You can retrieve the credentials using the Get-AzureAutomationCredential cmdlet. This cmdlet returns a System.Management.Automation.PSCredential object, which can be used with Add-AzureAccount to connect to a subscription. If you want to use a certificate, you need four assets in the Automation account: A certificate and variables with the certificate name, the subscription ID and the subscription name. The values of these assets can be retrieved with Get-AutomationVariable and Get-AutomationCertificate.
Prerequisites
Before you start, you need a certificate. This certificate can be a self- or a CA-signed certificate. Check this blog post from Alice Waddicor if you want to start with a self-signed certificate. I used a certificate, that was signed by my lab CA.
At a Glance:
- self- or CA-signed certificate
- Base64 encoded DER format (file name extension .cer) to upload it as a management certificate
- PKCS #12 format with private key (file name extension .pfx or .cer) to use it as an asset inside the Automation account
Upload the management certificate
First, you must upload the certificate to the management certificates. Login to Azure and click “Settings”.
[caption id=“attachment_2548” align=“alignnone” width=“198”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Click on “Management Certificates”
[caption id=“attachment_2549” align=“alignnone” width=“293”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
and select “Upload” at the bottom of the website.
[caption id=“attachment_2550” align=“alignnone” width=“182”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Make sure that the certificate has the correct format and file name extension (.cer).
[caption id=“attachment_2551” align=“alignnone” width=“501”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Finish the upload dialog. After a few seconds, the certificate should appear in the listing.
[caption id=“attachment_2552” align=“alignnone” width=“740”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Create a new Automation account
Now it’s time to create the Automation account. Select “Automation” from the left panel.
[caption id=“attachment_2553” align=“alignnone” width=“200”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Click on “Create an Automation account”.
[caption id=“attachment_2554” align=“alignnone” width=“427”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Give your Automation account a descriptive name and select a region. Please note that an Automation account can manage Azure services from all regions!
[caption id=“attachment_2555” align=“alignnone” width=“502”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Click on the newly created account and click on “Assets”.
[caption id=“attachment_2556” align=“alignnone” width=“351”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Select “Add setting” from the bottom of the website.
[caption id=“attachment_2557” align=“alignnone” width=“246”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Add a credential asset by choosing “Add credential” and select “Certificate” as “Credential type”.
[caption id=“attachment_2558” align=“alignnone” width=“710”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Enter a descriptive name for the certificate. You should remember this name. You will need it later. Now you have to upload the certificate. The certificate must have the file name extension .pfx or .cer and it must include the private key!
[caption id=“attachment_2559” align=“alignnone” width=“710”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Finish the upload of the certificate. Now add three additional assets (variables).
[caption id=“attachment_2560” align=“alignnone” width=“710”] Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0[/caption]
Select the name, the value and the type from the table below. The name of the certificate is the descriptive name, you’ve previously entered when uploading the certificate.
Done. You’ve uploaded and created all the required certificates and variables.
How to use it
To use the certificate and the variables to connect to an Azure subscription, you have to use the two cmdlets Get-AutomationCertificate and Get-AutomationVariable. I use this code block in my runbooks:
$AzureSubscriptionName = Get-AutomationVariable -Name “AzureSubscriptionName” $AzureSubscriptionID = Get-AutomationVariable -Name “AzureSubscriptionID” $AutomationCertificateName = Get-AutomationVariable -Name “AutomationCertificateName” $CertificateName = Get-AutomationCertificate -Name $AutomationCertificateName
Set-AzureSubscription -SubscriptionName $AzureSubscriptionName -SubscriptionId $AzureSubscriptionID -Certificate $CertificateName Select-AzureSubscription $AzureSubscriptionName
Works like a charm.
Summary
Certificate-based authentication is an easy way to authenticate an Automation account against an Azure subscription. It’s easy to implement and you don’t have to maintain users and passwords. You can use different certificates for different Automation accounts. I really recommend this, especially if you have separate accounts for dev, test and production.
All you need is to upload a certificate as a management certificates, and as a credential asset in the Automation account. You can use a self- or CA-signed certificate. The subscription ID, the subscription name and the name of the certificate are stored in variables.
At the beginning of each runbook, you have to insert a code block. This code block takes care of authentication.