AzureRM tasks in PowerShell Automation using Azure AD Principal - Part Two

-
In Part 1 we had covered the topics of understanding Azure Service Principals and how to create them. In this part we will look at using the Service Principals in a secure manner when creating Azure Automation Runbooks and carrying out AzureRM tasks.

We will not get into the details of how to create a automation account in Azure. It is very simple to follow the Microsoft Docs to create an automation account and also learn how to create a runbook and schedule it.

We will now focus on the how-to of using an Azure Service Principal in our PowerShell script.

In this example we will use the Password-based Service Principal for simplicity. Maybe I'll create another post for the certificate based service principal in a later update.

Note: The Service Principal can be used as any other account in Azure. So, you can use it with RBAC across Resource Groups/Resources as might be necessary.

Go to your Automation Account resource and scroll down to find "Credentials" in the left bar. Use the "Add a credential" option to create a new credential in the credential store. Fill in the fields as required. The username is the ID of your service principal and the password is the same what you set during the service principal creation.


You now have your Service Principal credentials stored securely in the Credential Store.

Now, the next step is using this inside your PowerShell script. Now it is important to note the name that we used when creating the credential in the Credential Store.

Here is a sample PowerShell that gets all Resource Groups that the Service Principal has access to.


$credentials = Get-AutomationPSCredential -Name 'PSAutomation Account'
Add-AzureRmAccount -ServicePrincipal -Credential $credentials -TenantId $TenantId

$resourceGroups = Get-AzResourceGroup 
 
if ($resourceGroups) { 
    foreach ($ResourceGroup in $resourceGroups) { 
        Write-Host $ResourceGroup.ResourceGroupName
    }
}
else {
    Write-Host "User has no access to any resource group"
}


Of course, this can easily be extended to more complex scripts and regular jobs that require automation.

Comments

Post a Comment

Popular posts from this blog

Automate Import of Functions/WebAPI in Azure API Management as backend and using OpenAPI definition and Terraform

-
Image
 When hosting APIs in Azure it is more and more common to make them available for consumption via an API Management Gateway. The advantages of using a API Management gateway are well known.  When adding a Function/WebAPI to an API Management gateway, the most common method is to add the Function/WebAPI as a backend in API Management and then exposing the Function/WebAPI as an API that uses this backend to process requests. There is a very simple way to do this using the Azure Portal. The portal allows connecting an existing Function or WebAPI inside the API Management gateway.  The portal now also allows to expose a function/web api from the action pane of functions and web api. While this makes it very easy to add APIs to API Management gateway using the portal, this would very soon become unmanageable and for more complex and automated environments, the obvious tilt would then be towards a automated deployment using one of the Infrastructure as Code (IaC) possibilities. In this examp
Read more

Transcripts with Microsoft Bot Framework v4

-
Image
For those that have been working with conversational interfaces namely bots, both developers and business users, have at some point come across the term transcript. So what is a " bot transcript file "? According to docs.microsoft.com, "A bot transcript file is a specialized JSON file that preserves the interactions between a user and your bot. A transcript file preserves not only the contents of a message, but also interaction details such as the user id, channel id, channel type, channel capabilities, time of the interaction, etc. All of this information can then be used to help find and resolve issues when testing or debugging your bot." If we look closely at this definition, we can see that a transcript is much more than just contents of messages exchanged between user and bot. It contains a lot more information in it's raw form. Thereby, it is quite evident that a transcript has use for both business users and developers. How can a business user use
Read more

Managing built-in cache in Azure API Management

-
Image
 Azure API Management offers caching possibilities to improve performance.  There are 2 caching options: Response Caching - Useful for caching entire HTTP responses Value Caching - To cache arbitrary pieces of data from within policy definitions. When it comes to the actual store, APIM supports: Built-in cache External Redis Compatible cache In this blog I will focus on how to manage "Value Caching". How do we set/retrieve/delete values using APIM policies? Typically, Value storage is used for fragment caching - where responses contain data that is expensive to determine and yet remains fresh for a reasonable amount of time. Also, within the APIM policies, we want to cache certain values e.g. OAuth tokens, key-vault secrets, etc. because these remain relatively fresh for a longer period of time. With caching comes the need to manage the cache specially when you need to clear cached values because they are stale.  In some scenarios, where OAuth tokens or secrets are cached, yo
Read more