THE SQL Server Blog Spot on the Web


Jamie Thomson

This is the blog of Jamie Thomson, a data mangler in London working for Dunnhumby

Passing credentials between Azure Automation runbooks

Update: Turns out there's an even easier way of achieving this than the method I've described in this blog post. Joe Levy explains all in the comments below. 

I’ve been doing a lot of work lately using Azure Automation to run (what are essentially) PowerShell scripts against Azure. Recently the ability for those scripts to authenticate against your Azure subscription using a username and password was provided (see Authenticating to Azure using Azure Active Directory); it basically involves a call to Get-AutomationPSCredential. Here’s a handy screenshot (stolen from the aforementioned blog post) to illustrate:

[Screenshot from the aforementioned blog post]

That’s all fine and dandy. However, you may find that you want to modularise your runbooks so that you have lots of smaller discrete code modules rather than one monolithic script. If you do, you’re probably not going to want to call Get-AutomationPSCredential each time (for a start, such calls make it hard to unit test your runbooks), so you may prefer to pass the credentials between your runbooks instead.

Here is how I do this. In your calling runbook get the credentials, extract the username and password and pass them to the called runbook:

workflow CallingRunbook
{
    # Fetch the credential asset once, in the calling runbook
    $AzureCred = Get-AutomationPSCredential -Name "MyCreds"
    # GetNetworkCredential() exposes the username and the password as plain strings
    $AzureUserName = $AzureCred.GetNetworkCredential().UserName
    $AzurePassword = $AzureCred.GetNetworkCredential().Password

    CalledRunbook -AzureUserName $AzureUserName -AzurePassword $AzurePassword
}

In the called runbook, use the passed-in values to authenticate to Azure:

workflow CalledRunbook
{
    param(
        [String]$AzureUserName,
        [String]$AzurePassword
    )
    # Rebuild a PSCredential from the plain-string username and password
    $SecurePassword = $AzurePassword | ConvertTo-SecureString -AsPlainText -Force
    $AzureCred = New-Object System.Management.Automation.PSCredential `
            -ArgumentList $AzureUserName, $SecurePassword
    Add-AzureAccount -Credential $AzureCred
}

Job done!


A quick and dirty blog post but one which folks should find useful if they’re using Azure Automation. Feedback welcome.

@Jamiet

Published Thursday, October 16, 2014 3:09 PM by jamiet

Comments

 

Joe Levy said:

Hi Jamie,

Passing credentials between runbooks definitely makes sense. However, my recommendation would be to pass this info between runbooks using a [PSCredential] type parameter, instead of string username and string password parameters. In addition to making it easier for the user to pass the credential since they don't need to extract the username and password, it also means if the child runbook is called using Start-AzureAutomationRunbook, or started directly from the Automation UI, the password field won't be logged in plaintext.

If you have a PSCredential parameter in a runbook, and call that runbook directly inline within another runbook, you can pass the PSCredential directly. If you call this same runbook using Start-AzureAutomationRunbook or from the Automation UI, you should provide the string name of an Azure Automation PSCredential asset for this parameter value, and Automation will find the credential asset with that name and pass the credential value of that asset through for the PSCredential parameter. See http://azure.microsoft.com/blog/2014/08/12/azure-automation-runbook-input-output-and-nested-runbooks/ for more details.

October 16, 2014 2:42 PM
 

jamiet said:

Hi Joe,

From that article:

"If a runbook parameter takes a PSCredential type then you need to pass the string name of a Azure Automation credential asset.  Behind the scenes, the Azure Automation credential asset with that name will be retrieved and passed to the runbook."

So I'm trying to get that working. Here's the code:

workflow CalledRunbook
{
   param(
       [Parameter(Mandatory=$true)]
       [PSCredential]
       $Credential
   )
   Add-AzureAccount -Credential $Credential
}

workflow CallingRunbook
{
   $AzureCred = Get-AutomationPSCredential -Name "MyCreds"
   $AzureUserName = $AzureCred.GetNetworkCredential().UserName
   $AzurePassword = $AzureCred.GetNetworkCredential().Password
   CalledRunbook -AzureUserName $AzureUserName -AzurePassword $AzurePassword
}

workflow CallingRunbook
{
   CalledRunbook -Credential "MyCreds"
}

When I run it, it fails with:

Cannot process argument transformation on parameter 'Credential'. Cannot convert the "MyCreds" value of type "System.String" to type "System.Management.Automation.PSCredential"

Anything obvious that I'm doing wrong? (I promise it's a valid asset name).

JT

October 17, 2014 11:22 AM
 

Joe Levy said:

In the above example, CallingRunbook is invoking CalledRunbook directly inline, so you just pass the credential object through in that case, rather than the string name of a credential asset. Just like if you were calling a function from a runbook.

It is only when you are calling CalledRunbook through an Azure Automation interface that you pass the credential asset name. So when using Start-AzureAutomationRunbook, or starting the runbook through the Azure Automation UI, for example.

October 17, 2014 3:20 PM
 

jamiet said:

Ah, easy. And I was being dumb. Again.

Thanks Joe.

October 20, 2014 3:34 AM
 

dopi said:

I too am dumb, any chance you could post a working example of Joe Levy's suggestion?

pretty please? ^^

September 2, 2015 3:32 PM
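
A working form of the approach Joe Levy describes in the comments above, as an added example that is not part of the original post or any commenter's code. It covers both calling paths: inline (pass the PSCredential object) and through Start-AzureAutomationRunbook (pass the asset name as a string). "MyCreds" is the asset name used in the post; the Automation account name "MyAutomationAccount" is a placeholder assumption.

```powershell
# Added example; "MyAutomationAccount" is a placeholder, "MyCreds" is the
# credential asset name used in the post.

workflow CalledRunbook
{
    param(
        [Parameter(Mandatory=$true)]
        [PSCredential]
        $Credential
    )
    # The credential arrives as a PSCredential object, so this runbook never
    # receives the password as a plain string parameter.
    Add-AzureAccount -Credential $Credential
}

# Path 1: inline call from another runbook.
# Pass the PSCredential object itself, exactly as you would to a function.
workflow CallingRunbook
{
    $AzureCred = Get-AutomationPSCredential -Name "MyCreds"
    CalledRunbook -Credential $AzureCred
}

# Path 2: starting CalledRunbook through an Azure Automation interface
# (run from a client PowerShell session, not from inside a workflow).
# Here the parameter value is the *name* of the credential asset; Automation
# looks the asset up and supplies the PSCredential to the runbook.
Start-AzureAutomationRunbook `
    -AutomationAccountName "MyAutomationAccount" `
    -Name "CalledRunbook" `
    -Parameters @{ Credential = "MyCreds" }
```

Passing the string "MyCreds" on path 1 produces the argument transformation error quoted in the comments, because an inline call performs no asset lookup.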
