How to Run Login-AzureRmAccount to Login Silently when working with PowerShell script in azure Automation Runbooks to get data from Azure Subscription
Issue: This blogpost is to fix the below error message:
Use Azure AD Service Principal to resolve this issue. So what is Service Principal?
Service principal means running an application as a user and giving full access to it so now it can perform any action against azure subscription level. As Azure subscription is always present in the Azure Active Directory tenant; must add the information of application in Azure AD tenant and this is nothing but the service principal.
So how do we create a Service principal? Well you don’t have to create because it is already exists when we have an Azure ARM automation account created.
Open Assets -> Connections -> AzureRunAsConection
This shows type as Azure service principal and there are many Ids present.
Application Id is the one by which your Automation account is identified as Service principal in Azure AD. Tenant id is nothing but Azure AD id under which your subscription exists. Subscription Id is the actual Azure subscription Id.
Let’s verify this exist in your Azure AD as well. For the same, on Azure portal open
Azure Active Directory -> App Registrations
You will see an Application Id same as what we have observed under automation account connection.
This means AzureRunAsConection of automation account is acting as Service principal. Hence it can be used for authentication against the subscription and also to perform operations against our azure subscription. With this let’s write some PowerShell code to perform authentication using service principal.
Get-AzureRmResourceGroup : Run Login-AzureRmAccount to login.
At line:35 char:19
+ $ResourceGroups = Get-AzureRmResourceGroup
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:)PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,Microsoft.Azure.Commands.Resources
When executing any AzureRM [i.e. Azure Resource Manager] PowerShell command first requires Azure authentication at Azure subscription level.
So if executing AzureRM command without Login-AzureRMAccount, we will get an error message as above.
Solution:
Use Azure AD Service Principal to resolve this issue. So what is Service Principal?
Service principal means running an application as a user and giving full access to it so now it can perform any action against azure subscription level. As Azure subscription is always present in the Azure Active Directory tenant; must add the information of application in Azure AD tenant and this is nothing but the service principal.
So how do we create a Service principal? Well you don’t have to create because it is already exists when we have an Azure ARM automation account created.
Open Assets -> Connections -> AzureRunAsConection
This shows type as Azure service principal and there are many Ids present.
Application Id is the one by which your Automation account is identified as Service principal in Azure AD. Tenant id is nothing but Azure AD id under which your subscription exists. Subscription Id is the actual Azure subscription Id.
Let’s verify this exist in your Azure AD as well. For the same, on Azure portal open
Azure Active Directory -> App Registrations
You will see an Application Id same as what we have observed under automation account connection.
This means AzureRunAsConection of automation account is acting as Service principal. Hence it can be used for authentication against the subscription and also to perform operations against our azure subscription. With this let’s write some PowerShell code to perform authentication using service principal.
Authenticating using Service principal
Code for authenticating Azure Automation account runbook using Automation connection as Service principal is shown below: Add above code segment in any runbook you wish to in Azure Automation account and you will never receive error of “Run Login-AzureRMAccount to login”. Thats it!! :-)
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
$account = Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Write-Output $account
No comments:
Post a Comment