Azure Key Vault > Azure Automation Credential Supervisor
Azure Automation has its personal Credential Supervisor.
That is the best to make use of, however has no historical past or model management.
So you possibly can’t see when the worth was final modified, or who made the change throughout the portal (this may be finished by way of Log Analytics).
The Azure Key Vault can do that and rather more. This makes the Key Vault additionally helpful for Azure Automation.
You’ll be able to implement a Key Vault in your Azure Automation atmosphere by way of PowerShell scripts & Managed Id.
Beneath I clarify to you ways that is attainable and the way you should use the PowerShell features in your atmosphere.
Do you might have any questions, or do you see one thing that may very well be improved?
Then I’d love to listen to about it within the feedback.
By way of a module or separate PowerShell features?
I give you the answer in two methods.
Each have its benefits. Learn the beneath rigorously.
In case you solely run runbooks within the Azure sandbox (cloud), a PowerShell module is extra handy. Additionally as a result of it makes it simpler to get updates and so on.
However for those who use hybrid staff, the module should even be put in on the hybrid staff. By way of the PowerShell features you possibly can dot supply the scripts to your hybrid employee from the cloud.
This isn’t but attainable with the modules. On this means you solely have one dependency and that’s the PowerShell perform in Azure.
Is it not attainable to make use of the module when utilizing hybrid staff?
Definitely sure, solely then you definitely even have to put in the modules on the hybrid staff.
Comply with these steps if you wish to use the PowerShell module along with the Azure Key Vault
- Open the suitable Azure Automation atmosphere
- Go to modules
- Click on on Add a module
- Choose Browse from gallery
- Click on Click on right here to browse from gallery
- Seek for Optimized.AzAutomation
- Import the module
You’ll now see the module within the listing of put in modules within the Azure Automation sandbox.
Now observe the steps in part Allow Managed Id.
Comply with these steps if you wish to use the PowerShell features on a hybrid employee with out module dependencies
Go to my Github repository BasWijdenes and seek for the next two recordsdata:
Get-KeyVaultCredentialNew-ManagedIdentityAccessToken
They’re two separate PowerShell features as a result of they’re each generic, making, for instance the New-ManagedIdentityAccessToken extra broadly relevant.
Proceed with the steps beneath.
Get-KeyVaultCredential perform
- Create a brand new runbook in Azure Automation and identify it
Get-KeyVaultCredential.
Preserve the identify as they’re in Github in order that the features can name one another. - Copy the script content material from Github into the runbook and publish it.
New-ManagedIdentityAccessToken perform
We additionally want the New-ManagedIdentityAccessToken perform.
This can be discovered on Github.
By this perform we request an authorization token for the Azure Key Vault.
Place it in Azure Automation in the identical means because the Get-KeyVaultCredential perform.
You don’t have to dot supply or implement it. That is finished routinely by the perform itself.
How can we use this in runbooks sooner or later?
In Azure Automation you can also make helpful use of dot sourcing.
Dot sourcing signifies that you ‘paste’ the script into the prevailing script.
You do this this fashion:
. .Get-KeyVaultCredential.ps1So the relative path to the script & a dot.
And don’t overlook the .ps1 filename extension.
This manner the script is pasted into your runbook and you’ll name the suitable features. This works within the Azure sandbox & hybrid staff.
You can even dot supply New-ManagedIdentityAccessToken, however that is additionally finished by Get-KeyVaultCredential.
For extra about dot sourcing I’d prefer to refer your to Microsoft Docs.
Allow Managed Id
We have to allow Managed Id in Azure Automation and provides it permissions to the Azure Key Vault with a minimum of learn secrets and techniques permissions.
Microsoft Docs has a tutorial to allow the Managed Id:
Utilizing a system-assigned managed identification for an Azure Automation account | Microsoft Docs
You’ll be able to assign entry to the Azure Automation Managed Id in two methods.
By way of Entry Insurance policies or RBAC.
Microsoft Docs has a tutorial for each.
The selection is yours.
The Managed Id identify is the identify of your Azure Automation atmosphere.
The screenshot exhibits my Entry Insurance policies.
Now let’s begin utilizing the cmdlets!
Do you utilize the separate perform? Don’t overlook to dot supply Get-KeyVaultCredential.
The UserName parameter is the key identify within the Azure Key Vault.
I primarily use the cmdlets for credentials, so the cmdlet routinely turns them right into a person. You routinely obtain a Credential Object that you should use as credentials with out seeing the key as plain textual content.
Beneath is an instance.
Get-KeyVaultCredential -UserName 'TestUserName' -KeyVault 'KV-XXXX'
UserName Password
-------- --------
TestUserName System.Safety.SecureStringA credential object just isn’t all the time usable.
For this I made the -SecretOnly change that ensures that you simply get the worth again as plain textual content.
Get-KeyVaultCredential -UserName 'TestUserName' -KeyVault 'KV-HR-XXXX' -SecretOnly
TestUserValueAnd that’s it. Any more you should use the Azure Key Vault in collaboration with Azure Automation as a substitute of the built-in credential supervisor.
Associated
