I have an Azure Analysis Services with S1 SKU. There is an SPN who has OWNER RBAC over the AAS. I am trying to use a PowerShell 5.1 Runbook through an Automation Account to run the Restart-AzAnalysisServicesInstance cmdlet.
When I run the Runbook, I get to see the error:
Restart-AzAnalysisServicesInstance : Response status code does not indicate success: 401 (Unauthorized).
However, when I run the cmdlet locally, using my credentials to Connect-AzAccount in Windows Powershell ISE, it works. I am also an OWNER over the AAS.
Here's the Runbook:
# Init
$ErrorActionPreference = 'Stop'
$AutomationAccountConnectionName = "Name of my Connection that uses the Owner SPN"
# Get Automation connection (SPN connection details)
$servicePrincipalConnection = Get-AutomationConnection -Name $AutomationAccountConnectionName
Write-Output "Connected using SPN:"
$servicePrincipalConnection
# Connect using SPN
Write-Output "Connecting to AZ using the SPN connection:"
$Connection | ConvertTo-Json
$azContext = Connect-AzAccount -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-Tenant $servicePrincipalConnection.TenantId -ServicePrincipal
Write-Output ("Connected to azure using certificate with app id : " + $Connection.AppId)
# Get AAS
$aasServer = "test113aas"
$subscriptionId = "GUID of my azure subscrition"
Select-AzSubscription -Subscription $subscriptionId
$resourceObj = Get-AzAnalysisServicesServer -Name $aasServer
$ResourceObj
$AnalysisServer = $resourceObj.Name
$AnalysisServerLocation = 'northeurope'
$ModelName = 'adventureworks'
# # Connect AAS Account => This did not help as well
# Write-Host "Adding AAS Account"
# Add-AzAnalysisServicesAccount -RolloutEnvironment "$AnalysisServerLocation.asazure.windows.net" `
# -ServicePrincipal -ApplicationId $servicePrincipalConnection.ApplicationId `
# -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint -TenantId $servicePrincipalConnection.TenantId
# Restart AAS server
Write-Host "Server's full name is $($resourceObj.ServerFullName)"
Write-Host "$AnalysisServer : Preparing to Restart the Analysis Server"
$result = Restart-AzAnalysisServicesInstance –Instance $resourceObj.ServerFullName -PassThru # returns true if successful
$result
Any idea as to what I am missing out here? Documentation: https://learn.microsoft.com/en-us/powershell/module/az.analysisservices/restart-azanalysisservicesinstance?view=azps-7.2.0
I even tried running the same within an Azure PowerShell Core Function, since the documentation is for PowerShell 7+, but to no avail.
Turns out that we need to whitelist the client's IP before calling the cmdlet.
The error message could have been more precise.
Related
I am trying to make a code using PowerShell so that secrets are not hardcoded on my runbook so that it will not be exposed in the script. I created encrypted variables in my automation account. These variables are AppID, AppSecret and TenantID.
This is the part of the script to login automatically to Azure. I didn't use managed identity for some compatibility reasons with the script.
My script is running fine when secrets and IDs are hardcoded but when I created variables it is not working. Error message is "Run Connect-AzAccount". Below is my code. Need help on how to correct this. Thank you in advance.
$AzVariableApplicationID = 'AppID'
$AzVariableAppSecret = 'AppSecret'
$AzVariableTenantID = 'TenantID'
$AppID = Get-AzAutomationVariable -Name $AzVariableApplicationID
$AppSecret = Get-AzAutomationVariable -Name $AzVariableAppSecret
$TenantID = Get-AzAutomationVariable -Name $AzVariableTenantID
$SecureSecret = $AppSecret | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential `
-ArgumentList $AppID, $SecureSecret
Connect-AzAccount -ServicePrincipal -Credential $Credential -Tenant $TenantID
As described in PsCustom Object - Hitchikers GUID(e) to Automation
, It is not possible to retrieve values for encrypted variables as they’re available within the runbook at runtime via the Get-AutomationVariable cmdlet
I found an alternative approach to "Connect Azure" by using "Certificate-based authentication" inside PowerShell runbook without hardcoding the values:
Created a new Service principal and provided the "Owner" role access to avoid any restrictions.
To authenticate via service principal, I create a new self-signed certificate with the command:
$cert=New-SelfSignedCertificate -Subject "CN=xxxxxCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
Upload a certificate under Certifications & Secrets:
Click windows + R to open the run box and give certmgr.msc as shown here.
Export a certificate without private key.
Upload a certificate in the below path:
AzureAD -> App registrations -> Serviceprincipal
Now, I have exported the same certificate with key and uploaded inside my automation account to authenticate Service principal connection:
Added an "Azure Service Principal" connection inside automation accounts by providing "ApplicationID, TenantID, Certificate Thumbprint" of my Service principal as shown:
Inside PowerShell runbook, I ran the below script that works for me:
$connectionName = "serviceprincipalname"
try
{
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRMAccount
-ServicePrincipal `
-TenantID $servicePrincipalConnection.TenantID `
-ApplicationID $servicePrincipalConnection.applicationID `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found. "
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Logged in to Azure:
Register an App in App registrations and create a service principal in AzureAD
Azure Automation runbook fails when triggered from a Webhook
We have a runbook that runs just fine when launched via the “Start” button in the Azure Portal.
The exact same runbook fails when launched from a webhook using the exact same parameters.
The issue is that after the code in the runbook opens a valid connection to Azure, it tries to get one of the databases we are going to work with and it fails with an exception that reads “Resource group '''' could not be found.”
The same exact code and parameters work without any issues when run outside the Webhook.
We added code to get the context after the code does the login and we checked that the context name, subscription ID and Tenant ID are valid, and we even pass the context to the Get-AzSqlDatabase call and still it fails when triggered via the webhook. We are not sure what else we can try to diagnose and correct the issue.
Here is a sample of the code we run and where it fails...
. . .
Function Login {
Disable-AzContextAutosave -Scope Process
Write-Output "Logging in to Azure..."
$connectionName = "GoodTestingConnection"
try{
Connect-AzAccount -ServicePrincipal -Tenant $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
Write-Output "Error loging in to Azure: $_"
throw "Error loging in to Azure: $_"
}
}
$ErrorActionPreference = "Stop"
if ($WebHookData) {
Write-Output "Running runbook from web hook request"
$wbRunParams = (ConvertFrom-Json -InputObject $WebHookData.RequestBody)
Write-Output "Webhook parameters $wbRunParams"
$client = $wbRunParams.client
Write-Output "Running process for client $client"
}
Login
$ctx = Get-AzContext
Write-Output "Context nanme: $($ctx.Name)"
Write-Output "Environment name: $($ctx.Environment.Name)"
Write-Output "Subscription ID: $($ctx.Subscription.Id)"
Write-Output "Tenant ID: $($ctx.Tenant.Id)"
Write-Output "Getting the 'from' Db..."
$fromDb = Get-AzSqlDatabase `
-DatabaseName $copyFromDbName `
-ServerName $copyFromServer `
-ResourceGroupName $copyFromRG `
-DefaultProfile $ctx
$fromDb
#The code never reaches this point as it fails on the previous call
. . .
I had the same issue. Here is what worked for me.
When the automation runbook is triggered via the start option or via the test pane, the, the format needs to be converted. This is when you would use
$wbRunParams = (ConvertFrom-Json -InputObject $WebHookData.RequestBody)
When the runbook has to be triggered directly by webhook, no need to convert and the below would work.
$wbRunParams = $WebHookData.RequestBody
I am currently trying to write a powershell script which logs into azure and then deletes an SQL database.
When it gets to the database deletion it gives an error:
Remove-AzureSqlDatabase : No default subscription has been designated. Use Select-AzureSubscription -Default <subscriptionName> to set the default
subscription.
When i try to add a default subscription with Select-AzureSubscription -Default -SubscriptionName Pay-As-You-Go i get an error aswell:
Select-AzureSubscription : The subscription name Pay-As-You-Go doesn't exist.
I'm confused as to what the problem is and have tried connecting to the account via connect-AzAccount aswell.
The full script is:
$passwd = ConvertTo-SecureString password -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('accountname', $passwd)
Connect-AzureRmAccount -Credential $pscredential -Tenant "tenant string"
# Set-AzContext -SubscriptionId "subscription id"
Select-AzureSubscription -Default -SubscriptionName Pay-As-You-Go
# Get-AzureSubscription -SubscriptionName “Pay-As-You-Go” | Select-AzureSubscription -Default
Remove-AzureSqlDatabase -ServerName migrate -DatabaseName "AWS-Copy"
You could not mix the three powershell module Azure, Az, AzureRm together, and if you have installed the Az module, I recommend you to uninstall the AzureRm module, it was deprecated and will never be updated.
To remove sql db with Az module, your script should be like below. Make sure your account has an RBAC role(e.g. Owner, Contributor) of your subscription/SQL Server.
$passwd = ConvertTo-SecureString password -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential('accountname', $passwd)
Connect-AzAccount -Credential $pscredential -Tenant "<tenant-id>"
Set-AzContext -Subscription "<subscription-id>"
Remove-AzSqlDatabase -ResourceGroupName "<ResourceGroupName>" -ServerName "<ServerName>" -DatabaseName "<DatabaseName>"
I am trying to run a powershell script against all VMs in an azure subscription. I used AzureRunAsConnection to connect to the service principal. Using Get-AzureVM gives an error that I haven't set the default Subscription. When I try to set it using Select-AzureSubscription I am given an error message stating the subscription doesn't exist. Here's what I am using in the runbook.
'''
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantID -ApplicationID $conn.ApplicationID -CertificateThumbprint $conn.CertificateThumbprint
Select-AzureSubscription -SubscriptionName *********
'''
The exact error message is:
'''
Select-AzureSubscription : The subscription name ***** doesn't exist.
Parameter name: id
At line:3 char:1
+ Select-AzureSubscription -Current -SubscriptionName "******** ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Select-AzureSubscription], ArgumentException
+ FullyQualifiedErrorId : Microsoft.WindowsAzure.Commands.Profile.SelectAzureSubscriptionCommand
'''
What am I doing wrong to keep getting this error?
There are three generations of Azure powershell modules, "Azure", "AzureRM", and "AZ". Looks like you've got multiple installed. Try
Select-AzureRmSubscription
instead.
#david is right you are confusing the commands, Classic (Azure) vs AzureRM.
If the goal is to get VM in subscripts below are sample code for Calssic and AzureRM
Classic
$ConnectionAssetName = "AzureClassicRunAsConnection"
$connection = Get-AutomationConnection -Name $connectionAssetName
$Conn = Get-AutomationConnection -Name $ConnectionAssetName
$CertificateAssetName = $Conn.CertificateAssetName
$AzureCert = Get-AutomationCertificate -Name $CertificateAssetName
Set-AzureSubscription -SubscriptionName $Conn.SubscriptionName -SubscriptionId $Conn.SubscriptionID -Certificate $AzureCert
Select-AzureSubscription -SubscriptionId $Conn.SubscriptionID
Get-AzureVM
AzureRM
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
Get-AzureRMVM
Also keep in mind that connections are tied to a subscription so for AzureRM you do not needed to select a subscription. If you want to select one (Select-AzureRmSubscription) it should be the same as the one in the connection properties.
Simply, I'm running Connect-AzureRmAccount using runbook automation in Azure, it gives me the error below:
Unable to find an entry point named 'GetPerAdapterInfo' in DLL
'iphlpapi.dll'.
I already imported the Azureprofile module and I can not figure out what is the issue.
If you want to connect to the Azure account with the PowerShell command Connect-AzureRmAccount in your Runbook, then it is really unnecessary. Just as I said in the comment, when you use the Runbook, you are already in an exact subscription of the tenant with an account. So just run your script without connecting the account.
If you really want to connect with the PowerShell, you can use the service principal like this:
Disable-AzureRmContextAutosave –Scope Process
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationID $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
But I really suggest you can just run the PowerShell script in your Runbook directly.
Update
When you create the Runbook, there will be a connection for you to run the PowerShell script. Or you can create the connection as your requirement. See Connection assets in Azure Automation. You could just use the default connection use the code like this:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
I had the same problem, in my case I was trying to simply use the Azure Cmdlet Get-AzVm.
I previously used code similar to what Charles posted above, the problem is that doesn't work with the Az Cmdlets as you can't use both the AzureRM and the new Azure modules at the same time.
I replaced all of that with the following and now it works:
Disable-AzContextAutosave –Scope Process
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID `
-ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
$AzureContext = Select-AzSubscription -SubscriptionId $Conn.SubscriptionID
I found this in the following article: https://learn.microsoft.com/en-us/azure/automation/automation-first-runbook-textual