I wish to select a subscription available to my service principal within an Azure Automation PS job. Running the following code locally works fine, but within the automation job I only get the following error:
Provided subscription xxxx-xxxx-xxxx-xxx-xxxx does not exist.
The subscription does exist, and the service principal has access to it when I log on to it locally.
$id = "someid"
$pass = "somepass"
$securePass = $pass | ConvertTo-SecureString -AsPlainText -Force
$cred = new-object -TypeName System.Management.Automation.PsCredential -ArgumentList $id, $securePass
$tenantId = "someID"
Add-AzureRmAccount -Credential $cred -TenantId $tenantId -ServicePrincipal
Select-AzureRmSubscription -SubscriptionId "someID"
Finally, I figured out this issue after some days.
This issue is already reported here.
It is due to an issue with the Add-AzureRmAccount cmdlet when used with a Service Principal.
There is a workaround for this issue, as mentioned by Hariharan:
$connectionAssetName = "AzureRunAsConnection"
$conn = Get-AutomationConnection -Name $ConnectionAssetName
Login-AzureRmAccount `
-ServicePrincipal `
-CertificateThumbprint $conn.CertificateThumbprint `
-ApplicationId $conn.ApplicationId `
-TenantId $conn.TenantID `
-Environment AzureGermanCloud
Refer to this S.O. post.
To use Azure Automation, you should create the Automation account with AzureRunAsConnection enabled. Then from the script you utilize it like this:
$connectionName = "AzureRunAsConnection"
try {
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Connect-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection) {
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
}
else {
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Hope this helps
Related
I am trying to run a simple PowerShell runbook using an Azure Automation account. I have a Run As account set up which has Contributor privilege over the subscription, and I am trying to get a list of IPs whitelisted in one of my SQL servers.
Import-Module Az.Sql
Import-Module Az.Accounts
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Get-AzSqlServerFirewallRule -ResourceGroupName test-rg -ServerName test-server101
When I run this I get the below error.
Get-AzSqlServerFirewallRule : No subscription found in the context. Please ensure that the credentials you provided are authorized to access an Azure subscription, then run Connect-AzAccount to login.
At line:36 char:1
+ Get-AzSqlServerFirewallRule -ResourceGroupName test-rg -ServerName te ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : CloseError: (:) [Get-AzSqlServerFirewallRule], AzPSApplicationException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Sql.FirewallRule.Cmdlet.GetAzureSqlServerFirewallRule
I noticed that the Get-AzSqlServerFirewallRule cmdlet has an option to set -DefaultProfile. However, I am not sure what is to be given here.
What am I doing wrong here?
You're mixing PowerShell modules. If you're using the Az module, then you need to use Connect-AzAccount rather than Add-AzureRmAccount. If you're using the AzureRm module, then you need to use Get-AzureRmSqlServerFirewallRule rather than Get-AzSqlServerFirewallRule.
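The module mix diagnosed above is easy to catch before the runbook is ever imported. As an added example (not code from the answer), the following lint scans a runbook's text for AzureRm- and Az-prefixed cmdlets and reports when both families appear. The function names are hypothetical and the sample script is constructed from the question; nothing here touches Azure, so it runs offline.

```powershell
# Added example, not part of the original answer: a pre-deployment lint that
# detects AzureRm/Az cmdlet mixing in a runbook. Function names are hypothetical.

function Get-AzCmdletFamilies {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ScriptText)

    # Match Verb-AzureRmNoun and Verb-AzNoun. The negative lookahead stops "Az"
    # from matching "Azure..." names: Get-AzureKeyVaultSecret is an AzureRM.KeyVault
    # cmdlet without the Rm infix, so it is deliberately left unclassified.
    # The match is case-sensitive, which is what canonical cmdlet casing uses.
    $pattern = '\b[A-Za-z]+-(AzureRm|Az)(?![a-z])[A-Za-z0-9]+'
    $result = @{ AzureRm = @(); Az = @() }
    foreach ($m in [regex]::Matches($ScriptText, $pattern)) {
        $family = $m.Groups[1].Value
        $result[$family] += $m.Value
    }
    # Copy the key list first: modifying values while enumerating Keys throws.
    foreach ($k in @($result.Keys)) {
        $result[$k] = @($result[$k] | Sort-Object -Unique)
    }
    return $result
}

function Test-RunbookModuleMix {
    param([Parameter(Mandatory)][string]$ScriptText)
    $fam = Get-AzCmdletFamilies -ScriptText $ScriptText
    [pscustomobject]@{
        Mixed   = ($fam.AzureRm.Count -gt 0) -and ($fam.Az.Count -gt 0)
        AzureRm = $fam.AzureRm
        Az      = $fam.Az
    }
}

# Constructed sample: the runbook from the question, reduced to the relevant lines.
$sample = @'
Import-Module Az.Sql
Add-AzureRmAccount -ServicePrincipal -TenantId $c.TenantId -ApplicationId $c.ApplicationId -CertificateThumbprint $c.CertificateThumbprint
Get-AzSqlServerFirewallRule -ResourceGroupName test-rg -ServerName test-server101
'@

$report = Test-RunbookModuleMix -ScriptText $sample
if ($report.Mixed) {
    Write-Warning ("Runbook mixes AzureRm ({0}) and Az ({1}) cmdlets; pick one module." -f
        ($report.AzureRm -join ', '), ($report.Az -join ', '))
}
$report
```

Run it against the .ps1 locally (`Test-RunbookModuleMix -ScriptText (Get-Content .\runbook.ps1 -Raw)`); a `Mixed = True` result means the login and the resource cmdlets will populate different contexts, which is exactly the "No subscription found in the context" failure shown in the question.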
I have three subscriptions in the same tenant, say Sub1, Sub2 and Sub3. I have created an Automation Account in Sub1 and my VMs are in Sub3 (can't create an Automation account in Sub3 due to some restrictions). I want to write a PowerShell script which will start a Sub3 VM.
When I run Get-AzureRmSubscription it gives me only my current subscription, i.e. Sub1.
My Azure Automation script is as below:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Get-AzureRmSubscription
# $context = Get-AzureRmSubscription -SubscriptionId {subId}
# Set-AzureRmContext $context
# Start-AzureRmVM -ResourceGroupName "ResourceName" -Name "VMName"
Can you please guide me on how I can do this?
Since your subscriptions are in the same tenant, you can directly assign an Azure RBAC role to your Azure Automation connection (service principal) in your Sub3. Then you can manage Azure resources in Sub3.
For example
Get the Connection Application ID
Assign role
Connect-AzAccount
$sp = Get-AzADServicePrincipal -ApplicationId <the appId you copied>
Set-AzContext -SubscriptionId <the id of Sub3>
# Assign the Contributor role to the connection at subscription level
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName Contributor
Test
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Get-AzureRmSubscription
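Once the role assignment above is in place, the remaining problem is that the login picks a default subscription rather than Sub3. As an added example (not the answer's own code, and written with the Az module rather than AzureRm), the runbook below logs in with the Run As connection, verifies that the target subscription is actually visible to the service principal, pins the context explicitly, and only then starts the VM. The same explicit `Set-AzContext` is how a job selects a subscription at all, which is what the first question on this page asks. The parameter names and the assumption that Az.Accounts and Az.Compute are imported into the Automation account are this example's own.

```powershell
# Added example, not code from the answer above. Assumes the Run As service
# principal has a role in the target subscription and that Az.Accounts and
# Az.Compute are imported into the Automation account. Parameter names are
# hypothetical.
param(
    [Parameter(Mandatory)][string]$TargetSubscriptionId,   # e.g. Sub3
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$VMName
)

$ErrorActionPreference = 'Stop'
# Do not persist the context across sandbox runs; every job logs in fresh.
$null = Disable-AzContextAutosave -Scope Process

$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
$null = Connect-AzAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint

# Connect-AzAccount selects a default subscription, not necessarily the target.
# Get-AzSubscription lists every subscription the SP holds a role in; if the
# target is missing, the RBAC assignment is absent or has not propagated yet,
# so fail closed instead of acting in the wrong subscription.
$visible = Get-AzSubscription -TenantId $conn.TenantId
if ($visible.Id -notcontains $TargetSubscriptionId) {
    throw "Subscription $TargetSubscriptionId is not visible to app $($conn.ApplicationId); visible: $($visible.Id -join ', ')"
}

$ctx = Set-AzContext -SubscriptionId $TargetSubscriptionId -Tenant $conn.TenantId
Write-Output "Context set to $($ctx.Subscription.Name) ($($ctx.Subscription.Id))"

# Resolve the VM before acting so a wrong name fails loudly.
$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name
```

The visibility check is the useful part: `Get-AzSubscription` returning only Sub1 (the symptom in the question) now produces a clear error naming the application ID to grant, instead of a confusing "does not exist" from `Set-AzContext`.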
I have some issues.
I have some SSL certs from LetsEncrypt in Key Vault, and I want to automate installing the certificates to a VM in Azure. I created a runbook with some code:
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
$certUrl = (Get-AzureKeyVaultSecret -VaultName "MyVault" -Name "letsecrypt-my-cert").Id
$vm = Get-AzureRmVM -ResourceGroupName "MyRS" -Name "MyVm"
$vaultId = (Get-AzureRmKeyVault -VaultName "MyVault").ResourceId
$certStore = "MySSL"
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore $certStore -CertificateUrl $certUrl
Update-AzureRmVM -ResourceGroupName "MyRS" -VM $vm
It installs the SSL cert to my VM, but I want to check some parameters of the certificate and then run this script, for example: if the certificate was updated, run the install to the VM, and if not, do nothing. What parameters must I use and how do I check them? Maybe someone has done a similar task?
I solved this issue with these code modifications:
$connectionName = "AzureRunAsConnection"
try
{
# Get the connection "AzureRunAsConnection "
$servicePrincipalConnection=Get-AutomationConnection -Name $connectionName
"Logging in to Azure..."
Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
} else{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
$certUrl = (Get-AzureKeyVaultSecret -VaultName "MyVault" -Name "letsecrypt-MyCert").Id
$vm=Get-AzureRmVM -ResourceGroupName "MyRG" -Name "MyVm"
$certUrlOnVM=$vm.osProfile.secrets.vaultCertificates.certificateUrl
$vaultId=(Get-AzureRmKeyVault -VaultName "MyVault").ResourceId
$curentDate = Get-Date
$d = $curentDate.day
$m = $curentDate.month
$y = $curentDate.year
$curentDateStr = "$d/$m/$y"
$certStore = "MySSL_"+$curentDateStr
if ($certUrl.equals($certUrlOnVM)){
"Certificate already installed on VM"
} else {
Get-AzureRmVM -ResourceGroupName "MyRG" -Name "MyVm" | Remove-AzureRmVMSecret | Update-AzureRmVM
$vm = Add-AzureRmVMSecret -VM $vm -SourceVaultId $vaultId -CertificateStore $certStore -CertificateUrl $certURL
Update-AzureRmVM -ResourceGroupName "MyRG" -VM $vm
"Certificate installed on VM successfully"
}
I added some variables to get the certificate URL in Key Vault and the certificateUrl section from the OSProfile on the VM. I check if the cert in Key Vault and on the VM are identical; if so I do nothing, if not I remove the old section on the VM and install the new cert.
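The comparison in the answer works for a VM with a single attached secret, but `$vm.osProfile.secrets.vaultCertificates.certificateUrl` is an array as soon as more than one certificate is attached, and `.Equals()` then never matches. As an added example (not the answerer's code), the check below parses versioned Key Vault secret identifiers, compares them case-insensitively on the vault host, and looks for the current version among all installed entries. The function names are hypothetical and the VM object is constructed to mimic `Get-AzureRmVM` output so the block runs offline.

```powershell
# Added example, not the answerer's code: decide whether the current Key Vault
# certificate version is already deployed to a VM. Function names hypothetical.

function ConvertTo-KeyVaultSecretKey {
    param([Parameter(Mandatory)][string]$SecretUrl)
    # https://myvault.vault.azure.net/secrets/<name>/<version>  ->  "myvault|<name>|<version>"
    $u = [uri]$SecretUrl
    $segments = $u.AbsolutePath.Trim('/').Split('/')
    if ($segments.Count -ne 3 -or $segments[0] -ne 'secrets') {
        # An unversioned identifier cannot tell us whether the VM is current.
        throw "Not a versioned Key Vault secret identifier: $SecretUrl"
    }
    return ('{0}|{1}|{2}' -f $u.Host.ToLowerInvariant(), $segments[1], $segments[2])
}

function Test-VMCertificateCurrent {
    param(
        [Parameter(Mandatory)][string]$DesiredCertUrl,
        [Parameter(Mandatory)]$VM     # PSVirtualMachine, or any object with OSProfile.Secrets
    )
    $desired = ConvertTo-KeyVaultSecretKey -SecretUrl $DesiredCertUrl
    $installed = @()
    # Secrets and VaultCertificates are both arrays; @() keeps single items iterable.
    foreach ($secret in @($VM.OSProfile.Secrets)) {
        foreach ($vc in @($secret.VaultCertificates)) {
            if ($vc.CertificateUrl) {
                $installed += ConvertTo-KeyVaultSecretKey -SecretUrl $vc.CertificateUrl
            }
        }
    }
    return [bool]($installed -contains $desired)
}

# Constructed sample input (no real resources): the vault holds version 3f2a9c1d,
# the VM still carries version 1b0c7e55 with a differently-cased host.
$currentCertUrl = 'https://myvault.vault.azure.net/secrets/letsencrypt-mycert/3f2a9c1d'
$vm = [pscustomobject]@{
    OSProfile = [pscustomobject]@{
        Secrets = @(
            [pscustomobject]@{
                VaultCertificates = @(
                    [pscustomobject]@{
                        CertificateUrl   = 'https://MyVault.vault.azure.net/secrets/letsencrypt-mycert/1b0c7e55'
                        CertificateStore = 'MySSL'
                    }
                )
            }
        )
    }
}

if (Test-VMCertificateCurrent -DesiredCertUrl $currentCertUrl -VM $vm) {
    'Certificate already installed on VM; nothing to do.'
} else {
    'Newer certificate version in Key Vault; run Remove-AzureRmVMSecret, Add-AzureRmVMSecret and Update-AzureRmVM.'
}
```

In the runbook, `$currentCertUrl` comes from `(Get-AzureKeyVaultSecret ...).Id` and `$vm` from `Get-AzureRmVM`, exactly as in the answer; only the comparison changes.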
We have multiple VMs in our Azure environment with multiple resource groups. Some of the resource groups have multiple VMs. We are now using a URL-triggered webhook that will start or stop VMs. This is working, but when a resource group contains multiple VMs, all the VMs will start or all the VMs will stop instead of the one you want to start/stop.
I tried multiple scripts, but they aren't working or give me errors.
param(
    [Parameter(Mandatory=$false)]
    [object]
    $WebHookData
)
Write-Output "Data WebHook $WebHookData"
# Retrieve ResourceGroup
$ResourceGroupName = $WebHookData.RequestBody
Write-Output "Data ResourceGroup $ResourceGroupName"
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzureRmAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
$VMs = Get-AzureRmVM -ResourceGroupName $ResourceGroupName
if (!$VMs)
{
    Write-Output -InputObject 'No VMs were found in the specified Resource Group.'
}
else
{
    ForEach ($VM in $VMs)
    {
        $StartVM = Stop-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VM.Name -Force #-ErrorAction SilentlyContinue
    }
}
$message = ConvertTo-Json -Compress -InputObject ([ordered]@{
    headers = @{'content-type' = 'text/plain'}
    body = ''
    statusCode = 200
})
You could try the script below to start/stop virtual machines.
Start VM
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
$null = Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
$VMs = Get-AzureRmResource|Where-Object {$_.Tags.Keys -eq "owner" -and $_.Tags.Values -eq "daneum"}
foreach ($VM in $VMs) {
if ($VM.ResourceType -eq "Microsoft.Compute/virtualMachines") {
Start-AzureRmVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -Verbose
}
}
Stop VM
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
$null = Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
$VMs = Get-AzureRmResource|Where-Object {$_.Tags.Keys -eq "owner" -and $_.Tags.Values -eq "daneum"}
foreach ($VM in $VMs) {
if ($VM.ResourceType -eq "Microsoft.Compute/virtualMachines") {
Stop-AzureRmVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -Force -Verbose
}
}
For the webhook integration procedure, you could take a look here.
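The answer selects VMs by tag, which still acts on a set. The question's actual requirement is one VM per call, and the question's own script passes only a resource group name in the request body. As an added example (not the answerer's code, and written for the Az module), the runbook below expects a small JSON body carrying the resource group, VM name and action, validates all three before any cmdlet sees them, and acts on exactly that VM. The JSON shape and the parsing function name are this example's own choices. Validation matters here: the webhook URL is a bearer secret, and whoever holds it can post anything into `RequestBody`.

```powershell
# Added example, not the answerer's code. Request body format (chosen for this
# example): {"ResourceGroupName":"rg1","VMName":"vm1","Action":"Stop"}
# Assumes Az.Accounts and Az.Compute are imported into the Automation account.
param(
    [Parameter(Mandatory = $false)][object]$WebhookData
)

function ConvertFrom-VMWebhookRequest {
    param([Parameter(Mandatory)][string]$RequestBody)

    $req = $RequestBody | ConvertFrom-Json
    $allowedActions = 'Start', 'Stop'
    # Conservative shape for resource group / VM names: alphanumerics plus . _ -
    $namePattern = '^[A-Za-z0-9][A-Za-z0-9._-]{0,79}$'

    if ($req.Action -notin $allowedActions) { throw "Action must be one of: $($allowedActions -join ', ')" }
    if ($req.ResourceGroupName -notmatch $namePattern) { throw 'Invalid ResourceGroupName' }
    if ($req.VMName -notmatch $namePattern) { throw 'Invalid VMName' }

    [pscustomobject]@{
        ResourceGroupName = [string]$req.ResourceGroupName
        VMName            = [string]$req.VMName
        Action            = [string]$req.Action
    }
}

if (-not $WebhookData) { throw 'This runbook must be started from a webhook.' }
# Defensive: depending on the runtime, WebhookData may arrive as a JSON string
# rather than an object. Handle both.
if ($WebhookData -is [string]) { $WebhookData = $WebhookData | ConvertFrom-Json }

$request = ConvertFrom-VMWebhookRequest -RequestBody $WebhookData.RequestBody
Write-Output "Request: $($request.Action) $($request.ResourceGroupName)/$($request.VMName)"

$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
$null = Connect-AzAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint

# Resolve the single VM first so a typo fails loudly rather than doing nothing.
$vm = Get-AzVM -ResourceGroupName $request.ResourceGroupName -Name $request.VMName -ErrorAction Stop

switch ($request.Action) {
    'Start' { Start-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name }
    'Stop'  { Stop-AzVM  -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force }
}
```

A webhook call then looks like `Invoke-RestMethod -Method Post -Uri $webhookUrl -Body '{"ResourceGroupName":"rg1","VMName":"vm1","Action":"Stop"}'`; a body naming a resource group without a VM is rejected instead of being interpreted as "everything in the group".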
I am trying to run a Hive query using PowerShell against my HDInsight cluster. The Hadoop job completes successfully, as I can see the logs in the YARN UI. But the Invoke-AzureRmHDInsightHiveJob command fails with the below error. What am I doing wrong?
This is the complete code:
$RunAsConnection = Get-AutomationConnection -Name AzureRunAsConnection;
try
{
$Login=Add-AzureRmAccount -ServicePrincipal -TenantId $RunAsConnection.TenantId -ApplicationId $RunAsConnection.ApplicationId -CertificateThumbprint $RunAsConnection.CertificateThumbprint -ErrorAction Stop
}
catch
{
Sleep 10;
$Login=Add-AzureRmAccount -ServicePrincipal -TenantId $RunAsConnection.TenantId -ApplicationId $RunAsConnection.ApplicationId -CertificateThumbprint $RunAsConnection.CertificateThumbprint
};
Set-AzureRmContext -SubscriptionId $RunAsConnection.SubscriptionID
Connect-AzureRmAccount -ServicePrincipal -Tenant $RunAsConnection.TenantID -ApplicationId $RunAsConnection.ApplicationID -CertificateThumbprint $RunAsConnection.CertificateThumbprint
$ResourceGroupName = "xxxxxx"
$StorageAccountName = "xxxxxx"
$StorageAccountKey = (Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroupName -AccountName $StorageAccountName).Value[0]
# The following line is incomplete in the post (its beginning is missing); kept as a comment so the script parses:
# $StorageAccountName -StorageAccountKey $StorageAccountKey
$StorageAccountContainer = "xxxxxx"
$clusterName = "xxxxxx"
$creds=Get-Credential -Message "Enter the login for the cluster"
Use-AzureRmHDInsightCluster -ClusterName $clusterName -HttpCredential $creds
$queryString = "select 1"
Invoke-AzureRmHDInsightHiveJob -Query $queryString -Verbose -DefaultStorageAccountName "$StorageAccountName.blob.core.windows.net" -DefaultStorageAccountKey $StorageAccountKey -DefaultContainer $StorageAccountContainer