How to query entities from Azure Storage Table with AzureRM? - azure

I have a couple of Azure Runbooks which use AzureRM to automatically scale service plans depending on some configuration.
That configuration is saved in my Azure Storage Account as entities in a table.
However, I can't find a way to read the entities from that table using AzureRM in my runbooks...
I can't use any Az modules because it would complain about also importing AzureRM next to Az. And I don't want to have 2 separate automation accounts just to be able to use AzureRM and Az at the same time.
So is there any way to get all the entities from an Azure Storage Table using the AzureRM module?

According to my test, if you want to use the AzureRm module to get all the entities from an Azure Storage Table, you can use the module AzureRmStorageTable. But please note that its version must be lower than 1.0.0.23. For more details, please refer to https://github.com/paulomarquesc/AzureRmStorageTable/blob/master/ReleaseNotes.md.
For example:
$connectionName = "AzureRunAsConnection"   # name of the Run As connection asset in the Automation account
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
# AzureRmStorageTable cmdlets (module version below 1.0.0.23): resolve the table, then read every entity in it
$table = Get-AzureStorageTableTable -resourceGroup jimtest -tableName SchemasTable -storageAccountName jimtestdiag417
Get-AzureStorageTableRowAll -table $table
Update
Regarding how to install a specific version of a module into an Azure Automation account, you can do that via the page.

Thanks to the comment of Michale B. on my question, the following has fixed my problem:
Could also make use of the alias option in the Az module. learn.microsoft.com/en-us/powershell/module/az.accounts/… . This will allow you to use (most) AzureRM functions, while also using the Az module
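The combination the update describes (Az modules plus the AzureRM alias layer) as an added example; this is not code from the question or either answer. It reuses the storage account, resource group and table names from the answer above, and assumes Az.Accounts, Az.Storage, Az.Websites and AzTable are imported into the Automation account and that the table holds entities with PartitionKey "scaling", RowKey = App Service plan name, and properties ResourceGroup, Tier and Workers (that schema is an assumption, not something the page states):

```powershell
# Added example (not from the original post): read scaling configuration entities with Az/AzTable
# while legacy *-AzureRm* cmdlet names keep resolving through Enable-AzureRmAlias.
# Assumed names: the entity schema (PartitionKey "scaling", RowKey = plan name, ResourceGroup/Tier/Workers).
$connectionName     = "AzureRunAsConnection"
$storageRg          = "jimtest"
$storageAccountName = "jimtestdiag417"
$tableName          = "SchemasTable"

$conn = Get-AutomationConnection -Name $connectionName
Connect-AzAccount -ServicePrincipal -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Make legacy AzureRM cmdlet names resolve to Az cmdlets in this process only,
# so older runbook code keeps working without importing the AzureRM modules next to Az.
Enable-AzureRmAlias -Scope Process

# A storage account key grants full data-plane access to the whole account:
# keep it in the sandbox, never write it to output or logs.
$key = (Get-AzStorageAccountKey -ResourceGroupName $storageRg -Name $storageAccountName)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key
$cloudTable = (Get-AzStorageTable -Name $tableName -Context $ctx).CloudTable

# Query only the partition this runbook owns; an unfiltered Get-AzTableRow scans the whole table.
$rows = Get-AzTableRow -Table $cloudTable -PartitionKey "scaling"

foreach ($row in $rows) {
    # Validate before acting: a tampered or malformed entity must not drive an arbitrary scale-up.
    if ($row.Tier -notin @("Basic", "Standard", "PremiumV2")) {
        Write-Warning "Skipping $($row.RowKey): unexpected tier '$($row.Tier)'"
        continue
    }
    $workers = [int]$row.Workers
    if ($workers -lt 1 -or $workers -gt 10) {
        Write-Warning "Skipping $($row.RowKey): worker count $workers is outside 1..10"
        continue
    }
    Write-Output "Scaling plan $($row.RowKey) in $($row.ResourceGroup) to $($row.Tier) x $workers"
    # Old AzureRM cmdlet name, resolved through the alias to Set-AzAppServicePlan
    Set-AzureRmAppServicePlan -ResourceGroupName $row.ResourceGroup -Name $row.RowKey `
        -Tier $row.Tier -NumberofWorkers $workers
}
```

The whitelist of tiers and the worker-count bounds are the part worth keeping: whoever can write to that table can otherwise make the runbook scale any plan to any size, so the configuration is treated as untrusted input even though it lives in your own storage account.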

Related

Azure lighthouse - cross tenant automation

I am preparing an automated solution in my Azure environment. I have to provide automation that will be able to manage resources in multiple Azure subscriptions spread across different Azure tenants. I am currently testing Azure Lighthouse, and it's a very useful service in the case of Backup and Update Management service management (multiple subscriptions, many tenants). In the MS documentation - Azure Lighthouse - cross-tenant-management-experience - there is a section Azure Automation with the short description "Use Automation accounts to access and work with delegated resources". The question is: how does it work? I didn't find a method to run a runbook from one central subscription and manage resources (list VMs, Storage Accounts) in a remote/customer's subscription. Is there any way to use Azure Lighthouse for running Automation runbooks from one central point and managing resources in a customer's account? I know that we can use Azure Monitor, create alerts and use them to run runbooks that manage resources in customers' accounts.
This answer is not related to Azure Lighthouse, but you can have an Automation runbook access multiple subscriptions by granting it the necessary permissions.
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
# Get-AzSubscription only returns subscriptions the Run As service principal holds a role on,
# so every target subscription needs a role assignment (Reader, Contributor, ...) for that principal.
$Subs = Get-AzSubscription   # optionally filter by name with Where-Object
foreach ($sub in $Subs) {
    # Switch the context to the current subscription before touching its resources
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Write-Output "Working in subscription $($sub.Name) ($($sub.Id))"
    # Rest of your script goes here, e.g. Get-AzVM or Get-AzStorageAccount
}

Can i use the same run as account for different azure automation accounts?

I have created a Run As Account for an Azure automation account. Is it possible to use the same Run As Account in a different automation account by creating a new automation connection with the same service principal?
I have tried to create a new automation connection in a different automation account with the same service principal but in the runbook, i get
No certificate was found in the certificate store with thumbprint xxxxxxxxxxxxxxxxxxxx
error.
Any idea?
Let's say the old automation account is account 1, the new one is account 2.
If you create a Run As Account for account 2, it will create a new service principal. If you want to use the service principal of the Run As Account in account 1, you could simply add a new Connection in account 2 like below.
Fix the values with the ones in Run As Account of account 1.
No certificate was found in the certificate store with thumbprint xxxxxxxxxxxxxxxxxxxx
For this issue, maybe there are some issues with the old certificate, you could click the Renew certificate and try again.
Then in your runbook, e.g. a PowerShell runbook, you could use the new connection to authenticate with the same service principal.
$connectionName = "testconn"
try
{
    # The connection asset only carries the thumbprint; the certificate itself must also exist
    # as a Certificate asset in this Automation account, otherwise Connect-AzAccount reports
    # "No certificate was found in the certificate store with thumbprint ..."
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

Set notification for Azure AD Apps key expiration

I was looking for a way to get notified before an Azure AD App key/credential expires. The link shows the script to list the details of the account and the expiration date. Is it possible to somehow automate, using Azure native services such as Logic Apps or Azure Monitor, a notification via email/SMS one week before expiration?
In my personal opinion, I recommend you use an Azure Automation runbook to do that.
1. Create an automation account (you need to create a Run As account) and a runbook (PowerShell type).
2. Navigate to the automation account in the portal -> Modules -> Browse Gallery -> import the AzureAD module.
3. Follow this link to assign a directory role to the service principal generated by the Run As account (I am not sure which role will be enough for Get-AzureADApplication; you could try the Global Administrator directly).
4. In your runbook, use the script below to log in with the service principal. Then run the sample in your question to get the expiry date, write an if/else statement to compare it with the current time, then use Send-MailMessage to send a mail message. Then save and publish your runbook.
$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Connect-AzureAD `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
5. Navigate to the runbook in the portal -> Schedules -> create and link a recurring schedule to your runbook, maybe every hour or every day; the details are up to you.
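The comparison-and-notify part of step 4, written out as an added example (not the answer's own code). It runs after the Connect-AzureAD block above. The SMTP server, sender and recipient addresses and the Automation credential asset name "smtp-sender" are placeholders you replace with your own; they are not from the page. On the role question in step 3: enumerating applications and reading credential metadata does not need Global Administrator, and a read-only directory role such as Directory Readers is the least-privilege starting point (treat that as something to verify in your tenant rather than a documented guarantee); never give an unattended automation principal a tenant-wide admin role just to read expiry dates.

```powershell
# Added example (not from the original answer): report Azure AD application credentials
# (client secrets and certificates) that are expired or expire within the next 7 days.
# Placeholders (not from the page): SMTP server, mail addresses, credential asset "smtp-sender".
$daysAhead  = 7
$smtpServer = "smtp.example.com"
$mailFrom   = "automation@example.com"
$mailTo     = "secops@example.com"
$smtpCred   = Get-AutomationPSCredential -Name "smtp-sender"

function Get-ExpiringAppCredentials {
    param([int]$Days)
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays($Days)
    $findings = @()
    # -All $true: without it only the first page of applications is returned and the rest are silently skipped
    foreach ($app in Get-AzureADApplication -All $true) {
        # Secrets (PasswordCredentials) and certificates (KeyCredentials) both carry an EndDate.
        # Only metadata is read here; the secret values themselves are never returned by the directory.
        $creds = @()
        foreach ($p in $app.PasswordCredentials) { $creds += [pscustomobject]@{ Type = "Secret";      KeyId = $p.KeyId; EndDate = $p.EndDate } }
        foreach ($k in $app.KeyCredentials)      { $creds += [pscustomobject]@{ Type = "Certificate"; KeyId = $k.KeyId; EndDate = $k.EndDate } }
        foreach ($c in $creds) {
            if ($null -eq $c.EndDate -or $c.EndDate -gt $cutoff) { continue }
            $daysLeft = [int]($c.EndDate - $now).TotalDays   # negative when already expired
            $findings += [pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                Type        = $c.Type
                KeyId       = $c.KeyId
                EndDate     = $c.EndDate
                DaysLeft    = $daysLeft
            }
        }
    }
    return $findings
}

$expiring = @(Get-ExpiringAppCredentials -Days $daysAhead)
if ($expiring.Count -eq 0) {
    Write-Output "No application credentials expire within $daysAhead days."
    return
}

# Plain-text table in the mail body; KeyId identifies the credential without exposing any secret material
$body = $expiring | Sort-Object EndDate |
    Format-Table Application, AppId, Type, KeyId, EndDate, DaysLeft -AutoSize | Out-String
Send-MailMessage -SmtpServer $smtpServer -UseSsl -Credential $smtpCred -From $mailFrom -To $mailTo `
    -Subject "Azure AD app credentials expiring within $daysAhead days ($($expiring.Count))" -Body $body
```

Already-expired credentials are reported too (negative DaysLeft) rather than filtered out, since a secret that silently expired is exactly the case a weekly schedule would otherwise miss.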

difference between 'Azure' and 'AzureServicePrincipal' in -ConnectionTypeName

1) What is the difference between 'Azure' and 'AzureServicePrincipal' in -ConnectionTypeName in New-AzureRMAutomationConnection?
2) When to use 'Azure' and when to use 'AzureServicePrincipal'?
Good question (+1). Actually I also tried to figure out the answer to your question for many days, but guess what! Microsoft itself doesn't have enough documentation to explain this.
Actually, there are 3 different connection types:
Azure
Azure Service Principal
Azure Classic Certificate
Azure Service Principal (Azure Run As Account): this account is used to manage Resource Manager deployment model resources.
Azure Classic Certificate (Azure Classic Run As Account): this account is used to manage Classic deployment model resources.
You can find the full details here.
But regarding the connection type Azure, I was not able to find it in any Microsoft official docs.
So I opened an issue about this at GitHub. You can track it here:
https://github.com/Azure/azure-powershell/issues/7048
Since you are trying to automate the runbook, you can use the script below to authenticate with Azure inside your workflow/script. Create the Automation account with Create Azure Run As account set to Yes.
Then you can include this piece of code in your workflow.
Write-Output "------------------------ Authentication ------------------------"
$connectionName = "AzureRunAsConnection"
try {
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
    "Logging in to Azure..."
    Connect-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    }
    else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
## End of authentication
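The "add a new Connection in account 2" step from the Run As reuse answer earlier on this page and the AzureServicePrincipal connection type discussed here are the same operation, so one added example serves both (this is not code from either answer). It creates, in a second Automation account, the two assets a runbook's Connect-AzureRmAccount depends on: the certificate and an AzureServicePrincipal connection whose four fields are copied from the first account's AzureRunAsConnection. The resource group and account names, the PFX path and the connection name "testconn" (taken from the earlier answer) are assumptions. One caveat before doing this at all: sharing a single service principal between two Automation accounts means a runbook compromise in either account yields the union of both accounts' permissions; a separate Run As identity per account, each with only the role assignments its runbooks need, is the least-privilege option.

```powershell
# Added example (not from the original answers): reuse account 1's Run As service principal in account 2.
# Assumed names: resource group, both automation account names, the PFX path; "testconn" comes from the answer above.
$rg            = "rg-automation"
$sourceAccount = "account1"
$targetAccount = "account2"
$pfxPath       = "C:\temp\account1-runas.pfx"   # PFX of the Run As service principal's certificate
$pfxPassword   = Read-Host -AsSecureString -Prompt "PFX password"

# 1. Read the field values of the existing Run As connection in account 1
$src    = Get-AzureRmAutomationConnection -ResourceGroupName $rg -AutomationAccountName $sourceAccount -Name "AzureRunAsConnection"
$fields = $src.FieldDefinitionValues   # ApplicationId, TenantId, CertificateThumbprint, SubscriptionId

# 2. The connection only stores a thumbprint. The runbook sandbox looks the certificate up among the
#    Certificate assets of the account it runs in, so the certificate has to be uploaded into account 2
#    as well; a connection alone produces "No certificate was found in the certificate store with thumbprint ...".
$cert = New-AzureRmAutomationCertificate -ResourceGroupName $rg -AutomationAccountName $targetAccount `
    -Name "AzureRunAsCertificate" -Path $pfxPath -Password $pfxPassword -Exportable:$false

# Fail closed if the uploaded certificate is not the one the connection references
if ($cert.Thumbprint -ne $fields["CertificateThumbprint"]) {
    throw "Uploaded certificate thumbprint $($cert.Thumbprint) does not match the connection's $($fields['CertificateThumbprint'])"
}

# 3. AzureServicePrincipal is the Resource Manager (Run As) connection type; its schema is exactly these four fields
New-AzureRmAutomationConnection -ResourceGroupName $rg -AutomationAccountName $targetAccount `
    -Name "testconn" -ConnectionTypeName "AzureServicePrincipal" -ConnectionFieldValues @{
        ApplicationId         = $fields["ApplicationId"]
        TenantId              = $fields["TenantId"]
        CertificateThumbprint = $fields["CertificateThumbprint"]
        SubscriptionId        = $fields["SubscriptionId"]
    }
```

The certificate is uploaded with -Exportable:$false so that a runbook in account 2 can authenticate with it but cannot export the private key out of the sandbox; keep the PFX file itself out of source control and delete it once the asset exists.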

Azure automation with cosmosDB

Trying to perform some updates to Cosmos DB with Azure Automation runbooks. I have made a Run As service principal account to authenticate with Azure.
Updating the modules used for Get-AzureRmResource appears to cause some issues where I can no longer retrieve the Cosmos DB object.
$Conn = Get-AutomationConnection -Name "AzureRunAsConnection"
Add-AzureRmAccount -ServicePrincipal -TenantId $Conn.TenantID `
    -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
# -ErrorAction SilentlyContinue hides a failed subscription switch; the later lookup then silently
# runs against whatever subscription the context defaulted to
Select-AzureRmSubscription -SubscriptionName "Visual Studio Enterprise" -ErrorAction SilentlyContinue
# resource and app variables ($applicationGroup, $cosmosDBName) declared here.
$cosmosDbResource = Get-AzureRmResource -ResourceType "Microsoft.DocumentDb/DatabaseAccounts" `
    -ResourceGroupName $applicationGroup -ApiVersion "2015-04-08" -Name $cosmosDBName
"Before CosmosDB Resource"
$cosmosDbResource | Format-Table
"Cosmos DB Properties"
$cosmosDbResource.Properties
This code works just fine on a plain deployment of Automation accounts with the module AzureRM.Resources at 1.0.3.
If I try to update AzureRM.Resources and its dependencies to 6.1.0 I can no longer retrieve my Cosmos DB instance.
I think there may be a conflict between the PowerShell modules after the update.
Depending on what you wish to update within Cosmos DB...
The official Cosmos DB PowerShell modules are pretty lacking at the moment; take a look at the community CosmosDB PowerShell module, it is far more feature-rich and easier to work with:
https://github.com/PlagueHO/CosmosDB
