The Azure Automation authentication via System Assigned Managed Identity is now in public preview!
This means that you can authenticate from an Azure Automation account to a supported Azure service, without the use of a Run as Account.
Benefits include:
- Automatic credential management
- No more expiration of your Run as Account
- Simplified authentication
- Credentials are not available to you directly
I will show you an example of how this could be used for an Azure Storage Account and an Azure Key Vault.
You will need:
- An Azure Account
- An active Azure Subscription
- An Automation account
- A supported resource for testing access (Storage Account and Key Vault for the test runbook)
Enable Managed Identity
First navigate to your Automation Account. The System Managed Identity is easily enabled from here.
Then enable the System Managed Identity (user assigned not supported at the moment).
Grant resource permissions to identity
Navigate to your Azure resource, and grant the new identity the permission needed. In this case I will grant “Storage Account Contributor” on the example storage account to permit writing of data. I will also grant access on a key vault.
Search for the Automation Account name, and it will be shown in your add role assignment wizard. In this case my old Run as Account is also shown below.
Choose your automation account identity, and click save.
Key Vault Access Policy:
The Automation Account Identity should now have access to both storage account and key vault.
Access resources
This example runbook will now quickly set blob content in a storage account and a retrieve a key vault secret. Mind you, this is just a simple script with no exception handling. All with the Automation Account System Assigned Managed Identity!
The actual Azure login is now very easy:
Connect-AzAccount -Identity
In summary
Authenticating to supported Azure resources from an Automation Account is now extremely easy. This is also more secure, and with less administrative overhead, than managing your own service principals. Please be advised that this feature is still in preview, so don’t go and enable this all over critical production environments.
Don’t hesitate to add a comment if I have gotten anything wrong, or if you have suggestions for improvement!