In this blog, I will explain the concept behind the Azure Run As account. Azure Automation lets us automate tasks against Azure resources by means of runbooks. These tasks can be anything from starting a virtual machine to pre- or post-failover steps. In a runbook, every such task that you run against Azure resources using ARM or PowerShell cmdlets must authenticate to Azure through Azure Active Directory. For this purpose we have Run As accounts.
A Run As account is an "on behalf of" identity: it supplies the authentication mechanism and the access rights that runbooks use to reach Azure resources.
There are two types of Run As accounts:
1.) Azure Run As account:
This is used to manage access to Azure Resource Manager (ARM) resources.
2.) Azure Classic Run As account:
This is used to manage access to Azure classic resources based on the classic deployment model.
A Run As account is created as part of Automation account creation. We can either create it while creating the Automation account or choose to create it later. In the screen capture below I create the Azure Run As account while creating the Automation account.
What happens when a Run As account is created:
When we create an Automation account with a Run As account, a number of steps are executed in the background:
- An Azure Active Directory application with a self-signed certificate, and a service principal for that application, are created for this account. Check the AAD application name and the service principal Object ID in the screenshot below.
- By default the service principal is assigned the Contributor role in your current subscription.
- This role assignment can be changed to match what the runbooks actually need.
- An Automation certificate asset named "AzureRunAsCertificate" is created in the specified Automation account.
- This certificate asset holds the private key of the certificate that the AAD application uses.
- The certificate is valid for 1 year from the date of creation and must be renewed before it expires.
- An Automation connection asset named "AzureRunAsConnection" is created in the specified Automation account.
- This connection asset holds the application ID, certificate thumbprint, subscription ID and tenant ID.
- This connection is what runbooks use to authenticate when they access Azure resources.
How to use a Run As account in a runbook
This example runbook lists all ARM resources, using the Run As account to authenticate to Azure. As you can see in the first line of code, we store the name of AzureRunAsConnection in the variable $connectionName. Inside the try block we fetch the Azure Run As connection asset into the variable $servicePrincipalConnection using the Get-AutomationConnection cmdlet and $connectionName.
This connection asset is the Azure Run As connection stored in the Run As account, as we saw earlier. In the next line we log in to Azure using the properties of the service principal connection: tenant ID, application ID and certificate thumbprint.
After the connection is successfully established, we iterate over all resources in all resource groups using foreach loops.
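The runbook described above, written out as an added example (this is not the author's own runbook from the screenshot). It assumes the Automation account was created with a Run As account, so the "AzureRunAsConnection" and "AzureRunAsCertificate" assets exist, and that the Az.Accounts and Az.Resources modules are imported into the account; on the older AzureRM module the equivalent cmdlets are Add-AzureRmAccount, Get-AzureRmResourceGroup and Get-AzureRmResource. It also adds an expiry check on the Run As certificate, since the certificate is only valid for one year.

```powershell
# Assumption: "AzureRunAsConnection" and "AzureRunAsCertificate" were created with the Run As account
$connectionName  = "AzureRunAsConnection"
$certificateName = "AzureRunAsCertificate"

try {
    # The connection asset carries ApplicationId, TenantId, SubscriptionId and CertificateThumbprint
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    # Authenticate as the Run As service principal with the certificate; no secret is stored in the runbook
    Connect-AzAccount -ServicePrincipal `
        -TenantId              $servicePrincipalConnection.TenantId `
        -ApplicationId         $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint | Out-Null

    # Pin the context to the subscription recorded in the connection asset
    Set-AzContext -SubscriptionId $servicePrincipalConnection.SubscriptionId | Out-Null
}
catch {
    if (-not $servicePrincipalConnection) {
        throw "Connection '$connectionName' not found. Was a Run As account created for this Automation account?"
    }
    throw $_.Exception
}

# The Run As certificate is valid for one year; warn before it expires so runbooks do not start failing
$runAsCert = Get-AutomationCertificate -Name $certificateName
$daysLeft  = [int]($runAsCert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -le 30) {
    Write-Warning "Run As certificate '$certificateName' (thumbprint $($runAsCert.Thumbprint)) expires in $daysLeft day(s); renew it."
}

# Enumerate every ARM resource, grouped by resource group
foreach ($resourceGroup in Get-AzResourceGroup) {
    Write-Output "Resources in resource group $($resourceGroup.ResourceGroupName):"
    $resources = Get-AzResource -ResourceGroupName $resourceGroup.ResourceGroupName |
        Select-Object ResourceName, ResourceType
    foreach ($resource in $resources) {
        Write-Output "  $($resource.ResourceName) ($($resource.ResourceType))"
    }
}
```

Because the runbook runs under the role assigned to the Run As service principal, a read-only role such as Reader is enough for this listing task; Contributor is only needed when runbooks actually change resources.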