About Key Vault and Automation Accounts

Today's blog post comes from Fabian Gonzales, a CSS support engineer working in our new Costa Rica support center.

I was recently working with a customer who was configuring a PowerShell runbook for an Automation account. The purpose of the script was to encrypt virtual machine disks, using the Automation account to authenticate to Azure AD and then perform the encryption operation.

The connection looked similar to this (the screenshot of the runbook's connection code is not reproduced here):
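The following is an added example of such a runbook, not the customer's script or the screenshot from the post. It assumes the Az modules are imported into the Automation account (the post's era used the AzureRm equivalents, e.g. Add-AzureRmAccount and Set-AzureRmVMDiskEncryptionExtension), that the Run As account was created so that the 'AzureRunAsConnection' asset exists, and that resource group, VM and vault names are passed in as runbook parameters; none of the names are real values.

```powershell
# Added example, not the runbook from the post. Assumes the Az modules are
# available in the Automation account and that the Run As account exists.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $VMName,
    [Parameter(Mandatory = $true)] [string] $KeyVaultName
)

$ErrorActionPreference = 'Stop'
# Do not inherit a context saved on the sandbox; sign in explicitly below.
Disable-AzContextAutosave -Scope Process | Out-Null

# 1. Read the Run As connection asset. It carries the service principal's
#    ApplicationId, TenantId, SubscriptionId and the thumbprint of the
#    certificate the Automation account holds as that principal's credential.
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
if (-not $conn) {
    throw "Connection asset 'AzureRunAsConnection' not found. Was the Run As account created?"
}

# 2. Sign in as the service principal (certificate-based; no secret in the script).
#    From here on every call is made as that SP, not as the runbook's author,
#    which is why the author's own Key Vault policy does not help.
Connect-AzAccount -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
Set-AzContext -SubscriptionId $conn.SubscriptionId | Out-Null
"Running as $((Get-AzContext).Account.Id)"   # the SP's application ID

# 3. Resolve the vault that will receive the disk-encryption secrets and fail
#    early if it is not enabled for disk encryption.
$vault = Get-AzKeyVault -VaultName $KeyVaultName
if (-not $vault) {
    throw "Key Vault '$KeyVaultName' not found or not visible to the Run As SP."
}
if (-not $vault.EnabledForDiskEncryption) {
    throw "Key Vault '$KeyVaultName' is not enabled for disk encryption."
}

# 4. Enable Azure Disk Encryption on the VM. If the Run As SP has no access
#    policy on the vault, this is the step that comes back as 403 Forbidden.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -VolumeType 'All' -Force

# 5. Report the result so the job output shows what actually happened.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $ResourceGroupName -VMName $VMName
```

The line that prints the signed-in account is the quickest way to see which identity the job really runs as: it is the Run As service principal's application ID, and that is the identity that needs the Key Vault access policy.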

 

The customer was getting a 403 'Forbidden' status code when running the script. A 403 from Key Vault is almost always an access-policy problem, but the customer did not know which identity needed a policy; he had already added himself, and the runbook does not run as him.

I reproduced the customer's issue and found that when you create an Automation account and want it to have an identity (a service principal) in your Azure AD, you must select 'Yes' under 'Create Azure Run As account'.

Creating the Run As account generates a new service principal for the Automation account (and assigns it the Contributor role at subscription scope), which the runbook can use to authenticate to Azure AD. If you go to Azure Active Directory > App registrations > My apps you will see the service principal; its name has the format automationaccountname_<SP key>.

Then you just need to add that service principal to your Azure Key Vault access policies, and the runbook can use Key Vault for whatever purpose you have. In this case we added the SP to the access policies using the Key Management template, and the customer was then able to encrypt his virtual machines successfully with the script.

Note: this Run As account can be used for other purposes as well, and you can limit it by removing it from the subscription-level Contributor role and assigning a narrower role instead. For more information about Run As accounts, refer to https://docs.microsoft.com/en-us/azure/automation/manage-runas-account. Azure Automation Run As accounts have since been retired in favor of managed identities, but the lesson is the same: the Key Vault policy must be granted to the identity the runbook actually runs as.
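The operator-side fix from the post, written out as an added example (not the commands the author ran): locate the Run As service principal, grant it the Key Vault access policy, make sure the vault itself is enabled for disk encryption, and then replace the subscription-wide Contributor assignment with a role scoped to the VMs' resource group, as the note above suggests. It assumes the Az modules, a workstation session already signed in with rights to manage the vault's access policies and role assignments (Owner or User Access Administrator for the role changes), and placeholder names for the Automation account, vault and resource groups. The narrowed role ('Virtual Machine Contributor' on the VM resource group) is an assumption that suits the disk-encryption case; widen it if the cmdlet reports a missing action.

```powershell
# Added example, not from the post. Run from an operator session, not in the runbook.
# All names are placeholders.
$AutomationRG   = 'rg-automation'
$AutomationName = 'myAutomation'
$KeyVaultName   = 'kv-diskencryption'
$VmRG           = 'rg-vms'

# 1. Identify the Run As service principal. Its ApplicationId is stored in the
#    AzureRunAsConnection asset, so there is no need to guess the display name
#    ("<automationaccount>_<SP key>") in App registrations.
$conn  = Get-AzAutomationConnection -ResourceGroupName $AutomationRG `
             -AutomationAccountName $AutomationName -Name 'AzureRunAsConnection'
$appId = $conn.FieldDefinitionValues.ApplicationId
$sp    = Get-AzADServicePrincipal -ApplicationId $appId
"Run As SP: $($sp.DisplayName)  appId=$appId  objectId=$($sp.Id)"

# 2. Grant the SP a Key Vault access policy. This is the missing piece behind the 403.
#    The key permissions mirror the portal's Key Management template, plus
#    wrapKey/unwrapKey in case the VMs are encrypted with a key-encryption key;
#    secret permissions cover the disk-encryption secrets ADE stores (assumption).
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -ObjectId $sp.Id `
    -PermissionsToKeys get,list,create,update,import,delete,recover,backup,restore,wrapKey,unwrapKey `
    -PermissionsToSecrets get,list,set

# 3. The vault must also be enabled for disk encryption so that the Azure platform
#    can write the volume-encryption secrets into it.
Set-AzKeyVaultAccessPolicy -VaultName $KeyVaultName -EnabledForDiskEncryption

# 4. Least privilege: the Run As account was created as Contributor on the whole
#    subscription. Replace that with a role scoped to the resource group holding the VMs.
$subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"
Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subScope |
    Where-Object { $_.RoleDefinitionName -eq 'Contributor' -and $_.Scope -eq $subScope } |
    ForEach-Object {
        Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope $subScope
    }
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Virtual Machine Contributor' `
    -ResourceGroupName $VmRG

# 5. Verify what the SP can now do: one scoped role, and a vault policy for its object ID.
Get-AzRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope
(Get-AzKeyVault -VaultName $KeyVaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets
```

Step 1 is the check to run first whenever a runbook gets a 403 from Key Vault: the connection asset tells you exactly which application ID the job signs in with, and step 5 then confirms that this object ID, not the author's, is the one listed in the vault's access policies.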

Thank you Fabian!

I hope this helps you out when using the Azure Key Vault!  Please follow us on Twitter and tweet about it!
@WinDevMatt @AzIdentity
