Certificate assets in Azure Automation
Certificates can be stored securely in Azure Automation so they can be accessed by runbooks or DSC configurations using the Get-AzureRmAutomationCertificate activity for Azure Resource Manager resources. This capability allows you to create runbooks and DSC configurations that use certificates for authentication, or that add them to Azure or third-party resources.
Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each automation account. This key is stored in Key Vault. Before storing a secure asset, the key is loaded from Key Vault and then used to encrypt the asset.
AzureRM PowerShell cmdlets
For AzureRM, the cmdlets in the following table are used to create and manage automation certificate assets with Windows PowerShell. They ship as part of the AzureRM.Automation module, which is available for use in Automation runbooks and DSC configurations.
| Cmdlet | Description |
| --- | --- |
| Get-AzureRmAutomationCertificate | Retrieves information about a certificate to use in a runbook or DSC configuration. You can only retrieve the certificate itself with the Get-AutomationCertificate activity. |
| New-AzureRmAutomationCertificate | Creates a new certificate in Azure Automation. |
| Remove-AzureRmAutomationCertificate | Removes a certificate from Azure Automation. |
| Set-AzureRmAutomationCertificate | Sets the properties for an existing certificate, including uploading the certificate file and setting the password for a .pfx. |
| Add-AzureCertificate | Uploads a service certificate for the specified cloud service. |
The activities in the following table are used to access certificates in runbooks and DSC configurations.

| Activity | Description |
| --- | --- |
| Get-AutomationCertificate | Gets a certificate to use in a runbook or DSC configuration. Returns a System.Security.Cryptography.X509Certificates.X509Certificate2 object. |
You should avoid using variables in the -Name parameter of Get-AutomationCertificate in a runbook or DSC configuration, as it complicates discovering dependencies between runbooks or DSC configurations and Automation variables at design time.
The function in the following table is used to access certificates in a Python 2 runbook.

| Function | Description |
| --- | --- |
| automationassets.get_automation_certificate | Retrieves information about a certificate asset. |
You must import the automationassets module at the beginning of your Python runbook in order to access the asset functions.
Creating a new certificate
When you create a new certificate, you upload a .cer or .pfx file to Azure Automation. If you mark the certificate as exportable, then you can transfer it out of the Azure Automation certificate store. If it is not exportable, then it can only be used for signing within the runbook or DSC configuration. Azure Automation requires the certificate to have the provider: Microsoft Enhanced RSA and AES Cryptographic Provider.
To create a new certificate with the Azure portal
- From your Automation account, click the Assets tile to open the Assets blade.
- Click the Certificates tile to open the Certificates blade.
- Click Add a certificate at the top of the blade.
- Type a name for the certificate in the Name box.
- To browse for a .cer or .pfx file, click Select a file under Upload a certificate file. If you select a .pfx file, specify a password and whether it is allowed to be exported.
- Click Create to save the new certificate asset.
To create a new certificate with Windows PowerShell
The following example demonstrates how to create a new Automation certificate and mark it exportable. This imports an existing .pfx file.
```powershell
$certName = 'MyCertificate'
$certPath = '.\MyCert.pfx'
$certPwd = ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force
$ResourceGroup = "ResourceGroup01"
New-AzureRmAutomationCertificate -AutomationAccountName "MyAutomationAccount" -Name $certName -Path $certPath -Password $certPwd -Exportable -ResourceGroupName $ResourceGroup
```
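The upload above succeeds or fails only at the service side, and a .pfx that is missing its private key, was generated with a different CSP, or is about to expire is easier to catch locally first. The following is an added example (not code from the Azure documentation) that inspects the .pfx for the requirements stated above (private key present, the Microsoft Enhanced RSA and AES Cryptographic Provider, a reasonable remaining lifetime) before calling New-AzureRmAutomationCertificate. The helper name Test-PfxForAutomation, the file path, the account and resource group names are assumptions for illustration.

```powershell
# Added example: pre-upload checks for a .pfx destined for an Automation certificate asset.
# Test-PfxForAutomation is a hypothetical helper name; paths and account names are placeholders.
function Test-PfxForAutomation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # Load the file in memory only. 'Exportable' lets us inspect the private key's provider.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $Path, $Password, 'Exportable'

    $problems = @()

    if (-not $cert.HasPrivateKey) {
        $problems += 'The .pfx does not contain a private key.'
    }

    # Azure Automation requires the Microsoft Enhanced RSA and AES Cryptographic Provider.
    # Keys held by a CSP surface as RSACryptoServiceProvider with CspKeyContainerInfo;
    # CNG keys do not, so they are reported as unsupported here.
    $required = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
    $provider = $null
    if ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
    }
    if ($provider -ne $required) {
        $problems += "Key provider is '$provider'; expected '$required'."
    }

    # 30 days is an assumed renewal margin, not an Azure requirement.
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate expires on $($cert.NotAfter); renew before uploading."
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Provider   = $provider
        Problems   = $problems
    }
}

$certPath = '.\MyCert.pfx'
$certPwd  = Read-Host -Prompt 'PFX password' -AsSecureString
$check    = Test-PfxForAutomation -Path $certPath -Password $certPwd

if ($check.Problems.Count -gt 0) {
    $check.Problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate file failed pre-upload checks.'
}

# Upload only after the checks pass. -Exportable is deliberately omitted: a
# non-exportable asset can still sign inside runbooks but cannot be pulled
# out of the Automation certificate store.
New-AzureRmAutomationCertificate -ResourceGroupName 'ResourceGroup01' `
    -AutomationAccountName 'MyAutomationAccount' -Name 'MyCertificate' `
    -Path $certPath -Password $certPwd
Write-Output "Uploaded certificate with thumbprint $($check.Thumbprint)"
```

The password is read interactively rather than embedded as a literal, so it does not end up in command history or a script in source control; the thumbprint printed at the end is worth recording so runbooks can pin it.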
Using a certificate
To use a certificate, use the Get-AutomationCertificate activity. You cannot use the Get-AzureRmAutomationCertificate cmdlet since it returns information about the certificate asset but not the certificate itself.
Textual runbook sample
The following sample code shows how to add a certificate to a cloud service in a runbook. In this sample, the password is retrieved from an encrypted automation variable.
```powershell
$serviceName = 'MyCloudService'
$cert = Get-AutomationCertificate -Name 'MyCertificate'
$certPwd = Get-AzureRmAutomationVariable -ResourceGroupName "ResourceGroup01" `
    -AutomationAccountName "MyAutomationAccount" -Name 'MyCertPassword'
Add-AzureCertificate -ServiceName $serviceName -CertToDeploy $cert
```
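The sample above trusts whatever object Get-AutomationCertificate returns. The following is an added example (not code from the Azure documentation) of a textual runbook that validates the X509Certificate2 object first, pinning its thumbprint to a value held in an Automation variable and checking the validity window and private-key presence, and then uses the key in place to sign a payload and verify the signature with the public key, which is the kind of use a non-exportable asset still permits. The asset name 'MyCertificate', the variable name 'MyCertExpectedThumbprint' and the payload text are assumptions.

```powershell
# Added example: validate the certificate asset, then sign and verify in place.
# 'MyCertificate', 'MyCertExpectedThumbprint' and the payload are placeholders.
$cert = Get-AutomationCertificate -Name 'MyCertificate'

# Pin the thumbprint to an Automation variable so a replaced asset is caught
# at run time instead of being used silently.
$expectedThumbprint = Get-AutomationVariable -Name 'MyCertExpectedThumbprint'
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Certificate thumbprint $($cert.Thumbprint) does not match the pinned value."
}
if (-not $cert.HasPrivateKey) {
    throw 'Certificate asset has no private key; upload a .pfx rather than a .cer.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid at $now (valid $($cert.NotBefore) to $($cert.NotAfter))."
}

# Sign with RSA, SHA-256 and PKCS#1 v1.5 padding. The private key is used
# where it lives, so this works for a non-exportable asset as well.
$payload   = [System.Text.Encoding]::UTF8.GetBytes('deployment-manifest-v1')
$rsaPriv   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$hashName  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding   = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signature = $rsaPriv.SignData($payload, $hashName, $padding)

# Verify with the public key only, as a consumer without the private key would.
$rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$valid  = $rsaPub.VerifyData($payload, $signature, $hashName, $padding)
if (-not $valid) { throw 'Signature verification failed.' }

Write-Output ("Signed {0} bytes with {1}; signature (base64): {2}" -f `
    $payload.Length, $cert.Thumbprint, [Convert]::ToBase64String($signature))
```

Keeping the expected thumbprint in a separate variable asset means rotating the certificate is a two-step change (upload the new .pfx, then update the variable), and a runbook that runs between the two steps fails closed rather than signing with an unexpected key.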
Graphical runbook sample
You add a Get-AutomationCertificate to a graphical runbook by right-clicking on the certificate in the Library pane of the graphical editor and selecting Add to canvas.
The following image shows an example of using a certificate in a graphical runbook. This is the same as the preceding example for adding a certificate to a cloud service from a textual runbook.
The following sample shows how to access certificates in Python2 runbooks.
```python
import automationassets

# get a reference to the Azure Automation certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")

# returns the binary cert content
print(cert)
```
- To learn more about working with links to control the logical flow of activities your runbook is designed to perform, see Links in graphical authoring.