Certificate assets in Azure Automation
Certificates can be stored securely in Azure Automation so that runbooks or DSC configurations can access them using the Get-AzureRmAutomationCertificate activity for Azure Resource Manager resources. This allows you to create runbooks and DSC configurations that use certificates for authentication or add them to Azure or third-party resources.
Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each automation account. This key is itself encrypted by a master certificate and stored in Azure Automation. Before a secure asset is stored, the account key is decrypted using the master certificate and then used to encrypt the asset.
Windows PowerShell Cmdlets
The cmdlets in the following table are used to create and manage automation certificate assets with Windows PowerShell. They ship as part of the Azure PowerShell module, which is available for use in Automation runbooks and DSC configurations.

| Cmdlet | Description |
| --- | --- |
| Get-AzureRmAutomationCertificate | Retrieves information about a certificate to use in a runbook or DSC configuration. The certificate itself can only be retrieved with the Get-AutomationCertificate activity. |
| New-AzureRmAutomationCertificate | Creates a new certificate in Azure Automation. |
| Remove-AzureRmAutomationCertificate | Removes a certificate from Azure Automation. |
| Set-AzureRmAutomationCertificate | Sets the properties of an existing certificate, including uploading the certificate file and setting the password for a .pfx. |
| Add-AzureCertificate | Uploads a service certificate for the specified cloud service. |
The function in the following table is used to access certificates in a Python 2 runbook.

| Function | Description |
| --- | --- |
| automationassets.get_automation_certificate | Retrieves information about a certificate asset. |

You must import the automationassets module at the beginning of your Python runbook in order to access the asset functions.
Creating a new certificate
When you create a new certificate, you upload a .cer or .pfx file to Azure Automation. If you mark the certificate as exportable, it can be transferred out of the Azure Automation certificate store. If it is not exportable, it can only be used for signing within the runbook or DSC configuration.
To create a new certificate with the Azure portal
- From your Automation account, click the Assets tile to open the Assets blade.
- Click the Certificates tile to open the Certificates blade.
- Click Add a certificate at the top of the blade.
- Type a name for the certificate in the Name box.
- Click Select a file under Upload a certificate file to browse for a .cer or .pfx file. If you select a .pfx file, specify a password and whether it should be allowed to be exported.
- Click Create to save the new certificate asset.
To create a new certificate with Windows PowerShell
The following example demonstrates how to create a new Automation certificate and mark it exportable. This imports an existing .pfx file.
```powershell
# Name of the new certificate asset and the local .pfx file to upload
$certName = 'MyCertificate'
$certPath = '.\MyCert.pfx'

# Password protecting the .pfx, supplied as a SecureString
$certPwd = ConvertTo-SecureString -String 'P@$$w0rd' -AsPlainText -Force
$ResourceGroup = "ResourceGroup01"

# Create the certificate asset and mark it exportable
New-AzureRmAutomationCertificate -AutomationAccountName "MyAutomationAccount" -Name $certName -Path $certPath -Password $certPwd -Exportable -ResourceGroupName $ResourceGroup
```
Using a certificate
You must use the Get-AutomationCertificate activity to use a certificate. You cannot use the Get-AzureRmAutomationCertificate cmdlet for this purpose, because it returns information about the certificate asset but not the certificate itself.
Textual runbook sample
The following sample code shows how to add a certificate to a cloud service in a runbook. In this sample, the password is retrieved from an encrypted automation variable.
```powershell
$serviceName = 'MyCloudService'

# Get-AutomationCertificate returns the certificate itself, not just asset metadata
$cert = Get-AutomationCertificate -Name 'MyCertificate'

# The .pfx password is kept in an encrypted automation variable
$certPwd = Get-AzureRmAutomationVariable -ResourceGroupName "ResourceGroup01" `
    -AutomationAccountName "MyAutomationAccount" -Name 'MyCertPassword'

# Deploy the certificate to the cloud service
Add-AzureCertificate -ServiceName $serviceName -CertToDeploy $cert
```
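As an added example that is not part of the original article, the following runbook snippet retrieves a certificate asset with Get-AutomationCertificate, checks that it is within its validity period and carries a private key before using it, and then signs a payload with that key and verifies the signature, which is what a non-exportable certificate can still be used for inside the runbook. The asset name 'MyCertificate' and the signed payload are assumptions; the snippet targets Windows PowerShell 5.1 with .NET 4.6 or later, as used by Automation runbooks.

```powershell
# Asset name is an assumption; Get-AutomationCertificate returns an X509Certificate2 object
$cert = Get-AutomationCertificate -Name 'MyCertificate'
if ($null -eq $cert) { throw "Certificate asset 'MyCertificate' was not found." }

# Validate before use so an expired certificate or a .cer without a private key
# fails the runbook early instead of producing a confusing error later
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw ("Certificate {0} is outside its validity period ({1:u} to {2:u})." -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter)
}
if (-not $cert.HasPrivateKey) {
    throw ("Certificate {0} has no private key; upload a .pfx to sign with it." -f $cert.Thumbprint)
}

# Log only the thumbprint and subject, never the certificate bytes or the .pfx password
Write-Output ("Using certificate {0} ({1}), expires {2:u}" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter)

# Sign a constructed sample payload with the private key. This also works for
# non-exportable certificates, because the key is used inside the sandbox, not exported
$payload = [System.Text.Encoding]::UTF8.GetBytes('runbook message to sign')
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Certificate does not carry an RSA private key." }
$hashAlg = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$signature = $rsa.SignData($payload, $hashAlg, $padding)

# Verify with the public key only, as a relying party would
$rsaPub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$valid = $rsaPub.VerifyData($payload, $signature, $hashAlg, $padding)
Write-Output ("Signature length: {0} bytes, verifies: {1}" -f $signature.Length, $valid)
```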
Graphical runbook sample
You add a Get-AutomationCertificate activity to a graphical runbook by right-clicking the certificate in the Library pane of the graphical editor and selecting Add to canvas.
The following image shows an example of using a certificate in a graphical runbook. This is the same example shown above for adding a certificate to a cloud service from a textual runbook.
The following sample shows how to access certificates in Python 2 runbooks.

```python
# The automationassets module must be imported before any asset function is called
import automationassets

# get a reference to the Azure Automation certificate
cert = automationassets.get_automation_certificate("AzureRunAsCertificate")

# returns the binary cert content
print cert
```
- To learn more about working with links to control the logical flow of activities your runbook is designed to perform, see Links in graphical authoring.