Run runbooks on a Hybrid Runbook Worker
Runbooks that run on a Hybrid Runbook Worker typically manage resources on the local computer or against resources in the local environment where the worker is deployed. Runbooks in Azure Automation typically manage resources in the Azure cloud. Even though they are used differently, runbooks that run in Azure Automation and runbooks that run on a Hybrid Runbook Worker are identical in structure.
When you author a runbook to run on a Hybrid Runbook Worker, you should edit and test the runbook on the machine that hosts the worker. The host machine has all the PowerShell modules and network access required to manage the local resources. Once you test the runbook on the Hybrid Runbook Worker machine, you can then upload it to the Azure Automation environment, where it can be run on the worker.
Plan runbook job behavior
Azure Automation handles jobs on Hybrid Runbook Workers differently from jobs run in Azure sandboxes. If you have a long-running runbook, make sure that it's resilient to possible restart. For details of the job behavior, see Hybrid Runbook Worker jobs.
Jobs for Hybrid Runbook Workers run under the local System account on Windows, or the nxautomation account on Linux. For Linux, verify the nxautomation account has access to the location where the runbook modules are stored. When you use the Install-Module cmdlet, be sure to specify AllUsers for the
Scope parameter to ensure that the nxautomation account has access. For more information on PowerShell on Linux, see Known Issues for PowerShell on Non-Windows Platforms.
Configure runbook permissions
Define permissions for your runbook to run on the Hybrid Runbook Worker in the following ways:
- Have the runbook provide its own authentication to local resources.
- Configure authentication using managed identities for Azure resources.
- Specify a Run As account to provide a user context for all runbooks.
Use runbook authentication to local resources
If preparing a runbook that provides its own authentication to resources, use credential and certificate assets in your runbook. There are several cmdlets that allow you to specify credentials so that the runbook can authenticate to different resources. The following example shows a portion of a runbook that restarts a computer. It retrieves credentials from a credential asset and the name of the computer from a variable asset and then uses these values with the
$Cred = Get-AutomationPSCredential -Name "MyCredential" $Computer = Get-AutomationVariable -Name "ComputerName" Restart-Computer -ComputerName $Computer -Credential $Cred
You can also use an InlineScript activity.
InlineScript allows you to run blocks of code on another computer with credentials.
Use runbook authentication with managed identities
Hybrid Runbook Workers on Azure virtual machines can use managed identities to authenticate to Azure resources. Using managed identities for Azure resources instead of Run As accounts provides benefits because you don't need to:
- Export the Run As certificate and then import it into the Hybrid Runbook Worker.
- Renew the certificate used by the Run As account.
- Handle the Run As connection object in your runbook code.
Follow the next steps to use a managed identity for Azure resources on a Hybrid Runbook Worker:
Create an Azure VM.
Configure managed identities for Azure resources on the VM. See Configure managed identities for Azure resources on a VM using the Azure portal.
Give the VM access to a resource group in Resource Manager. Refer to Use a Windows VM system-assigned managed identity to access Resource Manager.
Update the runbook to use the Connect-AzAccount cmdlet with the
Identityparameter to authenticate to Azure resources. This configuration reduces the need to use a Run As account and perform the associated account management.
# Connect to Azure using the managed identities for Azure resources identity configured on the Azure VM that is hosting the hybrid runbook worker Connect-AzAccount -Identity # Get all VM names from the subscription Get-AzVM | Select Name
Connect-AzAccount -Identityworks for a Hybrid Runbook Worker using a system-assigned identity and a single user-assigned identity. If you use multiple user-assigned identities on the Hybrid Runbook Worker, your runbook must specify the
Connect-AzAccountto select a specific user-assigned identity.
Use runbook authentication with Run As account
Instead of having your runbook provide its own authentication to local resources, you can specify a Run As account for a Hybrid Runbook Worker group. To specify a Run As account, you must define a credential asset that has access to local resources. These resources include certificate stores and all runbooks run under these credentials on a Hybrid Runbook Worker in the group.
The user name for the credential must be in one of the following formats:
- username (for accounts local to the on-premises computer)
Use the following procedure to specify a Run As account for a Hybrid Runbook Worker group:
- Create a credential asset with access to local resources.
- Open the Automation account in the Azure portal.
- Select Hybrid Worker Groups, and then select the specific group.
- Select All settings, followed by Hybrid worker group settings.
- Change the value of Run As from Default to Custom.
- Select the credential and click Save.
Install Run As account certificate
As part of your automated build process for deploying resources in Azure, you might require access to on-premises systems to support a task or set of steps in your deployment sequence. To provide authentication against Azure using the Run As account, you must install the Run As account certificate.
The following PowerShell runbook, called Export-RunAsCertificateToHybridWorker, exports the Run As certificate from your Azure Automation account. The runbook downloads and imports the certificate into the local machine certificate store on a Hybrid Runbook Worker that is connected to the same account. Once it completes that step, the runbook verifies that the worker can successfully authenticate to Azure using the Run As account.
This PowerShell runbook is not designed or intended to be run outside of your Automation account as a script on the target machine.
<#PSScriptInfo .VERSION 1.0 .GUID 3a796b9a-623d-499d-86c8-c249f10a6986 .AUTHOR Azure Automation Team .COMPANYNAME Microsoft .COPYRIGHT .TAGS Azure Automation .LICENSEURI .PROJECTURI .ICONURI .EXTERNALMODULEDEPENDENCIES .REQUIREDSCRIPTS .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES #> <# .SYNOPSIS Exports the Run As certificate from an Azure Automation account to a hybrid worker in that account. .DESCRIPTION This runbook exports the Run As certificate from an Azure Automation account to a hybrid worker in that account. Run this runbook on the hybrid worker where you want the certificate installed. This allows the use of the AzureRunAsConnection to authenticate to Azure and manage Azure resources from runbooks running on the hybrid worker. .EXAMPLE .\Export-RunAsCertificateToHybridWorker .NOTES LASTEDIT: 2016.10.13 #> # Generate the password used for this certificate Add-Type -AssemblyName System.Web -ErrorAction SilentlyContinue | Out-Null $Password = [System.Web.Security.Membership]::GeneratePassword(25, 10) # Stop on errors $ErrorActionPreference = 'stop' # Get the management certificate that will be used to make calls into Azure Service Management resources $RunAsCert = Get-AutomationCertificate -Name "AzureRunAsCertificate" # location to store temporary certificate in the Automation service host $CertPath = Join-Path $env:temp "AzureRunAsCertificate.pfx" # Save the certificate $Cert = $RunAsCert.Export("pfx",$Password) Set-Content -Value $Cert -Path $CertPath -Force -Encoding Byte | Write-Verbose Write-Output ("Importing certificate into $env:computername local machine root store from " + $CertPath) $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force Import-PfxCertificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\My -Password $SecurePassword -Exportable | Write-Verbose # Test to see if authentication to Azure Resource Manager is working $RunAsConnection = Get-AutomationConnection -Name "AzureRunAsConnection" Connect-AzAccount ` -ServicePrincipal ` -Tenant $RunAsConnection.TenantId ` -ApplicationId $RunAsConnection.ApplicationId ` -CertificateThumbprint $RunAsConnection.CertificateThumbprint | Write-Verbose Set-AzContext -Subscription $RunAsConnection.SubscriptionID | Write-Verbose # List automation accounts to confirm that Azure Resource Manager calls are working Get-AzAutomationAccount | Select-Object AutomationAccountName
For PowerShell runbooks,
Add-AzureRMAccount are aliases for
Connect-AzAccount. When searching your library items, if you do not see
Connect-AzAccount, you can use
Add-AzAccount, or you can update your modules in your Automation account.
To finish preparing the Run As account:
- Save the Export-RunAsCertificateToHybridWorker runbook to your computer with a .ps1 extension.
- Import it into your Automation account.
- Edit the runbook, changing the value of the
Passwordvariable to your own password.
- Publish the runbook.
- Run the runbook, targeting the Hybrid Runbook Worker group that runs and authenticates runbooks using the Run As account.
- Examine the job stream to see that it reports the attempt to import the certificate into the local machine store, followed by multiple lines. This behavior depends on how many Automation accounts you define in your subscription and the degree of success of the authentication.
Work with signed runbooks on a Windows Hybrid Runbook Worker
You can configure a Windows Hybrid Runbook Worker to run only signed runbooks.
Once you've configured a Hybrid Runbook Worker to run only signed runbooks, unsigned runbooks fail to execute on the worker.
Create signing certificate
The following example creates a self-signed certificate that can be used for signing runbooks. This code creates the certificate and exports it so that the Hybrid Runbook Worker can import it later. The thumbprint is also returned for later use in referencing the certificate.
# Create a self-signed certificate that can be used for code signing $SigningCert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\my ` -Subject "CN=contoso.com" ` -KeyAlgorithm RSA ` -KeyLength 2048 ` -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" ` -KeyExportPolicy Exportable ` -KeyUsage DigitalSignature ` -Type CodeSigningCert # Export the certificate so that it can be imported to the hybrid workers Export-Certificate -Cert $SigningCert -FilePath .\hybridworkersigningcertificate.cer # Import the certificate into the trusted root store so the certificate chain can be validated Import-Certificate -FilePath .\hybridworkersigningcertificate.cer -CertStoreLocation Cert:\LocalMachine\Root # Retrieve the thumbprint for later use $SigningCert.Thumbprint
Import certificate and configure workers for signature validation
Copy the certificate that you've created to each Hybrid Runbook Worker in a group. Run the following script to import the certificate and configure the workers to use signature validation on runbooks.
# Install the certificate into a location that will be used for validation. New-Item -Path Cert:\LocalMachine\AutomationHybridStore Import-Certificate -FilePath .\hybridworkersigningcertificate.cer -CertStoreLocation Cert:\LocalMachine\AutomationHybridStore # Import the certificate into the trusted root store so the certificate chain can be validated Import-Certificate -FilePath .\hybridworkersigningcertificate.cer -CertStoreLocation Cert:\LocalMachine\Root # Configure the hybrid worker to use signature validation on runbooks. Set-HybridRunbookWorkerSignatureValidation -Enable $true -TrustedCertStoreLocation "Cert:\LocalMachine\AutomationHybridStore"
Sign your runbooks using the certificate
With the Hybrid Runbook Workers configured to use only signed runbooks, you must sign runbooks that are to be used on the Hybrid Runbook Worker. Use the following sample PowerShell code to sign these runbooks.
$SigningCert = ( Get-ChildItem -Path cert:\LocalMachine\My\<CertificateThumbprint>) Set-AuthenticodeSignature .\TestRunbook.ps1 -Certificate $SigningCert
When a runbook has been signed, you must import it into your Automation account and publish it with the signature block. To learn how to import runbooks, see Import a runbook.
Work with signed runbooks on a Linux Hybrid Runbook Worker
To be able to work with signed runbooks, a Linux Hybrid Runbook Worker must have the GPG executable on the local machine.
Once you've configured a Hybrid Runbook Worker to run only signed runbooks, unsigned runbooks fail to execute on the worker.
You will perform the following steps to complete this configuration:
- Create a GPG keyring and keypair
- Make the keyring available to the Hybrid Runbook Worker
- Verify that signature validation is on
- Sign a runbook
Create a GPG keyring and keypair
To create the GPG keyring and keypair, use the Hybrid Runbook Worker nxautomation account.
Use the sudo application to sign in as the nxautomation account.
sudo su – nxautomation
Once you are using nxautomation, generate the GPG keypair. GPG guides you through the steps. You must provide name, email address, expiration time, and passphrase. Then you wait until there is enough entropy on the machine for the key to be generated.
sudo gpg --generate-key
Because the GPG directory was generated with sudo, you must change its owner to nxautomation using the following command.
sudo chown -R nxautomation ~/.gnupg
Make the keyring available to the Hybrid Runbook Worker
Once the keyring has been created, make it available to the Hybrid Runbook Worker. Modify the settings file home/nxautomation/state/worker.conf to include the following example code under the file section
gpg_public_keyring_path = /home/nxautomation/run/.gnupg/pubring.kbx
Verify that signature validation is on
If signature validation has been disabled on the machine, you must turn it on by running the following sudo command. Replace
<LogAnalyticsworkspaceId> with your workspace ID.
sudo python /opt/microsoft/omsconfig/modules/nxOMSAutomationWorker/DSCResources/MSFT_nxOMSAutomationWorkerResource/automationworker/scripts/require_runbook_signature.py --true <LogAnalyticsworkspaceId>
Sign a runbook
Once you have configured signature validation, use the following GPG command to sign the runbook.
gpg –-clear-sign <runbook name>
The signed runbook is called
You can now upload the signed runbook to Azure Automation and execute it like a regular runbook.
Start a runbook on a Hybrid Runbook Worker
Start a runbook in Azure Automation describes different methods for starting a runbook. Starting a runbook on a Hybrid Runbook Worker uses a Run on option that allows you to specify the name of a Hybrid Runbook Worker group. When a group is specified, one of the workers in that group retrieves and runs the runbook. If your runbook does not specify this option, Azure Automation runs the runbook as usual.
When you start a runbook in the Azure portal, you're presented with the Run on option for which you can select Azure or Hybrid Worker. If you select Hybrid Worker, you can choose the Hybrid Runbook Worker group from a dropdown.
When starting a runbook using PowerShell, use the
RunOn parameter with the Start-AzAutomationRunbook cmdlet. The following example uses Windows PowerShell to start a runbook named Test-Runbook on a Hybrid Runbook Worker group named MyHybridGroup.
Start-AzAutomationRunbook –AutomationAccountName "MyAutomationAccount" –Name "Test-Runbook" -RunOn "MyHybridGroup"
To help troubleshoot issues with your runbooks running on a hybrid runbook worker, logs are stored locally in the following location:
On Windows at
C:\ProgramData\Microsoft\System Center\Orchestrator\<version>\SMA\Sandboxesfor detailed job runtime process logging. High-level runbook job status events are written to the Application and Services Logs\Microsoft-Automation\Operations event log.
On Linux, the user hybrid worker logs can be found at
/home/nxautomation/run/worker.log, and system runbook worker logs can be found at