Using Different Credentials in Runbooks Running on Same Set of Runbook Workers

Question

Hi We're setting-up an Automation Account environment that would be doing multiple (separate) tasks using different runbooks. For example:

1. Create an AD DS (on-prem) account - uses a domain account.
2. Query a SQL Server via a custom Stored Procedure - uses a domain account (different from the previous one). I understand that we can use the "Credentials" asset in Automation Account to securely store these credentials and retrieve them using the PowerShell cmdlet as described here--> https://learn.microsoft.com/en-us/azure/automation/automation-hrw-run-runbooks?tabs=win-extn-hrw%2CLin-extn-hrw%2Csa-mi#use-runbook-authentication-to-local-resources However, when we create Hybrid Runbook Worker Group, it asks us to select the credentials that will be used by hybrid jobs (runbooks) to execute under:

I'm unsure, how the two configurations work (where you're retrieving the credentials within the code inside the Automation Runbook using the Get-AutomationPSCredential cmdlet) and the Hybrid Worker Credentials that we choose at the Worker Group level. What are our options if the Hybrid Runbook Worker Group restricts using only one credential across all the runbooks within it - do we need multiple Runbook Worker Groups (and separate Worker nodes reporting to each) in that case (this will be a huge IT infrastructure to maintain if we're working with many on-premises systems)? Any pointers will be greatly appreciated. Thanks Taranjeet Singh

Answer 1

@Taranjeet Malik , Thank you for your question. The following information should help clarify the usage scenarios of "Hybrid Worker Credential" and "Get-AutomationPSCredential"

1. By Default, Hybrid jobs run under the context of System Account. When you select the option as you have in the screenshot of question, the runbook script is run under the account that you select. It is similar to using "Shift+Right Click" for launching any application in Windows, through which you can launch an application with a different user account than through the user account used to log-in:
   In this scenario, if you are not using any cmdlet with "credential" parameter, the account selected is used for authentication.
2. When you use Get-AutomationPSCredential to get credential stored as Automation Asset, you get this credential in a variable. It will not change the context of the script itself. This credential can be used with cmdlets which supports supplying such parameter so that that particular cmdlet uses the credential retrieved using Get-AutomationPSCredential cmdlet, and other part of script still uses the default account or the hybrid worker account. For example, consider a hypothetical script as below:

#<Some other lines in script>

$Cred = Get-AutomationPSCredential -Name "MyCredential" $Computer = Get-AutomationVariable -Name #---------Line 1

"ComputerName" Restart-Computer -ComputerName $Computer -Credential $Cred #---------------Line 2

#<other part of script>

In this sample, if you have selected a Hybrid runbook worker account, everything would use that account as context. But the cmdlet in #line2 uses the credential stored as Automation credential which is being passed using the -credential parameter.

Thus, you do not need multiple hybrid worker group, if you want to use credential as shown the hypothetical script above.

Hope this helps.

If the answer did not help, please add more context/follow-up question for it, and we will help you out. Else, if the answer helped, please click Accept answer so that it can help others in the community looking for help on similar topics.