Manage credentials in Azure Automation
An Automation credential asset holds an object that contains security credentials, such as a user name and a password. Runbooks and DSC configurations use cmdlets that accept a PSCredential object for authentication. Alternatively, they can extract the user name and password of the PSCredential object to provide to some application or service requiring authentication.
Secure assets in Azure Automation include credentials, certificates, connections, and encrypted variables. These assets are encrypted and stored in Azure Automation using a unique key that is generated for each Automation account. Azure Automation stores the key in the system-managed Key Vault. Before storing a secure asset, Automation loads the key from Key Vault and then uses it to encrypt the asset.
For information about viewing or deleting personal data, see Azure Data Subject Requests for the GDPR. For more information about GDPR, see the GDPR section of the Microsoft Trust Center and the GDPR section of the Service Trust portal.
PowerShell cmdlets used to access credentials
The cmdlets in the following table create and manage Automation credentials with PowerShell. They ship as part of the Az modules.
| Cmdlet | Description |
|---|---|
| Get-AzAutomationCredential | Retrieves a CredentialInfo object containing metadata about the credential. The cmdlet doesn't retrieve the PSCredential object itself. |
| New-AzAutomationCredential | Creates a new Automation credential. |
| Remove-AzAutomationCredential | Removes an Automation credential. |
| Set-AzAutomationCredential | Sets the properties for an existing Automation credential. |
Other cmdlets used to access credentials
The cmdlets in the following table are used to access credentials in your runbooks and DSC configurations.
| Cmdlet | Description |
|---|---|
| Get-Credential | Gets a credential with a prompt for user name and password. This cmdlet is part of the default Microsoft.PowerShell.Security module. See Default modules. |
| New-AzureAutomationCredential | Creates a credential asset. This cmdlet is part of the default Azure module. See Default modules. |
To retrieve PSCredential objects in your code, you must import the Orchestrator.AssetManagement.Cmdlets module. For more information, see Manage modules in Azure Automation.
```powershell
Import-Module Orchestrator.AssetManagement.Cmdlets -ErrorAction SilentlyContinue
```
You should avoid using variables in the Name parameter of Get-AutomationPSCredential. Their use can complicate discovery of dependencies between runbooks or DSC configurations and credential assets at design time.
Python functions that access credentials
The function in the following table is used to access credentials in a Python 2 and 3 runbook. Python 3 runbooks are currently in preview.
| Function | Description |
|---|---|
| get_automation_credential | Retrieves information about a credential asset. |
You must import the automationassets module at the top of your Python runbook to access the asset functions.
Create a new credential asset
You can create a new credential asset using the Azure portal or using Windows PowerShell.
Create a new credential asset with the Azure portal
1. From your Automation account, on the left-hand pane select Credentials under Shared Resources.
2. On the Credentials page, select Add a credential.
3. In the New Credential pane, enter an appropriate credential name following your naming standards.
4. Type your access ID in the User name field.
5. For both password fields, enter your secret access key.
6. If the multifactor authentication box is checked, uncheck it.
7. Click Create to save the new credential asset.
Azure Automation does not support user accounts that use multifactor authentication.
Create a new credential asset with Windows PowerShell
The following example shows how to create a new Automation credential asset. A PSCredential object is first created with the name and password, and then used to create the credential asset. Instead, you can use the Get-Credential cmdlet to prompt the user to type in a name and password.
```powershell
$user = "MyDomain\MyUser"
$pw = ConvertTo-SecureString "PassWord!" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $pw
New-AzureAutomationCredential -AutomationAccountName "MyAutomationAccount" -Name "MyCredential" -Value $cred
```
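The same workflow with the Az.Automation cmdlets from the first table, as an added example that is not part of the original page: the secret is prompted for rather than hard-coded, the asset is inspected through the management plane (which returns metadata only), and the value is rotated in place. The resource group, account and asset names are placeholders.

```powershell
# Added example (not from the original page): create, inspect and rotate a
# credential asset with the Az.Automation cmdlets.
# Assumed placeholder values: resource group, Automation account and asset name.
$ResourceGroup = 'rg-automation-example'
$Account       = 'aa-example'
$AssetName     = 'SvcAccount-Credential'

# Prompt for the secret instead of embedding it in the script, so no plaintext
# password lands in source control or in the PowerShell history file.
$cred = Get-Credential -UserName 'MyDomain\svc-runbook' -Message 'Service account password'

# Create the asset; Automation encrypts it with the account's own key.
New-AzAutomationCredential -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $Account -Name $AssetName -Value $cred `
    -Description 'Used by the nightly maintenance runbook' | Out-Null

# What the management plane hands back: a CredentialInfo object with metadata,
# never the PSCredential or the password.
$info = Get-AzAutomationCredential -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $Account -Name $AssetName
$info | Select-Object Name, UserName, CreationTime, LastModifiedTime

# Rotation: replace the stored value in place. Runbooks that call
# Get-AutomationPSCredential -Name $AssetName pick up the new password on their
# next run without any code change.
$rotated = Get-Credential -UserName $cred.UserName -Message 'New password after rotation'
Set-AzAutomationCredential -ResourceGroupName $ResourceGroup `
    -AutomationAccountName $Account -Name $AssetName -Value $rotated | Out-Null
```

Keeping the asset name fixed and rotating only the stored value is what makes the dependency discovery mentioned above work: the runbook's static `-Name` string is unchanged, so the link between runbook and asset is still visible at design time.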
Get a credential asset
A runbook or DSC configuration retrieves a credential asset with the internal Get-AutomationPSCredential cmdlet. This cmdlet gets a PSCredential object that you can use with a cmdlet that requires a credential. You can also retrieve the properties of the credential object to use individually. The object has properties for the user name and the secure password.
The Get-AzAutomationCredential cmdlet does not retrieve a PSCredential object that can be used for authentication. It only provides information about the credential. If you need to use a credential in a runbook, you must retrieve it as a PSCredential object using Get-AutomationPSCredential.
Textual runbook example
The following example shows how to use a PowerShell credential in a runbook. It retrieves the credential and assigns its user name and password to variables.
```powershell
$myCredential = Get-AutomationPSCredential -Name 'MyCredential'
$userName = $myCredential.UserName
$securePassword = $myCredential.Password
$password = $myCredential.GetNetworkCredential().Password
```
```powershell
# Ensures you do not inherit an AzContext in your runbook
Disable-AzContextAutosave -Scope Process

# Connect to Azure with system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity).context

# set and store context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext

# Get credential
$myCred = Get-AutomationPSCredential -Name "MyCredential"
$userName = $myCred.UserName
$securePassword = $myCred.Password
$password = $myCred.GetNetworkCredential().Password
$myPsCred = New-Object System.Management.Automation.PSCredential ($userName,$securePassword)

# Connect to Azure with credential
$AzureContext = (Connect-AzAccount -Credential $myPsCred -TenantId $AzureContext.Subscription.TenantId).context

# set and store context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription `
    -TenantId $AzureContext.Subscription.TenantId `
    -DefaultProfile $AzureContext
```
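The examples above extract the plaintext password into `$password`. As an added example that is not part of the original page, the runbook below shows the pattern a practitioner would prefer: fail the job loudly if the asset cannot be retrieved, hand the PSCredential object straight to a cmdlet that accepts `-Credential`, and, where a legacy API leaves no alternative to a string password, keep the plaintext scoped as narrowly as possible. The asset name, server name and URL are placeholders.

```powershell
# Added example (not from the original page): a runbook that uses the
# PSCredential returned by Get-AutomationPSCredential without turning the
# password into a string unless it has to.
# Assumed placeholders: the asset name, the target server and its health URL.
$assetName = 'SvcAccount-Credential'
$target    = 'fileserver01.mydomain.local'

try {
    # Stop on failure: a missing or renamed asset should fail the job,
    # not continue with an empty credential.
    $svcCred = Get-AutomationPSCredential -Name $assetName -ErrorAction Stop
}
catch {
    throw "Credential asset '$assetName' could not be retrieved: $($_.Exception.Message)"
}

# Preferred path: pass the PSCredential object itself. Only the user name is
# written to the job output stream.
Write-Output "Running as $($svcCred.UserName)"
Invoke-Command -ComputerName $target -Credential $svcCred -ScriptBlock {
    Get-Service -Name 'Spooler' | Select-Object Name, Status
}

# Fallback path: an API that needs a string password (here a basic-auth
# header for a placeholder endpoint). Extract the plaintext immediately
# before use and drop every variable that held it as soon as the call returns.
$plain = $svcCred.GetNetworkCredential().Password
try {
    $pair   = "$($svcCred.UserName):$plain"
    $header = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair)) }
    Invoke-RestMethod -Uri "https://$target/api/health" -Headers $header -Method Get
}
finally {
    Remove-Variable -Name plain, pair, header -ErrorAction SilentlyContinue
}
```

The `-ErrorAction Stop` plus `try`/`catch` matters in Automation specifically: a runbook that silently continues after a failed asset lookup produces confusing downstream authentication errors, whereas a thrown exception surfaces in the job status where it can be alerted on.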
Graphical runbook example
You can add an activity for the internal Get-AutomationPSCredential cmdlet to a graphical runbook by right-clicking on the credential in the Library pane of the graphical editor and selecting Add to canvas.
The following image shows an example of using a credential in a graphical runbook. In this case, the credential provides authentication for a runbook to Azure resources, as described in Use Azure AD in Azure Automation to authenticate to Azure. The first activity retrieves the credential that has access to the Azure subscription. The account connection activity then uses this credential to provide authentication for any activities that come after it. A pipeline link is used here since Get-AutomationPSCredential is expecting a single object.
Use credentials in a DSC configuration
While DSC configurations in Azure Automation can work with credential assets using Get-AutomationPSCredential, they can also pass credential assets via parameters. For more information, see Compiling configurations in Azure Automation DSC.