0
votes

I'm looking to manage certain settings of Azure via Azure PowerShell from C#. I need to manage subscriptions for many, many customers programmatically.

I want to ensure that anytime I open a PowerShell session to deal with a particular customer's subscription, nothing of that session is left over in the registry, certificate store, etc.

I have management certificates available to me as encrypted byte arrays. I can save them on the hard drive if needed.

I am also happy to call PowerShell cmdlets not thru a PowerShell session but directly thru referencing objects in the .DLL.

I would prefer to avoid the use of the Management API directly in certain scenarios, which is why I'd like to do so via PowerShell.

Is this possible? If so, how do I avoid using the certificate store? Ideally, I would prefer to just have a way to call into the cmdlet from C# without going thru a PowerShell session.

3
Is there a reason you want to do this via PowerShell instead of using the .NET Azure Management API wrapper? - Gaurav Mantri
There are certain commands (for now the ones dealing with Diagnostics Extensions) that seemed to be very hard to deconstruct into actionable API calls. I'd prefer to not be tied to the management API for this and deal with the "supported" interface of cmdlets if at all possible - Igorek
Makes sense! Have you thought about creating an instance of an X509Certificate2 object using something like $cert=New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(byte array)? However, you must have the certificate private key with you as well, otherwise authentication would fail. Or in other words, you should ask your users to give you a PFX certificate with password instead of a CER file. - Gaurav Mantri
I do have the private key, so that's not a problem. But how do I specify that my newly created object must be used in Azure cmdlets? - Igorek
I'm no PowerShell expert, but the way I understand it is that the Azure cmdlets are a PowerShell module and it gets loaded automatically when you access it via the Azure PowerShell Cmdlets shortcut on your computer. You would need to do something similar, i.e. programmatically launch PowerShell and load this module. Let me ping some PowerShell experts and they can provide a much better solution for this. - Gaurav Mantri

3 Answers

2
votes

You should start using Azure Active Directory credentials instead of X.509 certificates. Both the Azure Service Management (ASM) and Azure Resource Manager (ARM) modes of Azure PowerShell support AAD, while certificate authentication can only be used for ASM. Using AAD credentials means you NEVER need to use X.509 certificates and be subject to the management difficulties they impose. You would need to be added as a co-admin to your clients' subscriptions for ASM support (and the production portal) and provided an appropriate role for ARM support (and the preview portal). However, your customers could restrict your ARM and preview portal access with RBAC.

2
votes

PowerShell has one cmdlet called clear-azureprofile ... And it clears all connections ... If you really want to be sure you better also clear the IE cookies and start a new PoSh session after both actions (so best to do it at the end of each session)... I agree with Neil btw: Stay clear from the certs... Aim for AAD

BUT ... Why don't you take a look at the management libraries (MAML)? It's the basis for all; you don't need to call REST and you can avoid PowerShell (that also uses MAML). It's downloadable as a NuGet package.

Find it here: http://www.nuget.org/packages/Microsoft.WindowsAzure.Management.Libraries
And find info on it here: http://azure.microsoft.com/en-us/updates/management-libraries-for-net-release-announcement/
and here: http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries
Hope this helps!

-1
votes

The only automated way is with an AAD account for the subscription. Be aware, the token expires in 12 hours. See June's fantastic blog post: http://www.sapien.com/blog/2014/10/23/saving-passwords-for-add-azureaccount/