0
votes

I'm trying to create an Azure Automation job to create a standard set of tags/values in a subscription.

Working with Tags requires AzureResourceManager, which is not available in Automation out of the box (Go vote for this feedback item!), so I followed these steps to upload the ARM module.

When I test my runbook I get the following output:

-------------------------
PSComputerName        : localhost
PSSourceJobInstanceId : a8b85213-ee0f-40ea-842f-d33f2e87c910
Id                    : xxxxx-56ad-42c2-97f4-e364456fc4a6
Name                  : xxxxx
Environment           : AzureCloud
Account               : my-service-principal-app-id
Properties            : {Default, Tenants, SupportedModes}
-------------------------
New-AzureTag : Your Azure credentials have not been set up or have expired, please run Add-AzureAccount to set up your 
Azure credentials.
At Add-SubscriptionTags:41 char:41
+ 
    + CategoryInfo          : CloseError: (:) [New-AzureTag], ArgumentException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Tags.Tag.NewAzureTagCommand

Here's my runbook:

workflow Add-SubscriptionTags
{
    param
    (
        # Subscription
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]
        $SubscriptionName
    )

    # Get the PowerShell credential
    $cred = Get-AutomationPSCredential -Name 'AzureMaint'

    # Connect to Azure
    Add-AzureAccount -Credential $cred -ServicePrincipal -Tenant 'xxx-49ab-8a9c-4abce32afc1e' | Write-Verbose

    # Set subscription
    $subscription = Select-AzureSubscription -SubscriptionName $SubscriptionName -PassThru
    write-output '-------------------------'
    write-output $subscription
    write-output '-------------------------'

    # Add tags (Requires AzureResourceManager module)
    New-AzureTag -Name 'Managed' -Value $true
    New-AzureTag -Name 'Managed' -Value $false
}

The AzureMaint PSCredential contains a service principal ID and key, and the service principal has been granted the Contributor role on the specified subscription. I can do Add-AzureAccount in the ISE with those credentials and add tags just fine. Since it successfully prints the subscription info I assume that means Add-AzureAccount was successful, so why do I get the error?


Update:

I created a new Automation Account without the ARM module and I'm still having the same issue, although the error message is slightly different:

Your Azure credentials have not been set up or have expired, please run Add-AzureAccount 
to set up your Azure credentials. (Your Azure credentials have not been set up or
have expired, please run Add-AzureAccount to set up your Azure credentials. (Unable 
to retrieve service key for ServicePrincipal account xxx-4a00-becf-952fda93edc5.
Please run the Add-AzureAccount cmdlet to supply the credentials for this service principal.))

So now I'm wondering if it doesn't like me using a Service Principal?

2
The Azure module does not support service principal for authentication, only the ARM module does. You should have the same issue with the Azure module in the PowerShell ISE, outside of Azure Automation. - Joe

2 Answers

1
votes

Just to update here, we've discovered that service principal authentication does not work in Azure Automation currently. Given you are trying to use a service principal, that is the reason for the issues you are hitting.

For now, a user principal should be used to work around this issue.

Please see the following for more info:

Authenticating to Azure Resource Manager with a Service Principal in Azure Automation

https://github.com/Azure/azure-powershell/issues/655

0
votes

Using ARM cmdlets in Azure Automation is not officially supported yet. That said, various people have been successful doing so. Are your ARM and Azure PowerShell modules the same version? Weird things can happen if they are loaded side by side but are not the same version.