0
votes

I'm trying to pass pscredentials to a dsc config intended for deployment through Azure Automation DSC, though I can't seem to get it working using the two documented methods.

1) The first method indicates that a PSCredential can be added to the credential store associated with the automation account being used for DSC. All the documentation I can find refers to the Azure classic portal, and instructs you to select the credential 'type.' However, Azure Automation management is no longer available in the classic portal, and the new portal doesn't have a 'type' drop-down for new credentials, and the type is 'Microsoft.Azure.Commands.Automation.Model.CredentialInfo' -- which doesn't bear the GetNetworkCredential() method that PSCredential types have (I need to get the plain-text password from within the DSC config to set new users [User DSC resource]). Am I missing something here, or is Azure in a weird state given the cut-over from classic to new portal for Automation functionality? I also tried using Get-AutomationPSCredential to read in the credentials I had added to the new portal to see if it implicitly does the type conversion, but that didn't work either (didn't find any objects under that name).

2) Documentation also states that adding a param() block and specifying the PSCredentials as parameters will dynamically populate those very same parameters during compilation, so their values can be filled out when compiling through the portal... though this doesn't happen, and the compilation job fails to recognize 'param,' throws a terminating exception and halts.

The code looks something like this:

$configdata = @{
    AllNodes = @(
        @{
            NodeName = "samplenode"
            # the setting the MOF compiler looks for is PSDscAllowPlainTextPassword
            PSDscAllowPlainTextPassword = $true
        }
    )
}

configuration testconfig {
    Import-DSCResource -ModuleName PSDesiredStateConfiguration

    param (
        [pscredential]$cred
    )

    Node $AllNodes.NodeName {
        User testuser {
            "blah blah blah"
        }
    }
}

Any help would be greatly appreciated, thanks!

2 Answers

1
votes

I ended up opening a case with MS as the documentation on GitHub was either misleading or downright wrong, and they offered a pretty detailed response and useful guidance... see below:

  1. For the command line, these are the best articles if you haven't already seen them:
     https://msdn.microsoft.com/en-us/powershell/dsc/configData
     https://msdn.microsoft.com/en-us/powershell/dsc/configdatacredentials
     https://docs.microsoft.com/en-us/azure/automation/automation-dsc-compile#credential-assets

  2. The correct PowerShell command to use when retrieving credential assets is: Get-AutomationPSCredential. I suspect this is where some additional explanation might be helpful.

One crucial difference is:
• Get-AutomationPSCredential returns a value of type [PSCredential]
• Get-AzureAutomationCredential returns a value of type [CredentialInfo]
• Get-AzureRMAutomationCredential returns a value of type [CredentialInfo]
• [CredentialInfo] cannot be used in place of [PSCredential]

Another difference is:
• Get-AutomationPSCredential retrieves the credential at compile time, and not run time.
• The credential is compiled into the MOF
• Hence the requirement for PSDscAllowPlainTextPassword = $true
• The MOF compiler is not aware that Azure Automation encrypts the MOF

Another major difference is:
• Get-AzureAutomationCredential and Get-AzureRMAutomationCredential execute at run time.
• Hence, the script must log in to Azure before they can be used.
• There is really no reason to use these cmdlets in a DSC Configuration.
• I did try it once just to see if it would work and it does (but only after a successful Azure login)

Having said this, I did notice Get-AzureRMAutomationCredential used in a Microsoft article that you referenced: https://github.com/Microsoft/azure-docs/blob/master/articles/automation/automation-dsc-compile.md#credential-assets

This article is incorrect and the configuration will not work as-is for two reasons:
• Credential expects a value of type [PSCredential] (a value of type [CredentialInfo] will not work)
• The DSC Configuration in the article does not log in to Azure and so Get-AzureRMAutomationCredential will fail

I can understand that three different PowerShell commands for retrieving an Automation Credential Asset might be confusing. Allow me to add one further bit of clarification:
• Get-AzureAutomationCredential uses the Azure Service Management API (ASM)
• Get-AzureRMAutomationCredential uses the Azure Resource Management API (ARM)
• ASM corresponds with the old Azure portal, ARM corresponds with the new Azure portal (Ibiza)
• ASM came before ARM and continues to be supported for backward compatibility.
• Get-AutomationPSCredential was created for Automation Runbooks
• It works in Azure Automation DSC (but it does not work in Windows PowerShell DSC)
• All of the Orchestrator.AssetManagement.Cmdlets are also in Azure Automation DSC
• You can find them in the Azure portal by editing a runbook and expanding cmdlets in the left pane
• The following article also describes these cmdlets, albeit in the context of a runbook: https://azure.microsoft.com/en-us/blog/getting-started-with-azure-automation-automation-assets-2/

The important thing to remember is that Orchestrator.AssetManagement.Cmdlets are:
• intended for use exclusively within the Automation environment (e.g., a Runbook or DSC configuration)
• cannot be used anywhere else and will not work in an interactive PowerShell session.
• in a DSC configuration they are evaluated at compile time and not at runtime
• DSC configurations are compiled into static definitions (MOF), not executable code
• the only exception is the Script resource, which does execute PowerShell at runtime: https://msdn.microsoft.com/en-us/PowerShell/DSC/scriptResource
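The pattern the support response describes, written out as an added example (this is not code from the question, the answers or Microsoft): a configuration whose [PSCredential] parameter is resolved from a credential asset at compile time, plus the config data the MOF compiler requires. The asset name 'LocalAdminCred' and node name 'samplenode' are assumptions.

```powershell
# Added example, not from the original post. Assumes the Automation account
# holds a credential asset named 'LocalAdminCred' and a node named 'samplenode'.
configuration NewLocalUser {
    # param() must be the first statement in the configuration body. In Azure
    # Automation DSC a [PSCredential] parameter is filled in at compile time
    # from the credential asset whose *name* is passed via -Parameters.
    param (
        [Parameter(Mandatory)]
        [PSCredential]$Cred
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Alternative: fetch the asset directly. This also runs at compile time,
    # because the configuration body executes when the MOF is produced.
    $svcCred = Get-AutomationPSCredential -Name 'LocalAdminCred'

    Node $AllNodes.NodeName {
        # The User resource takes the PSCredential itself; no
        # GetNetworkCredential() call is needed to obtain the password.
        User TestUser {
            UserName = 'testuser'
            Password = $Cred
            Ensure   = 'Present'
        }
        User ServiceUser {
            UserName = $svcCred.UserName
            Password = $svcCred
            Ensure   = 'Present'
        }
    }
}

# The password is written into the MOF in plain text by the compiler (Azure
# Automation encrypts the MOF afterwards, but the compiler does not know that),
# so every node receiving a credential needs this flag.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName                    = 'samplenode'
            PSDscAllowPlainTextPassword = $true
        }
    )
}

# Passed to Start-AzureRmAutomationDscCompilationJob: the credential parameter
# receives the asset name as a string, not a PSCredential object.
$Parameters = @{ Cred = 'LocalAdminCred' }
```

Get-AutomationPSCredential only resolves inside the Automation service, so this configuration cannot be compiled locally with Windows PowerShell DSC; the same [PSCredential] parameter would have to be supplied directly there.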

0
votes

Go to Azure Automation credentials and create a credentials object. Upload the DSC configuration:

Import-AzureRmAutomationDscConfiguration -SourcePath 'somepath'  `
-ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName -Published -Force

Prepare the configuration data and parameters:

$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName = $nodeName
            PSDscAllowPlainTextPassword = $true
        }
    )
}

$Parameters = @{
    "nodeName" = $nodeName
    "cred" = 'Azure Automation Credentials Name'
}

And compile it:

Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
-ConfigurationName 'anything' -Parameters $Parameters -ConfigurationData $ConfigurationData