Azure Automation: Best way to store credentials?

2
votes

What would be the best way to store credentials in Azure Automation? Azure Automation Assets or Azure Key Vault?

3
azureazure-keyvaultazure-automation

3 Answers

2
votes

Unless there’s a particular reason to store the cred in keyvault. E.g single source of truth etc. It would be best to store as a credential asset in the run book. There a variety of reason for this, which include:

  • inclusion in graphical run book
  • ease of retrieving the credential in one line of PowerShellGet-AzureRmAutomationCredential

The biggest reason for not storing it in key vault is because with the cred in the keyvault you would have to manage the access policies associated with the keyvault and will change the sort of run book you need.

0
votes

It depends on the use case and the level of confidentiality you want to maintain with those credentials.

  • With Azure Vault, you will have to manage/create policies for the credential access, and also add few lines into your PowerShell script to access those credentials. This can enhance the security but might create an overhead depending on the use case. For example, if you are storing service principal key, I would say go for the Key vault.

  • Azure Automation Credentials can be accessed easily by anyone that has access to the resource group or subscription. By adding a simple PowerShell commands, passwords can also be retrieved as plain text from the Credentials, like this:

    $(Get-AutomationPSCredential -Name $name).GetNetworkCredential().Password.ToString()

However, for storing credentials that are used during deployments or are changing every now and then, Automation Credential is a good use case.

0
votes

If you use Runbook Studio it stores not only credentials (super encrypted in a propriety database) it also stores variables, certificates, schedules under your solution.

The easiest way to get started is to download Runbook Studio. Its like Visual Studio for Azure Automation runbooks.

You can download for free here; https://www.kelverion.com/runbook-studio-download-request/ If you share with me your Automation Plan, or I can help you design it using the RADP, Rapid Automation Development Plan Guide, I can direct you to prebuilt solutions and integrations. Also use PowerShell Gallery, its free.

Regards Sean.