
Azure Automation Account

An Azure Automation Account is a service in Microsoft Azure that allows you to automate the management and orchestration of tasks across Azure and non-Azure environments.

Prerequisites

Note

Setting up these prerequisites is beyond the scope of what Secrets Management can assist with. This guide is intended for those already using an Azure Automation Account.

  1. Azure automation account

  2. Hybrid runbook worker on the UMN network

Approle Setup

Vault Policies

Teams are responsible for setting up policies that give the approle access to specific secrets or paths. Use the following CLI command (or a variation of the Terraform code examples) to create a policy that can read any secret under secret/azure_automation/*.

Bash
vault policy write approle_azure_automation_access_policy - <<EOF
path "secret/data/azure_automation/*" {
  capabilities = ["read"]
}
EOF

Approle

In order for the Azure Automation Account to connect to Vault, it must authenticate. To create an approle, use the following CLI command (or a variation of the Terraform code examples) and associate the policy that you created in the previous step:

Bash
vault write auth/approle/role/azure_automation \
  token_policies="default,approle_azure_automation_access_policy"

role_id & secret_id

The Azure Automation Account authenticates to Vault with a role_id and a secret_id, so both need to be retrieved:

Bash
# Read role-id
vault read auth/approle/role/azure_automation/role-id

# Create a secret-id
vault write -f auth/approle/role/azure_automation/secret-id

Azure Automation Credential Setup

  1. Navigate to the Azure Portal > Automation Accounts > Select your automation account > Shared Resources > Credentials

  2. Create a new credential named vault_approle with the username being the role-id previously obtained and the password being the secret-id.
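The secret-id stored in that credential is the only rotating part of the AppRole pair, so rotating it is a routine task. The script below is an added example (not part of this page or the UMN Secrets Management tooling) that mints a fresh secret-id over the Vault HTTP API, writes the role-id/secret-id pair into the vault_approle credential with Az.Automation, and then destroys every other outstanding secret-id so the stored one is the only valid one. It assumes an operator workstation where Connect-AzAccount has already run, an operator token in $env:VAULT_TOKEN that is allowed to manage auth/approle/role/azure_automation secret-ids, and placeholder resource group and automation account names.

```powershell
# Added example: rotate the AppRole secret-id and push it into the Azure
# Automation credential. Not the page's own code; names marked <...> are
# placeholders you must replace.
$ErrorActionPreference = "Stop"

$vaultAddress      = "https://hcp-vault-public-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
$namespace         = "admin/CESI"
$roleName          = "azure_automation"
$resourceGroup     = "<your-resource-group>"      # placeholder (assumption)
$automationAccount = "<your-automation-account>"  # placeholder (assumption)
$credentialName    = "vault_approle"

# Operator token is read from the environment so it never appears in the script.
$headers = @{ "X-Vault-Token" = $env:VAULT_TOKEN; "X-Vault-Namespace" = $namespace }

# The role-id is stable for the life of the role; only the secret-id rotates.
$roleID = (Invoke-RestMethod -Method Get `
    -Uri "$vaultAddress/v1/auth/approle/role/$roleName/role-id" -Headers $headers).data.role_id

# Mint a new secret-id; Vault returns both the value and its accessor.
$issued = Invoke-RestMethod -Method Post `
    -Uri "$vaultAddress/v1/auth/approle/role/$roleName/secret-id" `
    -Headers $headers -Body "{}" -ContentType "application/json"
$newSecretID = $issued.data.secret_id
$newAccessor = $issued.data.secret_id_accessor

# Store the pair in the same username/password shape the runbook expects.
$securePwd = ConvertTo-SecureString $newSecretID -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($roleID, $securePwd)
Set-AzAutomationCredential -ResourceGroupName $resourceGroup `
    -AutomationAccountName $automationAccount -Name $credentialName -Value $cred

# Enumerate accessors (GET with ?list=true stands in for the LIST verb) and
# destroy every secret-id except the one just stored, so a leaked old
# secret-id stops working as soon as the rotation completes.
$accessors = (Invoke-RestMethod -Method Get `
    -Uri "$vaultAddress/v1/auth/approle/role/$roleName/secret-id?list=true" -Headers $headers).data.keys
foreach ($accessor in @($accessors)) {
    if ($accessor -eq $newAccessor) { continue }
    Invoke-RestMethod -Method Post `
        -Uri "$vaultAddress/v1/auth/approle/role/$roleName/secret-id-accessor/destroy" `
        -Headers $headers -Body (@{ secret_id_accessor = $accessor } | ConvertTo-Json) `
        -ContentType "application/json" | Out-Null
    Write-Output "Destroyed old secret-id accessor $accessor"
}
Write-Output "Credential '$credentialName' now holds accessor $newAccessor"
```

Accessors are safe to print because they identify a secret-id without revealing it; the secret-id value itself is only ever placed in the SecureString. Run the rotation before the old secret-id's TTL expires so the runbook never sees a failed login.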

Example Powershell Runbook

Note

The Runbook will need to run on your Hybrid Runbook Worker from within the UMN network in order to access vault.

PowerShell
## Use an approle to get the value of a secret located at secret/azure_automation/test with key foo.

# Retrieve the approle credential stored in the automation account
# (username = role-id, password = secret-id)
$approle = Get-AutomationPSCredential -Name "vault_approle"

# Define Vault parameters. Keep exactly one $vaultAddress assignment active;
# a second assignment silently overwrites the first.
# $vaultAddress = "https://hcp-vault-public-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"  # use if the hybrid runbook worker has a UMN public IP address
$vaultAddress = "https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"   # use if the hybrid runbook worker has a UMN RFC1918 IP address
$roleID = $approle.Username
$secretID = $approle.GetNetworkCredential().Password
$namespace = "admin/CESI"
$secretPath = "secret/data/azure_automation/test"   # KV v2: the API path includes the /data/ segment

# Authenticate with Vault using AppRole; the response carries a client token
$authResponse = Invoke-RestMethod -Method Post -Uri "$vaultAddress/v1/auth/approle/login" -Body (@{ role_id = $roleID; secret_id = $secretID } | ConvertTo-Json) -ContentType "application/json" -Headers @{ "X-Vault-Namespace" = $namespace }
$vaultToken = $authResponse.auth.client_token

# Retrieve the secret from Vault using the token from the previous step
$secretResponse = Invoke-RestMethod -Method Get -Uri "$vaultAddress/v1/$secretPath" -Headers @{ "X-Vault-Token" = $vaultToken; "X-Vault-Namespace" = $namespace }

# Output the secret (KV v2 nests the key/value pairs under data.data).
# Anything written here lands in the job's output stream and job history,
# so in a real runbook use the value instead of printing it.
Write-Output $secretResponse.data.data.foo
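The runbook above shows the minimal flow. The version below is an added example (not the page's runbook) that keeps the same AppRole login and KV v2 read but wraps each call so a failed login or a missing key fails the job with a clear message instead of passing $null downstream, never writes the secret value into the job output stream, and revokes the Vault token when the job is done rather than leaving it alive until its TTL. It assumes the vault_approle credential, namespace and private Vault address from this page; the Write-Output line that reports a character count stands in for whatever the runbook actually does with the value.

```powershell
# Added example: hardened variant of the page's runbook (not the page's own code).
$ErrorActionPreference = "Stop"

$vaultAddress = "https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
$namespace    = "admin/CESI"
$secretPath   = "secret/data/azure_automation/test"
$secretKey    = "foo"

function Get-VaultToken {
    param([string]$Address, [string]$Namespace, [pscredential]$AppRole)
    $body = @{
        role_id   = $AppRole.UserName
        secret_id = $AppRole.GetNetworkCredential().Password
    } | ConvertTo-Json
    try {
        $resp = Invoke-RestMethod -Method Post -Uri "$Address/v1/auth/approle/login" `
            -Body $body -ContentType "application/json" `
            -Headers @{ "X-Vault-Namespace" = $Namespace } -TimeoutSec 30
    } catch {
        # Report the failure without echoing $body: it carries the secret-id.
        throw "AppRole login to $Address failed (expired or exhausted secret-id?): $($_.Exception.Message)"
    }
    return $resp.auth   # contains client_token and lease_duration
}

function Get-VaultKvValue {
    param([string]$Address, [string]$Namespace, [string]$Token, [string]$Path, [string]$Key)
    $resp = Invoke-RestMethod -Method Get -Uri "$Address/v1/$Path" `
        -Headers @{ "X-Vault-Token" = $Token; "X-Vault-Namespace" = $Namespace } -TimeoutSec 30
    # KV v2 nests the payload under data.data; fail loudly if the key is absent.
    $kv = $resp.data.data
    if (-not $kv.PSObject.Properties[$Key]) {
        throw "Key '$Key' not present at $Path (secret version $($resp.data.metadata.version))"
    }
    return $kv.$Key
}

function Revoke-VaultToken {
    param([string]$Address, [string]$Namespace, [string]$Token)
    try {
        Invoke-RestMethod -Method Post -Uri "$Address/v1/auth/token/revoke-self" `
            -Headers @{ "X-Vault-Token" = $Token; "X-Vault-Namespace" = $Namespace } `
            -TimeoutSec 30 | Out-Null
    } catch {
        # Not fatal: the token still expires at its TTL.
        Write-Warning "Token revocation failed: $($_.Exception.Message)"
    }
}

$approle = Get-AutomationPSCredential -Name "vault_approle"
$auth    = Get-VaultToken -Address $vaultAddress -Namespace $namespace -AppRole $approle
try {
    $value = Get-VaultKvValue -Address $vaultAddress -Namespace $namespace `
        -Token $auth.client_token -Path $secretPath -Key $secretKey

    # Use $value in place here. Job output is retained in the automation
    # account's job history, so only non-sensitive facts are written out.
    Write-Output ("Retrieved '{0}' from {1} ({2} characters; token TTL {3}s)" -f `
        $secretKey, $secretPath, $value.Length, $auth.lease_duration)
} finally {
    # Runs on success and on failure, so the token does not outlive the job.
    Revoke-VaultToken -Address $vaultAddress -Namespace $namespace -Token $auth.client_token
}
```

The try/finally around the read is the part that matters operationally: a runbook that throws halfway through otherwise leaves a valid Vault token in memory on the hybrid worker until the token's TTL expires.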