Reputation: 3100
Currently, I have two subscriptions: S01 and S02. I have a runbook running in S02 that needs to access resources in S01.
When I run the command Get-AzureRmSubscription -SubscriptionName S01, it fails to even find the subscription. Below is an example of code and output:
$connectionName = "AzureRunAsConnection"
try
{
# Get the Automation connection asset "AzureRunAsConnection" (tenant, application id, certificate thumbprint)
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
Write-Output "Logging in to Azure..."
$Account = Add-AzureRmAccount `
-ServicePrincipal `
-TenantId $servicePrincipalConnection.TenantId `
-ApplicationId $servicePrincipalConnection.ApplicationId `
-CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint `
-Verbose `
-ErrorAction Stop
Write-Output "***** LOGGED IN ($((Get-AzureRmContext).Subscription.SubscriptionName)). *******"
}
catch {
if (!$servicePrincipalConnection)
{
$ErrorMessage = "Connection $connectionName not found."
throw $ErrorMessage
}
else
{
Write-Error -Message $_.Exception
throw $_.Exception
}
}
Write-Output "Current subscription using Get-AzureRmSubscription:"
Get-AzureRmSubscription
Write-Output "==============================================================="
Write-Output "Switch subscription using Select-AzureRmSubscription:"
Get-AzureRmSubscription -SubscriptionName "S01" | Select-AzureRmSubscription
Write-Output "==============================================================="
Write-Output "Switch subscription using Set-AzureRmContext:"
Set-AzureRmContext -SubscriptionName "S01"
Write-Output "==============================================================="
Output:
Logging in to Azure...
VERBOSE: Performing the operation "log in" on target "ServicePrincipal account in environment 'AzureCloud'".
***** LOGGED IN (S02). *******
Current subscription using Get-AzureRmSubscription:
WARNING: Unable to acquire token for tenant 'Common'
SubscriptionId : 2f301a20-22a3-b321-2a3c-829ac3d4e39a
SubscriptionName : S02
State : Enabled
TenantId : e2g374a3-8732-3466-9876-a7cd32b208de
CurrentStorageAccountName :
===============================================================
Switch subscription using Select-AzureRmSubscription:
WARNING: Unable to acquire token for tenant 'Common'
ERROR: Get-AzureRmSubscription : Subscription S01 was not found in tenant . Please verify that the subscription
exists in this tenant.
At line:37 char:2
+ Get-AzureRmSubscription -SubscriptionName "S01" | Sele ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Get-AzureRmSubscription], PSArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand
===============================================================
Switch subscription using Set-AzureRmContext:
ERROR: Set-AzureRmContext : Provided subscription S01 does not exist
At line:41 char:2
+ Set-AzureRmContext -SubscriptionName "S01"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmContext], ArgumentException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Profile.SetAzureRMContextCommand
===============================================================
I guess it all revolves around the AzureRunAsConnection and AzureRunAsCertificate and using the ServicePrincipal. My guess is that I need to log in using S01's AzureRunAsConnection, which I assume means I need to get the certificate out of S01 and into S02, but I am not having much luck exporting and importing the RunAsCertificate from S01 into S02.
I've tried creating my own AD Application, but I can't seem to get that to work either.
I'm sure it has to be possible, but how? Am I close and what is the correct way?
P.S. Both subscriptions "share" the same Azure AD.
TIA
Upvotes: 0
Views: 2247
Reputation: 329
You can't export a certificate once it has been assigned to a Service Principal. So you have two options:
No matter which approach you choose, you should take a look here for a step-by-step description of creating the service principal, certificate, etc.: https://learn.microsoft.com/en-us/azure/automation/automation-sec-configure-azure-runas-account#update-an-automation-account-using-powershell
Upvotes: 1
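One way to do this without moving any certificate, as an added example that is not part of the original question or answer: Get-AzureRmSubscription only lists subscriptions in which the signed-in principal holds a role assignment, which is why S01 is "not found" for the S02 Run As service principal. Because both subscriptions share one Azure AD tenant, that same service principal can be given a narrowly scoped RBAC role in S01 and the runbook can then switch context by subscription id. The example assumes the AzureRM module (Get-AzureRmADServicePrincipal, New-AzureRmRoleAssignment, Get-AzureRmRoleAssignment, Set-AzureRmContext); the GUIDs, the resource group name rg-shared and the Reader role are placeholders chosen for illustration.

```powershell
# Added example, not code from the original post or from the linked Microsoft article.
# Assumes: both subscriptions live in the same Azure AD tenant and the AzureRM module
# is installed. All GUIDs and the resource group name are placeholders.

# ---------- Part 1: one-time setup, run once by an administrator ----------
# Run from a workstation after Add-AzureRmAccount as a user holding Owner or
# User Access Administrator on S01. It grants the Run As service principal that
# S02's Automation account already uses a role in S01, scoped as narrowly as the
# runbook's job allows (a single resource group here, not the whole subscription).

$runAsAppId = '00000000-0000-0000-0000-000000000001'   # ApplicationId shown on S02's AzureRunAsConnection (placeholder)
$s01Id      = '00000000-0000-0000-0000-0000000000aa'   # S01 subscription id (placeholder)
$scope      = "/subscriptions/$s01Id/resourceGroups/rg-shared"   # hypothetical resource group in S01
$role       = 'Reader'                                 # choose the least role the runbook actually needs

Set-AzureRmContext -SubscriptionId $s01Id -ErrorAction Stop | Out-Null

# Resolve the service principal object from the application id (the SPN is the app id).
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $runAsAppId
if (-not $sp) { throw "No service principal found for application $runAsAppId in this tenant." }

# Create the assignment only if it is not already there (the cmdlet errors on duplicates).
$existing = Get-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $role -Scope $scope | Out-Null
}

# Verify: list every assignment the Run As principal holds, so nothing broader than intended slipped in.
Get-AzureRmRoleAssignment -ObjectId $sp.Id | Select-Object RoleDefinitionName, Scope

# ---------- Part 2: inside the runbook in S02 ----------
# Runs after the existing Add-AzureRmAccount -ServicePrincipal block. Switch by
# subscription id rather than display name, and confirm the switch before doing work.

$s01Id = '00000000-0000-0000-0000-0000000000aa'        # same placeholder as above

# Fails with a clear error if the principal still has no role in S01.
$null = Get-AzureRmSubscription -SubscriptionId $s01Id -ErrorAction Stop
$ctx  = Set-AzureRmContext -SubscriptionId $s01Id -ErrorAction Stop

# Older AzureRM versions expose Subscription.SubscriptionId, newer ones Subscription.Id.
$currentId = $ctx.Subscription.SubscriptionId
if (-not $currentId) { $currentId = $ctx.Subscription.Id }
if ($currentId -ne $s01Id) {
    throw "Expected context in subscription $s01Id but got $currentId."
}
Write-Output "Working in subscription $currentId"

# An action the Reader assignment above permits; anything that writes would need a broader role.
Get-AzureRmResource -ResourceGroupName 'rg-shared' | Select-Object Name, ResourceType
```

The Run As certificate stays where it is: one application and one service principal in the shared tenant, with a separate, minimal role assignment per subscription it must reach. Running Part 1's final Get-AzureRmRoleAssignment after setup, and again periodically, is the check that the principal has not quietly accumulated Contributor or Owner across subscriptions.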