
Runbook: Run PowerShell as Azure account


I have a script on a VM within the subscription/RG that runs a PS module called Qlik-Cli; it uses a certificate and a login.

The certificate is stored in the local store for the service account, not a choice, that is how the product works. I need to trigger this through a PowerShell runbook.

In order for this to work, I need to trigger this with the service account, because it won't find the certificate otherwise.

This is something we are going to schedule so it has to be done this way.

How can I run it this way, or is it not possible? I can't find any good option when googling it.

Import-Module -Name Qlik-Cli
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$logpath = "E:\Tools\Scripts\log.txt"
Get-ChildItem cert:\currentuser\My\ | Where-Object {$_.Thumbprint -eq '"thumbprint"'} | Connect-Qlik "DNS" -UserName "user" -TrustAllCerts -Verbose 4>&1 | Out-File -Append $logpath
Start-QlikTask -id df9dfa2f-32ca-4db4-bdce-15ad924fd59f -Verbose 4>&1 | Out-File -Append $logpath

The script in the runbook:

# Authenticate the runbook with the Automation account's Run As service principal
$ServicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzAccount -ServicePrincipal -TenantId $ServicePrincipalConnection.TenantId -ApplicationId $ServicePrincipalConnection.ApplicationId -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
$rgname = "Resource-Group"
$vmname = "Virtual machine name"
# The file handed to Run Command contains only this path, so the command executed on the VM is the local script itself
$ScriptToRun = "E:\Tools\Scripts\Tasktrigger.ps1"
Out-File -InputObject $ScriptToRun -FilePath ScriptToRun.ps1
# Run Command executes the script on the VM in the context of the VM agent, not as the service account
Invoke-AzVMRunCommand -ResourceGroupName $rgname -Name $vmname -CommandId 'RunPowerShellScript' -ScriptPath ScriptToRun.ps1
Remove-Item -Path ScriptToRun.ps1

What the log from the local script says when I execute the runbook is that it can't find the certificate, which is not strange.

Raw output:

Found 0 certificates in the current user store
Found 0 certificates in the local machine store
No valid certificate found, using windows credentials


Solution

  • Used the code on GitHub for the module Qlik-Cli to backtrack the error message. Had to change certificate and import the new one in the personal / machine store.

    Also the default username when running it from outside the Qlik server is domain\Servername$, which means you have to change permissions on the account in Qlik Sense to allow it to execute tasks.

    You can see the name if you use verbose logging to file once you have added the right certificate all the way.
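The following is an added example, not code from the question or from the Qlik-Cli project: a version of the local script that logs which Windows identity Run Command actually executes under, looks for the certificate in both the user and the machine store, and stops with a clear log line instead of silently falling back to Windows credentials. It assumes Qlik-Cli is installed on the VM and that the placeholder thumbprint, host, user and task id are replaced with real values.

```powershell
# Added example, not the question's script. Placeholders must be replaced.
param(
    [string]$Thumbprint = '<thumbprint placeholder>',
    [string]$QlikHost   = '<qlik-server-dns placeholder>',
    [string]$QlikUser   = '<domain\user placeholder>',
    [string]$TaskId     = '<task-id placeholder>',
    [string]$LogPath    = 'E:\Tools\Scripts\log.txt'
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -Append -FilePath $LogPath
}

# Run Command does not run as the service account, so the Qlik server sees
# the machine account (domain\Servername$, as noted in the solution).
# Log the identity first so a permission or store mismatch is obvious.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Log "Running as $identity"

# Check the current user's store first (where the service account kept it),
# then the machine store (the one the Run Command identity can reach).
$cert = Get-ChildItem -Path Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint } |
    Select-Object -First 1

if (-not $cert) {
    Write-Log "No certificate $Thumbprint in CurrentUser\My or LocalMachine\My as $identity; aborting instead of falling back to Windows credentials"
    exit 1
}
if (-not $cert.HasPrivateKey) {
    Write-Log "Certificate $Thumbprint found in $($cert.PSParentPath) but has no private key attached; aborting"
    exit 1
}
Write-Log "Using certificate from $($cert.PSParentPath)"

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Import-Module -Name Qlik-Cli

# Connect-Qlik takes the certificate object from the pipeline, as in the question.
# -UserName is passed explicitly: without it the module uses the running
# identity, i.e. the machine account under Run Command.
# -TrustAllCerts is kept from the question's script; drop it once the
# server certificate chains to a trusted root on the VM.
$cert | Connect-Qlik $QlikHost -UserName $QlikUser -TrustAllCerts -Verbose 4>&1 | Out-File -Append $LogPath
Start-QlikTask -id $TaskId -Verbose 4>&1 | Out-File -Append $LogPath
```

The "Running as" log line is the quickest way to confirm which account needs the certificate in its store and which account needs task permissions in Qlik Sense.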