I’ve recently been investigating Azure Automation runbooks. Essentially, these give you a way to execute some code (currently PowerShell or Python) to perform some basic tasks against your infrastructure.
For this post, we’ll focus on setting up a (default) runbook, and just making it run. Let’s start by creating an automation account:
From here, you can create your automation account:
Once the account has been created, it gives you a couple of example runbooks:
If we have a look at the tutorial with identity, it gives us the following PowerShell script:
```powershell
<#
    .DESCRIPTION
        An example runbook which gets all the ARM resources using the Managed Identity

    .NOTES
        AUTHOR: Azure Automation Team
        LASTEDIT: Oct 26, 2021
#>

"Please enable appropriate RBAC permissions to the system identity of this automation account. Otherwise, the runbook may fail..."

try
{
    "Logging in to Azure..."
    Connect-AzAccount -Identity
}
catch {
    Write-Error -Message $_.Exception
    throw $_.Exception
}

#Get all ARM resources from all resource groups
$ResourceGroups = Get-AzResourceGroup

foreach ($ResourceGroup in $ResourceGroups)
{
    Write-Output ("Showing resources in resource group " + $ResourceGroup.ResourceGroupName)
    $Resources = Get-AzResource -ResourceGroupName $ResourceGroup.ResourceGroupName
    foreach ($Resource in $Resources)
    {
        Write-Output ($Resource.Name + " of type " + $Resource.ResourceType)
    }
    Write-Output ("")
}
```
Looking at this script, it only really does two things: it connects to Azure using the managed identity, and then it runs through all the resource groups in the subscription and prints out the name and type of each resource in them.
If you run this:
Then you’ll see the following warning in the output (basically saying that you should set up the permissions, or things won’t work):
If you now switch to Errors, you’ll see a confusing error (caused by the fact that we haven’t set up the permissions, and so things don’t work):
In order to correct this, you need to give the runbook appropriate permissions, which is done through the automation account’s identity. Head over to the automation account resource, and select Identity:
Select Add role assignments.
Because this script is listing the resources in the subscription, you’ll need to be generous with the permissions:
If you run that now, it should display all the resource groups fine:
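The role assignment step above can also be scripted. The following is an added example, not part of the original post or the Azure tutorial: it grants the account's system-assigned identity the built-in Reader role at subscription scope, which covers the two read-only cmdlets the runbook calls (`Get-AzResourceGroup` and `Get-AzResource`), and warns about any broader roles the identity already holds. The resource group and account names are placeholders, and it assumes you have already signed in with `Connect-AzAccount` as a user allowed to assign roles.

```powershell
# Added example: least-privilege role assignment for the runbook's identity.
# Placeholders (assumptions, replace with your own values):
$resourceGroup     = '<resource-group-name>'
$automationAccount = '<automation-account-name>'

# Use the subscription of the current Az session as the assignment scope.
$context = Get-AzContext
if (-not $context) { throw 'No Azure session found. Run Connect-AzAccount first.' }
$scope = "/subscriptions/$($context.Subscription.Id)"

# The system-assigned identity is exposed on the automation account object.
$account     = Get-AzAutomationAccount -ResourceGroupName $resourceGroup -Name $automationAccount
$principalId = $account.Identity.PrincipalId
if (-not $principalId) {
    throw 'The system-assigned identity is not enabled on this automation account.'
}

# Role assignments Azure reports for this identity in the current subscription.
$assignments = @(Get-AzRoleAssignment -ObjectId $principalId)

# Flag roles that allow writes or role management; listing resources needs neither.
$broadRoles = 'Owner', 'Contributor', 'User Access Administrator'
foreach ($a in $assignments | Where-Object { $_.RoleDefinitionName -in $broadRoles }) {
    Write-Warning "Identity holds '$($a.RoleDefinitionName)' at $($a.Scope); Reader is enough for this runbook."
}

# Grant Reader at subscription scope only if it is not already assigned there.
$hasReader = $assignments | Where-Object {
    $_.RoleDefinitionName -eq 'Reader' -and $_.Scope -eq $scope
}
if (-not $hasReader) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
    Write-Output "Assigned Reader at $scope"
}

# Show the resulting assignments for review.
Get-AzRoleAssignment -ObjectId $principalId |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```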