
I have created a Run As Account for an Azure automation account. Is it possible to use the same Run As Account in a different automation account by creating a new automation connection with the same service principal?

I have tried to create a new automation connection in a different automation account with the same service principal but in the runbook, I get

No certificate was found in the certificate store with thumbprint xxxxxxxxxxxxxxxxxxxx

error.

Any idea?

MoonHorse

1 Answer


Let's say the old automation account is account 1, the new one is account 2.

If you create a Run As Account for account 2, it will create a new service principal. If you want to use the service principal of the Run As Account in account 1, you could simply add a new Connection in account 2 like below.

[screenshot: adding a new Connection in account 2]

Fix the values with the ones in Run As Account of account 1.

[screenshot: the connection field values]

No certificate was found in the certificate store with thumbprint xxxxxxxxxxxxxxxxxxxx

For this issue, maybe there are some issues with the old certificate; you could click Renew certificate and try again.

Then in your runbook, e.g. a PowerShell runbook, you could use the new connection to auth with the same service principal.

# Name of the connection asset added to account 2 with the values of account 1's Run As Account
$connectionName = "testconn"
try
{
    # Read the AzureServicePrincipal connection fields (TenantId, ApplicationId, CertificateThumbprint)
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    "Logging in to Azure..."
    # Certificate-based service principal login; a certificate asset with this thumbprint
    # (and its private key) must exist in the same automation account that runs the runbook
    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
Joy Wang
  • I have renewed the certificate but still I am having the same error. – MoonHorse Jul 01 '21 at 12:24
  • What intrigues me as well is that certificateThumbprint is clear text. I am not sure if we can use the same RunAsAccount in the different automation accounts. – MoonHorse Jul 01 '21 at 12:27
  • @MoonHorse Yes, it is clear text, of course, to be more precise, you can use the same service principal of the RunAsAccount rather than RunAsAccount, as the RunAsAccount will be created automatically, different automation accounts can not bind the same one. Just use the service principal as mentioned in my answer, essentially it uses the same RunAsAccount. – Joy Wang Jul 02 '21 at 01:09
  • I have done the exact same thing as you suggested but it is not working, I get the same error. That was what I had done actually. I have checked the issue further. I found out that when you create a run as account, it is creating a certificate under the certificate section of that automation account. I guess that certificate is needed to be copied to the second automation account. Likewise, the automation connection can be successful. But I don't know how to transfer that certificate to the second automation account. Do you have any idea? – MoonHorse Jul 02 '21 at 07:26
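The answer's runbook and the last comment together point at the real dependency: the connection asset only carries a thumbprint, while the certificate with the private key is a separate asset scoped to one automation account. The following PowerShell is an added example (not the answer's or Microsoft's code) that checks the certificate asset in the current account before calling Connect-AzAccount, so the runbook reports which piece is missing instead of the generic "No certificate was found" error. It assumes the connection asset is named "testconn" and the certificate asset "AzureRunAsCertificate" (the name a Run As Account creates by default).

```powershell
# Added example: verify the certificate asset behind a copied Run As connection
# before authenticating. Asset names below are assumptions for this runbook.
$connectionName  = "testconn"              # connection copied from account 1
$certificateName = "AzureRunAsCertificate" # default Run As certificate asset name

# The connection asset only stores identifiers: TenantId, ApplicationId, CertificateThumbprint
$conn = Get-AutomationConnection -Name $connectionName
if (-not $conn) {
    throw "Connection asset '$connectionName' not found in this automation account."
}

# Get-AutomationCertificate returns the X509Certificate2 stored as an asset in THIS
# automation account; certificate assets are not shared between accounts, so a
# connection copied from account 1 does not bring its certificate along.
try {
    $cert = Get-AutomationCertificate -Name $certificateName
} catch {
    throw "Certificate asset '$certificateName' is missing here; the connection expects thumbprint $($conn.CertificateThumbprint) but no certificate asset provides it."
}

# Thumbprint in the connection must match the certificate actually stored here;
# after a 'Renew certificate' in account 1 the connection values must be updated too.
if ($cert.Thumbprint -ne $conn.CertificateThumbprint) {
    throw "Thumbprint mismatch: connection expects $($conn.CertificateThumbprint) but asset '$certificateName' has $($cert.Thumbprint)."
}

# Authentication signs a JWT with the private key; a public-only certificate cannot log in
if (-not $cert.HasPrivateKey) {
    throw "Certificate asset '$certificateName' has no private key."
}

# An expired certificate fails at the token endpoint, not at the thumbprint lookup
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate asset '$certificateName' expired on $($cert.NotAfter); renew it first."
}

"Certificate checks passed; logging in as application $($conn.ApplicationId)..."
Connect-AzAccount `
    -ServicePrincipal `
    -TenantId $conn.TenantId `
    -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null
```

If the thumbprint check passes in account 1 but the certificate lookup fails in account 2, the connection values were copied correctly and only the certificate asset is absent, which is the situation the last comment describes.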