Runbook: Run PowerShell as an Azure account


I have a script on a VM within the subscription/RG that runs a PS module called Qlik-Cli; it uses a certificate and a login.

The certificate is stored in the local store for the service account, not a choice, that's how the product works. I need to trigger this through a PowerShell runbook.

In order for this to work, I need to trigger this with the service account, because it won't find the certificate otherwise.

This is something we are going to schedule so it has to be done this way.

How can I run it this way, or is it not possible? I can't find any good option when googling it.

The local script (Tasktrigger.ps1):

Import-Module -Name Qlik-Cli
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$logpath = "E:\Tools\Scripts\log.txt"
# The certificate lookup runs against the CurrentUser store of whichever account executes this script
Get-ChildItem cert:\currentuser\My\ |
    Where-Object { $_.Thumbprint -eq "thumbprint" } |
    Connect-Qlik "DNS" -UserName "user" -TrustAllCerts -Verbose 4>&1 |
    Out-File -Append $logpath
# Verbose stream (4) is redirected to the log file as well
Start-QlikTask -id df9dfa2f-32ca-4db4-bdce-15ad924fd59f -Verbose 4>&1 | Out-File -Append $logpath

The script in the runbook:

# Authenticate the runbook with the Automation account's Run As service principal
$ServicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzAccount -ServicePrincipal -TenantId $ServicePrincipalConnection.TenantId -ApplicationId $ServicePrincipalConnection.ApplicationId -CertificateThumbprint $ServicePrincipalConnection.CertificateThumbprint
$rgname = "Resource-Group"
$vmname = "Virtual machine name"
# The file pushed to the VM contains only this path, so Run Command invokes Tasktrigger.ps1 on the VM
$ScriptToRun = "E:\Tools\Scripts\Tasktrigger.ps1"
Out-File -InputObject $ScriptToRun -FilePath ScriptToRun.ps1
# Run Command executes the pushed script on the VM as LocalSystem, not as the service account
Invoke-AzVMRunCommand -ResourceGroupName $rgname -Name $vmname -CommandId 'RunPowerShellScript' -ScriptPath ScriptToRun.ps1
Remove-Item -Path ScriptToRun.ps1

What the log from the script (the local script) says when I execute the runbook is that it can't find the certificate, which is not strange.

Raw output:

Found 0 certificates in the current user store
Found 0 certificates in the local machine store
No valid certificate found, using windows credentials
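The "Found 0 certificates" lines follow from the context Run Command executes in: on Windows the pushed script runs as LocalSystem, whose Cert:\CurrentUser store is not the service account's, so the certificate lookup in Tasktrigger.ps1 never sees the QlikClient certificate. The diagnostic script below is an added example, not code from the question or the answers. Pushed through the same Invoke-AzVMRunCommand call as in the question, it logs which identity actually ran it and in which stores the certificate is visible, which is the check to make before changing anything else. The log path and the thumbprint value are placeholders I assumed.

```powershell
# Added example (not from the question or answers): diagnostic script pushed to the VM
# with Invoke-AzVMRunCommand -CommandId 'RunPowerShellScript'. It records the identity
# Run Command executes under and whether the expected certificate is visible from there.
$DiagPath   = 'E:\Tools\Scripts\diag.txt'   # assumed log location
$Thumbprint = '<THUMBPRINT-PLACEHOLDER>'    # thumbprint of the QlikClient certificate (placeholder)

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$lines = @(
    "Run at        : $(Get-Date -Format o)"
    "Running as    : $($identity.Name)"      # expected: NT AUTHORITY\SYSTEM under Run Command
    "Is SYSTEM     : $($identity.IsSystem)"
    "Profile       : $env:USERPROFILE"
)

# Look in both stores so the log shows where (if anywhere) the certificate can be found
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $hits = @(Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint })
    $keys = ($hits | ForEach-Object { $_.HasPrivateKey }) -join ','
    $lines += "{0,-22}: {1} matching cert(s), private key present: {2}" -f $store, $hits.Count, $keys
}

$lines | Out-File -FilePath $DiagPath -Append
```

Reading the diag file after one runbook execution tells you two things at once: the account Qlik will see if no certificate is found (the identity line, which is the machine account on the network side, matching the domain\Servername$ observation in the accepted answer), and whether the certificate exists for that identity at all, with or without a private key. A certificate that is present but has no private key is as unusable for Connect-Qlik as a missing one.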


There are 2 answers

Gatewarden On BEST ANSWER

Used the code on GitHub for the module Qlik-Cli to backtrack the error message. Had to change the certificate and import the new one into the personal / machine store.

Also the default username when running it from outside the QlikServer is domain\Servername$, which means you have to change permissions on the account in QlikSense to allow it to execute tasks.

You can see the name if you use verbose logging to file once you have added the right certificate all the way.

Vbakke On

The Qlik-CLI module reads the client certificate, QlikClient, from cert:\CurrentUser\My.

So, if you are trying to run Qlik-CLI scripts as a different user than the Qlik Sense service user account (or on another machine), you need to log in as the service account, export the QlikClient certificate, including the private key, and install it under the user running the script.

The -UserName argument is just to tell Qlik who you want to be, given that you have the certificate in order.

To cut it short: Run the script as the Qlik service user. It will save you a lot of hassle. :)
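Vbakke's advice, run the script as the Qlik service user, can be followed from the runbook without exporting the private key at all: register a scheduled task once that runs Tasktrigger.ps1 as the service account, and let the script that Run Command pushes (which executes as LocalSystem) start that task and wait for it. The service account's own Cert:\CurrentUser\My store is then in scope, exactly as the product expects. This is an added example, not code from the answers or from Qlik-Cli; the task name, the service account name and the log path are placeholders I assumed, and the script path is the one from the question.

```powershell
# Added example (not from the answers): run Tasktrigger.ps1 as the Qlik service account
# from a Run Command context by going through a scheduled task.

# ---- Part 1: one-time registration, run interactively by an administrator on the VM ----
$TaskName       = 'Qlik-TaskTrigger'                 # assumed task name
$ServiceAccount = 'DOMAIN\svc-qlik'                  # assumed Qlik service account
$ScriptToRun    = 'E:\Tools\Scripts\Tasktrigger.ps1' # path from the question

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -File `"$ScriptToRun`""
# No trigger is attached: the task runs only when started explicitly by the runbook
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)
$cred = Get-Credential -UserName $ServiceAccount -Message 'Qlik service account password'
Register-ScheduledTask -TaskName $TaskName -Action $action -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited

# ---- Part 2: contents of the script the runbook pushes with Invoke-AzVMRunCommand ----
# This part executes as LocalSystem; it only starts the task and reports the outcome.
$TaskName = 'Qlik-TaskTrigger'                       # same assumed task name as above
$LogPath  = 'E:\Tools\Scripts\log.txt'               # assumed log location

Start-ScheduledTask -TaskName $TaskName
do {
    Start-Sleep -Seconds 5
    $task = Get-ScheduledTask -TaskName $TaskName
} while ($task.State -eq 'Running')

$info = Get-ScheduledTaskInfo -TaskName $TaskName
"$(Get-Date -Format o) task '$TaskName' finished, LastTaskResult=$($info.LastTaskResult) (0 = success)" |
    Out-File -FilePath $LogPath -Append
# Surface a failure to the runbook: Run Command reports a non-zero exit as a failed execution
if ($info.LastTaskResult -ne 0) {
    throw "Scheduled task '$TaskName' failed with code $($info.LastTaskResult)"
}
```

Part 1 replaces nothing in the runbook; it is done once on the VM, and Task Scheduler stores the service account's credential (for a group managed service account, build the task with New-ScheduledTaskPrincipal -UserId 'DOMAIN\gmsa$' -LogonType Password instead of -User/-Password). Part 2 is what goes into ScriptToRun.ps1 in place of the bare path. The design keeps the private key where the product already put it instead of spreading a PFX to additional profiles, and it avoids granting the machine account (domain\Servername$) task-execution rights in Qlik Sense, because Qlik only ever sees the service account.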