Variables in Azure Automation
Azure Automation Variables as Shared Resources
Shared Resources in Azure Automation allow us to reuse credentials, modules, schedules, connections, certificates and variables, which will be the main focus of this post.
To better understand the importance of shared resources and variables in Azure Automation let’s go through a practical example. I have a runbook pulling data from a web service which requires referencing an API secret as part of the process to obtain an authentication token.
When running the script through a scheduled task or through on-prem System Center Orchestrator, you would either need to store the key in plain text in the script itself or use the methods described in my post Store Credentials in PowerShell Script:
# Plain text
[string]$apiSecret = '14??!==AbZyC78mk'
# Use New-StringDecryption cmdlet from IT-ToolBox module
New-StringDecryption -EncryptedString $apiSecret
While both approaches work, neither is without drawbacks from a security standpoint. Another consideration is that the secret key could change at some point and, if a large number of scripts/runbooks use it, we would need to update the code of every solution using it. This is where Azure Automation variables come into play.
Azure Automation Variables Types
Azure Automation supports two kinds of variables, Encrypted and Unencrypted, with the following data types being supported:
- Integers
- Strings
- DateTime
- Boolean
- Null
Full documentation is available here.
Unencrypted variables
As the name implies, unencrypted variables are stored in Azure with their values visible to both runbooks/scripts and administrators.
An unencrypted variable can be created in the Azure portal by going to [Automation Account] / [Shared Resources] / [Variables] and selecting Add Variable, being sure to select No under the Encrypted section.
Note: Typo in the above variable value is intended.
The same operation can be achieved via PowerShell assuming the Az module is installed on the system:
$paramNewAzAutomationVariable = @{
    ResourceGroupName = $azResourceGroup
    AutomationAccountName = $azAccount
    Name = 'Test Variable'
    Encrypted = $false
    Value = 'Test Value'
}
New-AzAutomationVariable @paramNewAzAutomationVariable
# Output
Value : Test Value
Encrypted : False
ResourceGroupName : Dev-PsCustomObject-AutomationRsg
AutomationAccountName : Dev-PsCustomObject
Name : Test Variable
CreationTime : 26.09.2020 17:53:23 +02:00
LastModifiedTime : 26.09.2020 17:53:23 +02:00
Description :
Once the variable has been created it will be visible in the console:
As you can see, the value of the variable is visible both in the PowerShell output and in the Value column of the variables blade in the Azure Portal. We will discuss this in more detail in a minute.
Encrypted variables
Creating encrypted variables is identical in terms of steps in the console; via PowerShell it simply requires us to specify the -Encrypted $True parameter.
$paramNewAzAutomationVariable = @{
    ResourceGroupName = $azResourceGroup
    AutomationAccountName = $azAccount
    Name = 'Test Encrypted Variable'
    Encrypted = $true
    Value = 'Test Value'
}
New-AzAutomationVariable @paramNewAzAutomationVariable
# Output
Value :
Encrypted : True
ResourceGroupName : Dev-PsCustomObject-AutomationRsg
AutomationAccountName : Dev-PsCustomObject
Name : Test Encrypted Variable
CreationTime : 26.09.2020 18:51:53 +02:00
LastModifiedTime : 26.09.2020 18:51:53 +02:00
Description :
As you can see, when creating an encrypted variable the Value is omitted in the output. In the variables blade it will be displayed like this:
This is the expected behaviour, as encrypted variables are secured with a unique key generated for each automation account. It goes without saying that encrypted variables are more secure by nature, but it has to be kept in mind that, once they have been created, their values cannot be seen, only updated.
Update and Retrieve Azure Automation variable values
Now that we know how to create Azure Automation variables, let’s see how to work with them and update their values. Recall I had a typo in the unencrypted variable, a trailing ‘[’ character; let’s fix that from the console
Or from PowerShell:
$paramSetAzAutomationVariable = @{
    ResourceGroupName = $azResourceGroup
    AutomationAccountName = $azAccount
    Name = 'Test Variable'
    Value = 'Setting new value from PowerShell'
    Encrypted = $False
}
Set-AzAutomationVariable @paramSetAzAutomationVariable
Value : Setting new value from PowerShell
Encrypted : False
ResourceGroupName : Dev-PsCustomObject-AutomationRsg
AutomationAccountName : Dev-PsCustomObject
Name : Test Variable
CreationTime : 26.09.2020 17:53:23 +02:00
LastModifiedTime : 26.09.2020 19:08:28 +02:00
Description : Fixed typo in value
When working with an encrypted variable things are slightly different. Encrypted variables can only have their value updated, never shown. To do so, simply click the Edit value button and then save it.
From PowerShell the command is not much different but, again, we will not get the value back from the cmdlet:
$paramSetAzAutomationVariable = @{
    ResourceGroupName = $azResourceGroup
    AutomationAccountName = $azAccount
    Name = 'Test Encrypted Variable'
    Value = 'Setting new value from PowerShell'
    Encrypted = $true
}
Set-AzAutomationVariable @paramSetAzAutomationVariable
Value :
Encrypted : True
ResourceGroupName : Dev-PsCustomObject-AutomationRsg
AutomationAccountName : Dev-PsCustomObject
Name : Test Encrypted Variable
CreationTime : 26.09.2020 18:51:53 +02:00
LastModifiedTime : 26.09.2020 19:14:46 +02:00
Description
Getting Variable Values
Up to this point we’ve seen how to create and update Azure Automation variables; let’s explore how to get the values of configured variables. The Az module provides a cmdlet for this purpose:
Get-AzAutomationVariable -ResourceGroupName $azResourceGroup -AutomationAccountName $azAccount -Name 'Test Variable'
Value : Setting new value from PowerShell
Encrypted : False
ResourceGroupName : Dev-PsCustomObject-AutomationRsg
AutomationAccountName : Dev-PsCustomObject
Name : Test Variable
CreationTime : 26/09/2020 17:53:23 +02:00
LastModifiedTime : 26/09/2020 19:08:28 +02:00
Description : Fixed typo in value
Note: Omitting the -Name parameter will return all configured variables
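Because unencrypted values are returned to anyone who can list the variables, it is worth checking an account for secrets stored that way. The following is an added example, not code from the original post; the function name Find-ExposedAutomationVariable and both patterns are assumptions made for illustration.

```powershell
# Added example (not from the original post): report unencrypted variables
# that look like they hold secrets. The name/value patterns are illustrative
# heuristics chosen for this example; tune them for your environment.
function Find-ExposedAutomationVariable {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName
    )

    $namePattern  = 'secret|passw|pwd|token|api.?key|credential'
    # Long unbroken strings mixing letters and digits resemble keys.
    $valuePattern = '^(?=.*[A-Za-z])(?=.*\d)\S{16,}$'

    $scope = @{
        ResourceGroupName     = $ResourceGroupName
        AutomationAccountName = $AutomationAccountName
    }

    # Without -Name the cmdlet returns every variable in the account.
    foreach ($variable in Get-AzAutomationVariable @scope) {
        if ($variable.Encrypted) { continue }   # value is never returned

        $reasons = @()
        if ($variable.Name -match $namePattern) { $reasons += 'name' }
        if ([string]$variable.Value -match $valuePattern) { $reasons += 'value' }

        if ($reasons.Count -gt 0) {
            # Deliberately omit Value so the report does not leak it again.
            [pscustomobject]@{
                Name             = $variable.Name
                MatchedOn        = $reasons -join ','
                LastModifiedTime = $variable.LastModifiedTime
            }
        }
    }
}

Find-ExposedAutomationVariable -ResourceGroupName $azResourceGroup -AutomationAccountName $azAccount
```

Any variable reported here is a candidate for being re-created as encrypted and having its secret rotated.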
As I mentioned, it is not possible to retrieve the values of encrypted variables this way; they are only available within the runbook at runtime via the Get-AutomationVariable cmdlet. Using the Test Encrypted Variable as an example, I’ve created a small script that will show this behaviour:
$encryptedVariableValue = Get-AutomationVariable -Name 'Test Encrypted Variable'
Write-Output "The encrypted variable value is: $encryptedVariableValue"
And here is the result from the Azure Automation test pane:
As simple as that; the same snippet can be used in production scripts to safely reference secrets in our scripts.
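For the scenario from the start of the post (a runbook that needs an API secret to obtain an authentication token), a production runbook would read the encrypted variable but keep it out of the job output. This is an added example, not code from the original post; the variable names 'Api Client Id' and 'Api Secret', the token endpoint URL, the request fields and the access_token response property are all hypothetical.

```powershell
# Added example runbook (not from the original post).
# Assumptions: the variable names, the token endpoint and the request/response
# fields below are hypothetical placeholders for your own web service.
$ErrorActionPreference = 'Stop'

# Get-AutomationVariable only exists inside the Azure Automation sandbox;
# it returns the decrypted value of an encrypted variable at runtime.
$clientId  = Get-AutomationVariable -Name 'Api Client Id'   # unencrypted
$apiSecret = Get-AutomationVariable -Name 'Api Secret'      # encrypted

if ([string]::IsNullOrWhiteSpace($apiSecret)) {
    throw "Automation variable 'Api Secret' is missing or empty."
}

$tokenRequest = @{
    Uri         = 'https://api.example.com/oauth/token'   # hypothetical endpoint
    Method      = 'Post'
    ContentType = 'application/x-www-form-urlencoded'
    Body        = @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $apiSecret
    }
}

try {
    $token = (Invoke-RestMethod @tokenRequest).access_token
}
catch {
    # Report the failure without echoing the request body, which holds the secret.
    throw "Token request failed: $($_.Exception.Message)"
}
finally {
    # Drop the plain-text copies as soon as they are no longer needed.
    Remove-Variable -Name apiSecret, tokenRequest -ErrorAction SilentlyContinue
}

# Job output streams are stored with the job and visible in the portal,
# so log only non-sensitive facts, never the secret or the token itself.
Write-Output "Token acquired for client '$clientId' (length $($token.Length))."
```

Unlike the test-pane snippet above, this version never writes the decrypted value to an output stream, so it does not end up in the job history.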