Sensitive data stored in plaintext variables poses a significant security risk. Encrypted variables provide an added layer of protection, ensuring that even if unauthorized access occurs, your critical data remains safe. This script automates the conversion of non-encrypted variables into encrypted ones, reducing manual effort and ensuring consistency across your Automation environment.
The script follows a straightforward yet effective approach:
- Retrieve Variables: Gathers all variables in a specified Azure Automation Account.
- Check Encryption: Identifies any variables that are not encrypted.
- Automate Encryption: Removes non-encrypted variables and recreates them with encryption enabled.
- Log Progress: Provides clear, detailed logs throughout the process for full transparency.
Even after encryption, the way variables are read inside your runbooks (using Get-AutomationVariable) remains the same, so no modifications are required for your existing runbooks. The one exception is code that reads variable values with Get-AzAutomationVariable: that cmdlet does not return the value of an encrypted variable, so any such code must switch to Get-AutomationVariable inside the runbook.
Before running the script, ensure the following requirements are met:
- Azure PowerShell Module: Install the Az.Automation module by running the following command:
  Install-Module -Name Az.Automation -Force -AllowClobber
- Azure Permissions: The user (or Managed Identity) running the script must have sufficient permissions to read, delete, and recreate the Azure Automation variables.
- Authentication: Log in to Azure using Connect-AzAccount:
  Connect-AzAccount
Below is the PowerShell script you can use to automate this process (I have also attached the digitally signed script via the zip file):
PowerShell script to convert non-encrypted variables in an Azure Automation Account to encrypted variables - GitHub
- Set Up the Script: Copy the script into your preferred PowerShell editor or upload it to an Azure Automation runbook.
- Provide Input Parameters: Specify the Azure Resource Group and Automation Account names as input parameters.
- Run the Script:
  - Within Azure Automation: Trigger it as a runbook.
  - Externally: Execute it from any environment with the Az.Automation module installed.
- Verify Results: Confirm all variables are encrypted by reviewing them in the Azure portal or using PowerShell (in the example below, replace the Resource Group Name and Automation Account Name with your own):
  Get-AzAutomationVariable -ResourceGroupName <resourcegroupname> -AutomationAccountName <automationaccountname>
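The following is an added example of the retrieve / check / remove-and-recreate / verify procedure described above, written by me for this page; it is not the author's signed script from the GitHub link. It assumes the Az.Automation module is installed and Connect-AzAccount has already succeeded, and the function and parameter names are my own. Because the only way to convert a variable is to delete it and recreate it, the value and description are captured first, and a failed recreate falls back to restoring the original plaintext variable so nothing is silently lost. The function supports -WhatIf so you can see which variables would be touched before changing anything.

```powershell
# Added example, not the post's own script.
# Assumes: Az.Automation installed, Connect-AzAccount already run, and the
# identity has read/delete/create rights on Automation variables.

function Convert-AutomationVariableToEncrypted {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName
    )

    # 1. Retrieve every variable in the account.
    $all = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                                    -AutomationAccountName $AutomationAccountName

    # 2. Keep only the ones that are not encrypted.
    $plain = @($all | Where-Object { -not $_.Encrypted })
    if ($plain.Count -eq 0) {
        Write-Output "All $(@($all).Count) variables are already encrypted."
        return
    }
    Write-Output "Found $($plain.Count) non-encrypted variable(s): $($plain.Name -join ', ')"

    foreach ($v in $plain) {
        # Capture value and description before the destructive step. Once the
        # variable is encrypted, Get-AzAutomationVariable can no longer return its value.
        # Note: the value round-trips through the service's JSON serialization, so
        # plain strings, numbers and booleans are preserved; check complex objects manually.
        $name  = $v.Name
        $value = $v.Value
        $desc  = if ($v.Description) { $v.Description } else { '' }

        if (-not $PSCmdlet.ShouldProcess($name, 'Delete and recreate as an encrypted variable')) {
            continue
        }

        try {
            # 3a. Remove the plaintext variable.
            Remove-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                -AutomationAccountName $AutomationAccountName -Name $name -ErrorAction Stop

            # 3b. Recreate it with the same name, value and description, encrypted.
            New-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                -AutomationAccountName $AutomationAccountName -Name $name `
                -Value $value -Description $desc -Encrypted $true -ErrorAction Stop | Out-Null

            Write-Output "Encrypted variable '$name'."
        }
        catch {
            Write-Error "Failed to convert '$name': $($_.Exception.Message)"
            # Rollback: if the delete succeeded but the create did not, restore the
            # original plaintext variable so runbooks keep working. The value itself is
            # deliberately never written to the log.
            try {
                New-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                    -AutomationAccountName $AutomationAccountName -Name $name `
                    -Value $value -Description $desc -Encrypted $false -ErrorAction Stop | Out-Null
                Write-Warning "Restored '$name' as a non-encrypted variable; rerun after fixing the error."
            }
            catch {
                Write-Warning "Could not restore '$name'; recreate it manually from your own records."
            }
        }
    }
}

# 4. Verify: returns $true when no plaintext variables remain, $false otherwise.
function Test-AutomationVariablesEncrypted {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $AutomationAccountName
    )
    $remaining = @(Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
                        -AutomationAccountName $AutomationAccountName |
                   Where-Object { -not $_.Encrypted })
    if ($remaining.Count -gt 0) {
        Write-Warning "Still non-encrypted: $($remaining.Name -join ', ')"
        return $false
    }
    return $true
}

# Usage (placeholders; substitute your own names):
#   Convert-AutomationVariableToEncrypted -ResourceGroupName '<resourcegroupname>' `
#       -AutomationAccountName '<automationaccountname>' -WhatIf   # dry run first
#   Convert-AutomationVariableToEncrypted -ResourceGroupName '<resourcegroupname>' `
#       -AutomationAccountName '<automationaccountname>'
#   Test-AutomationVariablesEncrypted -ResourceGroupName '<resourcegroupname>' `
#       -AutomationAccountName '<automationaccountname>'
```

Run the -WhatIf pass first so the list of variables that will be deleted and recreated is visible before any change is made; if the account's variables hold values that runbooks depend on during the run, schedule the conversion for a window when no jobs are executing, since a variable briefly does not exist between the remove and the create.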
By automating the encryption process, this script offers a simple, scalable, and secure way to protect sensitive data in Azure Automation. Even better, your existing runbooks require no changes: encrypted variables are accessed from a runbook in exactly the same way as non-encrypted ones.
Whether you manage a handful of variables or an enterprise-scale environment, this tool ensures your variable values are stored encrypted with minimal effort. Don’t leave your sensitive data unprotected: run this script today and take a proactive step toward securing your Azure Automation variables.