Forum Discussion
Key Vault + Azure Automation
We are currently working toward setting up Automation Accounts to replace our on-prem Orchestrator server and we were hoping to be able to make use of Automation Account managed identities to connect to Key Vaults to retrieve credentials. This works great if you have both the Automation Account and Key Vault enabled for Public network access, but when you use a Private Endpoint, the only way you can connect to the Key Vault is through use of a Hybrid Worker. This brings me to my questions:
1) Anyone at Microsoft - Are there any plans for making it possible to connect to Key Vaults with Automation Accounts using Private Endpoint without requiring a Hybrid worker?
2) Anyone at Microsoft - Are there any plans to make it possible to source Automation Account Credentials from a Key Vault? Essentially connecting to the Key Vault and then choosing the credentials from the Key Vault Secrets.
3) Anyone - Is anyone else using Automation Accounts and Key Vaults with Private Endpoints and how are you accomplishing what you need?
- TravisRoberts (Iron Contributor): I can't answer your questions about private endpoints, but I store credentials used by the runbooks in a credential shared resource in the automation account. The runbooks have access to the automation account credentials, which removes the need to access the Key Vault.
- agreca (Iron Contributor): Thanks for the reply. That's the feature that I would love Microsoft to integrate with Key Vault. Because currently, if your credentials change, you have to go into the Automation Account Credentials and update them manually. We're actually going to try setting something up where we have a "master" Automation Account set up that has access to a Key Vault and access to manage the Credentials in other Automation Accounts, and then have a scheduled job update the Credentials based on what's in Key Vault. Would be nice not to have to build that though. If Microsoft built an integration between the two areas, I could store my credentials in one place (Key Vault) and when those credentials change, I only have to update them in that place since the Automation Accounts would be referencing the Key Vault.
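The "master" account approach described in the reply above, and the credential-asset pattern TravisRoberts mentions, as an added PowerShell example that is not code from the thread or from Microsoft. It is a scheduled runbook that copies Key Vault secrets into the Credential assets of other Automation Accounts, so those accounts' runbooks keep using Get-AutomationPSCredential and never touch the vault. Assumptions: the Az.Accounts, Az.KeyVault and Az.Automation modules are imported into the master account; its system-assigned managed identity holds Key Vault Secrets User on the vault and Automation Contributor on each target account; each secret carries a tag named `username`; the vault, secret and account names are hypothetical. As the thread notes, the master runbook itself still needs network reach to the vault, so with a Private Endpoint it would run on a Hybrid Worker.

```powershell
# Added example (not from the thread): scheduled runbook in a "master" Automation Account that
# syncs Key Vault secrets into the Credential assets of other Automation Accounts.
# Assumed: Az.Accounts, Az.KeyVault, Az.Automation imported; managed identity has
# "Key Vault Secrets User" on the vault and "Automation Contributor" on target accounts;
# each secret has a "username" tag. All names below are hypothetical.

param(
    [string] $VaultName = 'kv-automation-secrets'   # hypothetical vault name
)

# Constructed mapping of vault secrets to the credential assets they feed.
$SyncMap = @(
    @{ SecretName = 'svc-sql'; CredentialName = 'svc-sql'; ResourceGroup = 'rg-automation'; AutomationAccount = 'aa-workload-1' },
    @{ SecretName = 'svc-ad';  CredentialName = 'svc-ad';  ResourceGroup = 'rg-automation'; AutomationAccount = 'aa-workload-2' }
)

# Authenticate as the master account's managed identity; no stored secret is involved.
Connect-AzAccount -Identity | Out-Null

function Sync-KeyVaultSecretToAutomationCredential {
    param([hashtable] $Entry)

    # Latest secret version. SecretValue is a SecureString and is never converted to plain text here.
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Entry.SecretName
    if (-not $secret) { throw "Secret '$($Entry.SecretName)' not found in vault '$VaultName'" }

    $userName = $secret.Tags['username']
    if ([string]::IsNullOrEmpty($userName)) { throw "Secret '$($Entry.SecretName)' has no 'username' tag" }

    $credential = New-Object System.Management.Automation.PSCredential ($userName, $secret.SecretValue)

    $existing = Get-AzAutomationCredential -ResourceGroupName $Entry.ResourceGroup `
        -AutomationAccountName $Entry.AutomationAccount -Name $Entry.CredentialName -ErrorAction SilentlyContinue

    if (-not $existing) {
        New-AzAutomationCredential -ResourceGroupName $Entry.ResourceGroup -AutomationAccountName $Entry.AutomationAccount `
            -Name $Entry.CredentialName -Value $credential `
            -Description "Synced from Key Vault secret $($Entry.SecretName)" | Out-Null
        return 'created'
    }

    # Only rewrite the asset when the vault copy is newer than the asset's last modification.
    $secretUpdatedUtc = $secret.Updated.ToUniversalTime()
    if ($secretUpdatedUtc -le $existing.LastModifiedTime.UtcDateTime) { return 'unchanged' }

    Set-AzAutomationCredential -ResourceGroupName $Entry.ResourceGroup -AutomationAccountName $Entry.AutomationAccount `
        -Name $Entry.CredentialName -Value $credential | Out-Null
    return 'updated'
}

foreach ($entry in $SyncMap) {
    $result = Sync-KeyVaultSecretToAutomationCredential -Entry $entry
    Write-Output "$($entry.AutomationAccount)/$($entry.CredentialName): $result"
}

# A runbook inside one of the target accounts then consumes the rotated value through the
# Credential asset, as TravisRoberts describes, with no Key Vault call of its own:
#   $cred = Get-AutomationPSCredential -Name 'svc-sql'
```

Scheduling this runbook shortly after each rotation window keeps the Credential assets current while Key Vault remains the single place where a password is changed. The timestamp comparison makes reruns cheap, and a failed lookup or missing `username` tag throws so the job shows as failed in the Automation job history rather than silently writing a bad credential.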
- agreca (Iron Contributor): Thanks for the reply, but this doesn't fix the fact that Automation Accounts cannot connect to Key Vaults over Private Endpoints except through a Hybrid Worker. We opened up a case with Microsoft and they confirmed this.