
Start and stop Azure VMs without access to Microsoft Azure

Imagine you want to provide specific users with the ability to start and stop VMs, but you do not want to provide access for them to the Azure portal. Then you can use Azure Automation with webhooks.

First create an Azure Automation account in the region of your choice. Make sure that the option “Create Azure Run As account” is enabled.

After the Automation account has been created, go to the VMs the user will work with and add tags to them. For example, use a tag that specifies the owner of the VM so the runbook can filter on it later.

Now create the scripts for the VM start and the VM stop actions.

Start VM

# Sign in with the Automation account's Run As service principal
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
$null = Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
# Select resources whose "owner" tag is exactly "daneum". Looking the tag up by key avoids matching
# a resource that has a different owner and some other tag that happens to carry the value "daneum".
$VMs = Get-AzureRmResource | Where-Object { $_.Tags -and $_.Tags["owner"] -eq "daneum" }
foreach ($VM in $VMs) {
    # Tags can be set on any resource type, so keep only virtual machines
    if ($VM.ResourceType -eq "Microsoft.Compute/virtualMachines") {
        Start-AzureRmVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -Verbose
    }
}

Stop VM

# Sign in with the Automation account's Run As service principal
$connectionName = "AzureRunAsConnection"
$servicePrincipalConnection = Get-AutomationConnection -Name $connectionName
$null = Add-AzureRmAccount -ServicePrincipal -TenantId $servicePrincipalConnection.TenantId -ApplicationId $servicePrincipalConnection.ApplicationId -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
# Same owner-tag lookup as in the start runbook: the "owner" tag itself must equal "daneum"
$VMs = Get-AzureRmResource | Where-Object { $_.Tags -and $_.Tags["owner"] -eq "daneum" }
foreach ($VM in $VMs) {
    # Tags can be set on any resource type, so keep only virtual machines
    if ($VM.ResourceType -eq "Microsoft.Compute/virtualMachines") {
        # -Force skips the confirmation prompt, which a runbook cannot answer
        Stop-AzureRmVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -Force -Verbose
    }
}

The next step is to upload the scripts into the Automation account to create the runbooks.

Publish them and create a webhook for each of them.

Set an appropriate expiration date and make sure you have copied the webhook URL. The URL is shown only once; after you hit OK it cannot be retrieved, and if you lose it you have to create a new webhook. Treat the URL like a password: whoever has it can trigger the runbook.
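The two runbooks above differ only in the owner value and the Start/Stop cmdlet. The following added example (my code, not the post's) folds them into one runbook: $Owner and $Action are runbook parameters whose values are fixed when each webhook is created, so the caller of a webhook cannot pick another owner or action, and the automatic $WebhookData parameter is used to refuse any start that did not come through a webhook and to log which webhook fired. It assumes the same Run As connection name and "owner" tag as the post.

```powershell
# Added example (not from the original post): one runbook for both actions.
# $Owner and $Action are bound to fixed values when the webhook is created,
# so the webhook URL alone decides which owner's VMs may be started or stopped.
param(
    [Parameter(Mandatory = $true)]
    [string]$Owner,

    [Parameter(Mandatory = $true)]
    [ValidateSet('Start', 'Stop')]
    [string]$Action,

    # Filled in by Azure Automation when the runbook is triggered via webhook
    [object]$WebhookData
)

# Run only when triggered by a webhook, and record which one for the job log
if (-not $WebhookData) {
    throw "This runbook only runs from a webhook."
}
Write-Output ("Triggered by webhook '{0}' for owner '{1}', action '{2}'" -f `
    $WebhookData.WebhookName, $Owner, $Action)

$servicePrincipalConnection = Get-AutomationConnection -Name 'AzureRunAsConnection'
$null = Add-AzureRmAccount -ServicePrincipal `
    -TenantId $servicePrincipalConnection.TenantId `
    -ApplicationId $servicePrincipalConnection.ApplicationId `
    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

# Ask only for VMs, then keep those whose 'owner' tag is exactly $Owner.
# Indexing the tag hashtable by key avoids matching a resource that merely
# has some 'owner' tag and some other tag carrying the value.
$VMs = Get-AzureRmResource -ResourceType 'Microsoft.Compute/virtualMachines' |
    Where-Object { $_.Tags -and $_.Tags['owner'] -eq $Owner }

if (-not $VMs) {
    Write-Output "No VMs tagged owner=$Owner found; nothing to do."
    return
}

foreach ($VM in $VMs) {
    Write-Output ("{0} VM {1} in {2}" -f $Action, $VM.Name, $VM.ResourceGroupName)
    switch ($Action) {
        'Start' { Start-AzureRmVM -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name }
        'Stop'  { Stop-AzureRmVM  -ResourceGroupName $VM.ResourceGroupName -Name $VM.Name -Force }
    }
}
```

Create one webhook per owner and action (for example "daneum-start" with Owner=daneum, Action=Start) and hand each user only the URLs for their own webhooks; the job output then shows which webhook started or stopped which VM.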

Before you test the webhook call, you have to import the AzureRM.Tags module from the gallery. That alone is not enough: you also have to update the modules AzureRM.Profile, AzureRM.Resources and AzureRM.Compute so that they have the same version as the newly imported AzureRM.Tags module. If you do not do that, your runbooks will not run.

Finally, create the PowerShell scripts the user will run to call the webhooks.

Start VM

Invoke-WebRequest -Method Post -Uri https://s5events.azure-automation.net/webhooks?token=xxxxxxxx

Stop VM

Invoke-WebRequest -Method Post -Uri https://s5events.azure-automation.net/webhooks?token=yyyyyyyy

The option -Method with the value Post is important, because Azure Automation webhooks can only be called with the POST method.

Now run the PowerShell script for the VM start to call the webhook.

You are now ready to hand the webhook-calling PowerShell scripts to the user, who needs no access to the Azure subscription at all.
