How to execute a kubectl command in a PowerShell Runbook?

Niccolo 20 Reputation points
2025-02-25T22:28:13.9733333+00:00

We are trying to use an Azure Automation Runbook to interact with an Azure Kubernetes Service (AKS) cluster using a System Assigned Managed Identity. The goal is to auto-restart a deployment in a specific namespace at 23.59 every night.



What We Are Trying to Do:

  • Authenticate using Managed Identity in a PowerShell Runbook.
  • Execute az aks command invoke to restart a Kubernetes deployment.

What We Have Tried:

  1. Enabled System Assigned Managed Identity in our Automation Account.
  2. Assigned the Contributor role to the Managed Identity at both:
     • Resource Group Level
     • AKS Cluster Level
     Verified role assignments using:

```bash
az role assignment list --assignee <MANAGED_IDENTITY_OBJECT_ID>
```

     The output confirms the identity has Contributor access.
  3. Used the following Runbook Script:

```powershell
# Authenticate using Managed Identity
$AzureContext = (Connect-AzAccount -Identity -ErrorAction Stop).Context

# Set Subscription Context
Set-AzContext -SubscriptionId $AzureContext.Subscription.Id -ErrorAction Stop

# Verify Access to AKS
az aks show --resource-group "RESOURCE_GROUP_NAME" --name "AKS_CLUSTER_NAME"
```

Issue We Are Facing:

  • The Runbook fails with the following error:

    ERROR:

  • Despite using Connect-AzAccount -Identity, the Runbook does not seem to authenticate properly.
  • Running the same script locally (outside of the Runbook) works without issues.

Additional Debugging Steps We Have Taken:

  • Ensured Automation Account has outbound network access to:
    • management.azure.com
    • login.microsoftonline.com
    • *.azmk8s.io
  • Restarted Managed Identity and reassigned roles.
  • Checked Azure Automation logs for additional errors.

Question:

How can we resolve this authentication issue in Azure Automation? Is there a specific dependency, permission, or configuration required to allow Connect-AzAccount -Identity to work correctly in a Runbook?

Azure Automation

Accepted answer
    Ashok Gandhi Kotnana 3,975 Reputation points Microsoft Vendor
    2025-02-26T09:08:33.1266667+00:00

    Hi @Niccolo ,

    Welcome to Microsoft Q&A Forum, thank you for posting your query here!

    Please follow the instructions below for this to work. Add the two lines to the runbook as mentioned. I see you have enabled the managed identity, so I'm providing a step-by-step process for clarity.

    1. Please enable the managed identity of your automation account and keep it on.
    2. Once you have enabled it, copy the managed identity into IAM and give that identity Contributor access (see the screenshot below); please assign it to the appropriate managed identity.
    3. Please add the below script before you run any commands.

    Please add these 2 lines to your runbook.

```powershell
# Connect to Azure with system-assigned managed identity
$AzureContext = (Connect-AzAccount -Identity).context

# set and store context
$AzureContext = Set-AzContext -SubscriptionName $AzureContext.Subscription -DefaultProfile $AzureContext
```

    In my example I have used Get-AzVM; you can use whatever commands you want to. Please find the output screenshot for Get-AzVM below.

    Let us know if you have any further queries. I'm happy to assist you further.

    Please provide your valuable comments.

    Please do not forget to "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
    No comments
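A complete runbook for the nightly restart described in the question, added here as an example (it is not the asker's script or the accepted answer's code). It uses the Az.Aks cmdlet Invoke-AzAksRunCommand, the PowerShell counterpart of az aks command invoke, because Connect-AzAccount signs in Az PowerShell only: the az CLI keeps its own session and would need its own az login --identity inside the runbook. The resource group, cluster, namespace and deployment names are placeholders, the Az.Aks module is assumed to be imported into the Automation account, and the ExitCode/Logs properties of the result are assumed from the cmdlet's output type.

```powershell
# Added example runbook (not from the question or the accepted answer).
# Placeholders: replace the four default values with your own names.
param(
    [string]$ResourceGroupName = 'RESOURCE_GROUP_NAME',
    [string]$ClusterName       = 'AKS_CLUSTER_NAME',
    [string]$Namespace         = 'NAMESPACE',
    [string]$DeploymentName    = 'DEPLOYMENT_NAME'
)
$ErrorActionPreference = 'Stop'

# Do not inherit a context from the sandbox; sign in as the system-assigned
# managed identity and pin the subscription that owns the cluster.
Disable-AzContextAutosave -Scope Process | Out-Null
$AzureContext = (Connect-AzAccount -Identity).Context
$AzureContext = Set-AzContext -SubscriptionId $AzureContext.Subscription.Id `
                              -DefaultProfile $AzureContext

# Validate the names before they are interpolated into a command line: the
# run-command API executes the string verbatim inside the cluster, so only
# DNS-label-style Kubernetes names are accepted (case-sensitive match).
$namePattern = '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
foreach ($v in $Namespace, $DeploymentName) {
    if ($v -cnotmatch $namePattern) { throw "Invalid Kubernetes name: '$v'" }
}

# kubectl runs inside the cluster via the run-command API, so no kubeconfig
# and no kubectl binary are needed in the Automation sandbox. Contributor on
# the cluster covers the Microsoft.ContainerService/managedClusters/runcommand
# action; restart and then wait for the rollout to complete.
$cmd = "kubectl rollout restart deployment/$DeploymentName -n $Namespace && " +
       "kubectl rollout status deployment/$DeploymentName -n $Namespace --timeout=300s"
$result = Invoke-AzAksRunCommand -ResourceGroupName $ResourceGroupName `
                                 -Name $ClusterName -Command $cmd

# Surface the in-cluster output in the job stream and fail the job on error,
# so a broken restart shows up as a failed runbook run rather than a silent success.
Write-Output $result.Logs
if ($result.ExitCode -ne 0) {
    throw "kubectl command failed inside the cluster (exit code $($result.ExitCode))"
}
```

Link this runbook to a daily schedule at 23:59 in the Automation account; the job history then records each restart and any non-zero exit code from kubectl.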

0 additional answers
