How to execute a kubectl command in a PowerShell Runbook?

Niccolo 0 Reputation points
2025-02-25T22:28:13.9733333+00:00

We are trying to use an Azure Automation Runbook to interact with an Azure Kubernetes Service (AKS) cluster using a System Assigned Managed Identity. The goal is to auto-restart a deployment in a specific namespace at 23.59 every night.
Description:

We are trying to use an Azure Automation Runbook to interact with an Azure Kubernetes Service (AKS) cluster using a System Assigned Managed Identity.

What We Are Trying to Do:

  • Authenticate using Managed Identity in a PowerShell Runbook.
  • Execute az aks command invoke to restart a Kubernetes deployment.

What We Have Tried:

  1. Enabled System Assigned Managed Identity in our Automation Account.
  2. Assigned the Contributor role to the Managed Identity at both:
     • Resource Group Level
     • AKS Cluster Level
  3. Verified role assignments using:

        az role assignment list --assignee <MANAGED_IDENTITY_OBJECT_ID>

     The output confirms the identity has Contributor access.
  4. Used the following Runbook Script:

        # Authenticate using Managed Identity
        $AzureContext = (Connect-AzAccount -Identity -ErrorAction Stop).Context

        # Set Subscription Context
        Set-AzContext -SubscriptionId $AzureContext.Subscription.Id -ErrorAction Stop

        # Verify Access to AKS
        az aks show --resource-group "RESOURCE_GROUP_NAME" --name "AKS_CLUSTER_NAME"

Issue We Are Facing:

  • The Runbook fails with the following error:

        ERROR:

  • Despite using Connect-AzAccount -Identity, the Runbook does not seem to authenticate properly.
  • Running the same script locally (outside of the Runbook) works without issues.

Additional Debugging Steps We Have Taken:

  • Ensured the Automation Account has outbound network access to:
    • management.azure.com
    • login.microsoftonline.com
    • *.azmk8s.io
  • Restarted the Managed Identity and reassigned roles.
  • Checked Azure Automation logs for additional errors.

Question:

How can we resolve this authentication issue in Azure Automation? Is there a specific dependency, permission, or configuration required to allow Connect-AzAccount -Identity to work correctly in a Runbook?
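The following is an added example and is not part of the question or any answer on this page. It shows the nightly restart written with Az PowerShell only, so that the managed-identity sign-in and the kubectl call share one token. Two points worth knowing when reading it: Connect-AzAccount -Identity signs in the Az PowerShell modules and nothing else, so a following az CLI call (az aks show, az aks command invoke) has no credential unless the CLI is separately signed in with az login --identity, and only runbook runtimes that ship the CLI at all can run it; and Invoke-AzAksRunCommand is the Az.Aks cmdlet equivalent of az aks command invoke, so the restart can be done without the CLI. The resource group, cluster, namespace and deployment names are placeholders (assumptions), and the script assumes the Automation Account has the Az.Accounts and Az.Aks modules imported.

```powershell
# Added example (not from the question): nightly deployment restart from an Azure Automation
# PowerShell runbook using only Az PowerShell, so Connect-AzAccount -Identity is the single login.
# Assumes the Az.Accounts and Az.Aks modules are imported into the Automation Account and that
# the parameter defaults below are replaced with real names (they are placeholders).

param(
    [string]$ResourceGroupName = 'RESOURCE_GROUP_NAME',
    [string]$ClusterName       = 'AKS_CLUSTER_NAME',
    [string]$Namespace         = 'NAMESPACE',
    [string]$DeploymentName    = 'DEPLOYMENT_NAME'
)

$ErrorActionPreference = 'Stop'

# Do not inherit a context saved by some other job; the system-assigned managed identity is the
# only credential this runbook should ever use.
Disable-AzContextAutosave -Scope Process | Out-Null
$azureContext = (Connect-AzAccount -Identity).Context
Set-AzContext -SubscriptionId $azureContext.Subscription.Id | Out-Null
Write-Output "Signed in as $($azureContext.Account.Id) (account type: $($azureContext.Account.Type))"

# The names end up inside a command string executed in the cluster, so validate them as
# DNS-1123 names instead of interpolating whatever the parameters contain.
foreach ($name in @($Namespace, $DeploymentName)) {
    if ($name -notmatch '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$') {
        throw "Refusing to run: '$name' is not a valid Kubernetes resource name"
    }
}

# Control-plane check with the same token (Az equivalent of 'az aks show'). If this fails, the
# problem is ARM-side: identity, role assignment or network egress to management.azure.com.
$cluster = Get-AzAksCluster -ResourceGroupName $ResourceGroupName -Name $ClusterName
Write-Output "Cluster $($cluster.Name) provisioning state: $($cluster.ProvisioningState)"

# Az equivalent of 'az aks command invoke': AKS runs the command in a pod inside the cluster.
# With Microsoft Entra integration enabled the kubectl call runs as the calling identity, so the
# managed identity also needs Kubernetes RBAC on the namespace (for example the
# "Azure Kubernetes Service RBAC Writer" role scoped to the namespace); ARM Contributor alone
# lets it start the command but not act inside the cluster.
$command = "kubectl -n $Namespace rollout restart deployment/$DeploymentName && " +
           "kubectl -n $Namespace rollout status deployment/$DeploymentName --timeout=300s"

$result = Invoke-AzAksRunCommand -ResourceGroupName $ResourceGroupName -Name $ClusterName `
                                 -Command $command -Force

Write-Output $result.Logs
if ($result.ProvisioningState -ne 'Succeeded' -or $result.ExitCode -ne 0) {
    # Throw so the Automation job ends in Failed and shows up in job history and alerts,
    # instead of a silently "Completed" job that restarted nothing.
    throw "Restart of $Namespace/$DeploymentName failed: state=$($result.ProvisioningState) exitCode=$($result.ExitCode)"
}
```

Link the runbook to an Automation schedule for 23:59 and pass the namespace and deployment as schedule parameters rather than hard-coding them. On permissions, Contributor at resource-group scope is more than this job needs: the command-invoke path requires the Microsoft.ContainerService/managedClusters/runcommand/action and Microsoft.ContainerService/managedclusters/commandResults/read ARM actions on the cluster plus read access to it, and the in-cluster side is governed by Kubernetes RBAC as noted in the comments, so a narrow custom role on the cluster plus a namespace-scoped RBAC binding is the least-privilege shape.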

Azure Automation
An Azure service that is used to automate, configure, and install updates across hybrid environments.