Use signed Azure Automation Runbooks with Linux Hybrid Runbook Workers

I sprained my hand yesterday so won’t be able to type in detail for this one.

I have a Runbook running on a Linux Hybrid Runbook Worker. It is quite sensitive (it handles passwords etc.), so I wanted to lock it down such that only the Runbook script I create gets executed and no one (not even someone with access to the Automation Account) can modify the script or create a new one and get at the passwords. The way to do this is to sign the Runbook script and have Automation execute only validly signed scripts.

I was expecting this to be more work (like getting a code signing cert maybe) but it turned out to be quite straightforward.

Official MS instructions are at this link. Those assume you have an Agent based Hybrid Runbook Worker while I have an Extension based one. Also, those instructions generate the private and public keys on the Hybrid Runbook Worker VM itself and sign things there, whereas I wanted to keep the private key on my machine so I can easily sign stuff and upload to Azure.

First step: generate a new key for yourself. I am on macOS so I do the following: gpg --generate-key

Now let’s export the public key:

This will output the key in ASCII to the terminal. We’ll come back to this.

On the Worker VM run the following:

I am using a different account compared to the official instructions because this is what Extension based Workers use. Stick with the official instructions if you are Agent based.

I copy-pasted the key from my machine to a file – let’s call it import.gpg. Then I imported it:

So now my Worker has my public key. I can verify it thus:

Next I opened up this file in an editor: /home/hweautomation/state/worker.conf and changed these lines:

As you can see I am enabling signature validation and also telling the worker the location to my public keyring. The latter contains my public key of course.

That’s it, now I can sign my script on the work machine thus:

This creates a file with a .asc extension. Example:

Notice the one line of PowerShell surrounded by a signature. This is signed with my private key, which is only present on my work machine, so no one else should be able to sign a script as me. If I run this in the Runbook it will verify the signature and only then execute it.

If you want to see this in action the following command should help:

It shows the output of the Worker log file and you can see it checking for signatures when you submit something. If the signature doesn’t match the Portal throws an error and you can see it in these logs too.
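The whole workflow above, reproduced end-to-end with throwaway keys in temporary GnuPG homes, as an added example (not code from the original post): one home stands in for the work machine, the other for the Worker account's keyring, and a one-character edit to the signed text makes verification fail. It assumes gpg 2.1 or later on PATH; the identity, script contents and file names are constructed.

```shell
#!/bin/sh
# Added example: sign on a "work machine" home, verify on a "worker" home.
set -eu

SIGNER_HOME="$(mktemp -d)"   # stands in for my work machine (holds the private key)
WORKER_HOME="$(mktemp -d)"   # stands in for the Hybrid Runbook Worker keyring
trap 'rm -rf "$SIGNER_HOME" "$WORKER_HOME"' EXIT
UID_STR="Runbook Signer <signer@example.invalid>"   # constructed identity

# Work-machine side: create a key pair non-interactively (the post uses the
# interactive gpg --generate-key) and export only the public half in ASCII.
make_signer_key() {
  gpg --homedir "$SIGNER_HOME" --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$UID_STR" default default 0 2>/dev/null
  gpg --homedir "$SIGNER_HOME" --armor --export "$UID_STR" > "$WORKER_HOME/import.gpg"
}

# Worker side: import the public key into its own keyring and confirm it is there.
import_on_worker() {
  gpg --homedir "$WORKER_HOME" --batch --import "$WORKER_HOME/import.gpg" 2>/dev/null
  gpg --homedir "$WORKER_HOME" --list-keys "$UID_STR" >/dev/null
}

# Clear-sign a one-line PowerShell script; the result is script.ps1.asc.
sign_script() {
  printf 'Write-Output "hello from a signed runbook"\n' > "$SIGNER_HOME/script.ps1"
  gpg --homedir "$SIGNER_HOME" --batch --pinentry-mode loopback --passphrase '' \
      --clearsign --output "$WORKER_HOME/script.ps1.asc" "$SIGNER_HOME/script.ps1"
}

# Exit status 0 only if the worker keyring verifies the signature on "$1".
worker_verifies() {
  gpg --homedir "$WORKER_HOME" --batch --verify "$1" 2>/dev/null
}

# Simulate an unauthorised edit to the signed text (the signature is untouched).
tamper() {
  sed 's/hello/HELLO/' "$WORKER_HOME/script.ps1.asc" > "$WORKER_HOME/tampered.asc"
}

run_demo() {
  make_signer_key; import_on_worker; sign_script; tamper
  if worker_verifies "$WORKER_HOME/script.ps1.asc"; then echo "original: good signature"; fi
  if worker_verifies "$WORKER_HOME/tampered.asc"; then echo "tampered: unexpectedly OK"
  else echo "tampered: bad signature, worker would refuse to run it"; fi
}
run_demo
```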