Azure Automation: Best way to store credentials?

Question

What would be the best way to store credentials in Azure Automation? Azure Automation Assets or Azure Key Vault?

Answer 1

It depends on the use case and the level of confidentiality you want to maintain with those credentials.

• With Azure Vault, you will have to manage/create policies for the credential access, and also add few lines into your PowerShell script to access those credentials. This can enhance the security but might create an overhead depending on the use case. For example, if you are storing service principal key, I would say go for the Key vault.

• Azure Automation Credentials can be accessed easily by anyone that has access to the resource group or subscription. By adding a simple PowerShell commands, passwords can also be retrieved as plain text from the Credentials, like this:

  $(Get-AutomationPSCredential -Name $name).GetNetworkCredential().Password.ToString()

However, for storing credentials that are used during deployments or are changing every now and then, Automation Credential is a good use case.