403 error in Invoke-webrequest azure automation account

Deepaklal-FT 66 Reputation points
2022-06-08T09:18:25.87+00:00

Hello,
I am writing the below code in an Azure Automation account in PowerShell 5.1:

$connectionName = "AzureRunAsConnection"
try
{
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    Connect-AzAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
$filename = "terms.html"; $filename1 = "terms_deployed.html"  # $filename1 was undefined in the post; this name is assumed
Invoke-webrequest -URI "{VALIDURL}" -Method Get -OutFile $filename
Invoke-webrequest -URI "{VALIDSTORAGEACCOUNTURL}" -Method Get -OutFile $filename1

# Upload only when the downloaded page differs from the copy already in storage
if (Compare-Object -ReferenceObject $(Get-Content $filename) -DifferenceObject $(Get-Content $filename1))
{
    $uploadstorage = Get-AzStorageAccount -ResourceGroupName "{RG_NAME}" -Name "{STORAGEACCOUNTNAME}"
    $storcontext = $uploadstorage.Context
    Set-AzStorageBlobContent -Container "`$web" -File $filename -Context $storcontext -Properties @{ ContentType = "text/html"; } -Force
}
else { "Files are the same" }

And it's throwing the below error after running:
Invoke-webrequest : The remote server returned an error: (403) Forbidden. At line:24 char:1 + Invoke-webrequest -URI
Tried the below methods:

  1. Added the -UseBasicParsing parameter to the Invoke-WebRequest
  2. Added the -Method Get parameter to the Invoke-WebRequest

3 answers

  1. ShaikMaheer-MSFT 38,321 Reputation points Microsoft Employee
    2022-06-09T07:07:50.51+00:00

    Hi @Deepaklal-FT ,

    Thank you for posting your query on the Microsoft Q&A Platform.

    Please note, when we create an Azure Automation resource, behind the scenes it creates a service principal with which it actually runs the scripts. Let's say as part of our script execution we have written PowerShell code to pause an Azure VM called demoVM1. In this case the service principal of the Azure Automation resource should have proper roles on demoVM1 to perform that action. For example, if we grant the Contributor role to that service principal, then when you run the script it will perform the action and pause demoVM1 successfully.

    Now, coming to your script, I could see at line 24 you are making an API call to some API URL. So here, if that API has some mechanism to authenticate and authorize, then we need to make sure to follow that.
    Also, in line 25, I could see you are trying to make an API call to the storage account. So here we need to make sure the Azure Automation account service principal has a proper role, let's say the Contributor role, on the storage account.

    From the error message, it seems the error is currently happening at line 24, which means access-related issues with the API call to some URL. Kindly check with the admins of that API and get details on how to authenticate and authorize with that API and make the API call successful.

    How to check the service principal of the Azure Automation resource?
    Inside the Azure Automation resource, go to Connections and click on "AzureRunAsConnection".
    Go to Azure Active Directory, click on App registrations and search with the App ID here.

    Please note, usually this service principal's display name will start with the Azure Automation resource name and then have some GUID in it.

    Hope this helps. Please let us know if you have any further queries.

    ------------

    Please consider hitting Accept Answer button. Accepted answers help community as well.


  2. Limitless Technology 39,496 Reputation points
    2022-06-09T08:11:41.457+00:00

    Hello

    Thank you for your question and for reaching out. I understand you are having issues related to the Azure Automation account.

    Please make sure the account is a member of DeviceManagementServiceConfig.ReadWrite.All

    Also, please try to disable or check rules in Azure Firewall.

    --------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


  3. Deepaklal-FT 66 Reputation points
    2022-06-13T09:14:32.483+00:00

    Hello everyone,

    In my case all the above-mentioned details were available. The problem was with the URL which I used to get data, and it was DDoS-protected with a WAF.

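A way to tell which layer produced the 403 discussed in this thread, as an added example that is not part of any post above and not Microsoft's code. It assumes Windows PowerShell 5.1 (as in the question), where a failed Invoke-WebRequest surfaces a System.Net.HttpWebResponse on the exception; the function name Get-HttpErrorOrigin and the Origin labels are hypothetical.

```powershell
# Added example, not from the original thread. Get-HttpErrorOrigin is a hypothetical name.
function Get-HttpErrorOrigin {
    param([Parameter(Mandatory)] [string] $Uri)

    try {
        $ok = Invoke-WebRequest -Uri $Uri -Method Get -UseBasicParsing -ErrorAction Stop
        return [pscustomobject]@{
            Uri = $Uri; Status = [int]$ok.StatusCode; Origin = 'request succeeded'
            Server = $ok.Headers['Server']; AzureErrorCode = $null; AzureRequestId = $null
        }
    }
    catch {
        $resp = $_.Exception.Response
        if ($resp -isnot [System.Net.HttpWebResponse]) {
            # DNS, TLS, timeout or malformed-URI failures never produce an HTTP response.
            return [pscustomobject]@{
                Uri = $Uri; Status = $null; Origin = "no HTTP response: $($_.Exception.Message)"
                Server = $null; AzureErrorCode = $null; AzureRequestId = $null
            }
        }

        # Azure Storage responses carry x-ms-request-id, and its error responses
        # name the failure in x-ms-error-code. A 403 without them was produced by
        # something else on the path to the content.
        $requestId = $resp.Headers['x-ms-request-id']
        $origin = if ($requestId) {
            'Azure service answered: check its access settings and x-ms-error-code'
        } else {
            'not an Azure Storage reply: WAF, CDN, proxy or the origin site rejected it'
        }

        return [pscustomobject]@{
            Uri = $Uri; Status = [int]$resp.StatusCode; Origin = $origin
            Server = $resp.Headers['Server']
            AzureErrorCode = $resp.Headers['x-ms-error-code']
            AzureRequestId = $requestId
        }
    }
}

# Placeholders as used in the question; replace with the real URLs before running.
'{VALIDURL}', '{VALIDSTORAGEACCOUNTURL}' |
    ForEach-Object { Get-HttpErrorOrigin -Uri $_ } |
    Format-List
```

Invoke-WebRequest sends no Azure credentials, so the Connect-AzAccount login and the service principal's roles do not change the outcome of either GET; they only apply to the Az cmdlets further down the script.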