Auto-renew Letsencrypt certificates in Azure Automation Account with managed identity

Recently my Job for renewing Letsencrypt certificates in KeyVault has stopped working. Upon closer look I found that my Run As account certificate expired:


I navigated to certificate’s properties to renew it as described in Microsoft documentation and thouhgt I have 1 minute work to fix that but no! There is no option to renew it anymore!


I generated completely new certificate instead of expired one and renewed thumbprint in AzureRunAsConnection properties but that did not help.

Microsoft now encouraages us to use managed identities instead of certificates in Automation Account and that’s what I decided to do. I moved to Identity and created new system-managed identity that I was going to use in my certificate renewal runbooks:


Copy principal ID and in Key Vault access policy add this principal with necessary permissions to access certificates.

Next, in Azure role assignments I added permissions to access Key Vault and resource group that contains storage account for Letsencrypt challenges


Now we all done with prerequisites!

And the last thing to do before testing our runbook is to change authentication from Run As account with a certificate to system-managed identity. We need to delete

strings (I left them commented so you may notice the difference) and replace them with

Here are all three runbooks:

Good luck!

Want me to do this for you? Drop me a line: itgalaxyzzz {at} gmail [dot] com