Azure Automation: Secure your webhook

Windows PowerShell, Azure Infrastructure

In my previous post titled Azure Automation: Sync Runbooks from Visual Studio Team Services, I used a webhook. The webhook is just a URL that will be triggered using an HTTP POST. In Azure Automation, they look like this:

https://s1events.azure-automation.net/webhooks?token=xxyyzzaabbcc

Anyone who has the URL can simply do an HTTP POST and your webhook would be invoked. For example:

Invoke-WebRequest -Uri https://s1events.azure-automation.net/webhooks?token=xxyyzzaabbcc -Method POST

All is not lost: we can add *some* security to this using WebhookData.

Using the example from my previous post, I had a runbook called “Sync-AzureRmRunbooks” that was triggered with a webhook. We’re going to edit that runbook slightly. All we need to do is insert some additional PowerShell near the beginning of the file to authenticate the request. Here are the lines:

param([object]$WebhookData)

# The headers sent with the HTTP POST are exposed on $WebhookData.RequestHeader
$webhookHeaders = $WebhookData.RequestHeader

# Note: -eq is case-insensitive for strings in PowerShell; use -ceq for an exact match
if ($webhookHeaders.message -eq 'sUp3rS3cr3TP@zzwerD')
{Write-Output "Webhook authenticated"}
else
{
    Write-Output "Got unauthenticated request :( ";
    exit;
}

Very simply, we’re checking to see if there is a “message” property with a value of “sUp3rS3cr3TP@zzwerD”– make yours harder to guess/crack. Because you’ll never have to type it in, you can make it something ridiculously randomized and long.

Last step? We need to go back into Visual Studio Team Services and update our Service Hook with this new information. Edit the Service Hook, skip past the first screen (condition) and to the next one (action). In the HTTP Headers section, just enter message:sUp3rS3cr3TP@zzwerD like so:

[Screenshot: Service Hook action screen, HTTP Headers field containing message:sUp3rS3cr3TP@zzwerD]

That’s it. When code is pushed to our repository now, it will also send this “message” header and therefore be authenticated. If you try to just do an HTTP POST to your webhook URL, you’ll see the “Got unauthenticated request” message. To read more about webhooks, take a look at the Azure documentation.
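The same header check, written out as a full runbook prologue. This is an added example, not the code from the post above: it keeps the secret in an Azure Automation encrypted variable (the variable name WebhookSecret is an assumption chosen for this example) instead of pasting it into the runbook, guards against the runbook being started without webhook data, and compares the header value without an early exit so the comparison time does not depend on how many leading characters matched. Get-AutomationVariable is the cmdlet Azure Automation provides inside runbooks for reading such variables.

```powershell
# Added example, not the original post's runbook.
# Assumptions: an encrypted Automation variable named "WebhookSecret" holds the
# shared secret, and the webhook delivers $WebhookData as Azure Automation does.
param(
    [object]$WebhookData
)

function Test-SharedSecret {
    param([string]$Provided, [string]$Expected)
    # Reject missing values outright.
    if ([string]::IsNullOrEmpty($Provided) -or [string]::IsNullOrEmpty($Expected)) {
        return $false
    }
    $a = [System.Text.Encoding]::UTF8.GetBytes($Provided)
    $b = [System.Text.Encoding]::UTF8.GetBytes($Expected)
    # Fold every byte difference into one accumulator; no early return, and a
    # length mismatch is folded in as well, so the result is all-or-nothing.
    $diff = $a.Length -bxor $b.Length
    $n = [Math]::Min($a.Length, $b.Length)
    for ($i = 0; $i -lt $n; $i++) {
        $diff = $diff -bor ($a[$i] -bxor $b[$i])
    }
    return ($diff -eq 0)
}

if ($null -eq $WebhookData) {
    Write-Output "Runbook was not started by a webhook; exiting."
    exit
}

# Same header the post uses; only the secret's storage differs.
$provided = $WebhookData.RequestHeader.message
$expected = Get-AutomationVariable -Name 'WebhookSecret'

if (-not (Test-SharedSecret -Provided $provided -Expected $expected)) {
    Write-Output "Got unauthenticated request :("
    exit
}
Write-Output "Webhook authenticated"

# ... the rest of the Sync-AzureRmRunbooks runbook body follows here.

# Caller side, for verifying the hook from a workstation (replace the URL and
# secret with your own; these are placeholders):
#   Invoke-WebRequest -Uri 'https://s1events.azure-automation.net/webhooks?token=<token>' `
#       -Method POST -Headers @{ message = '<your-secret>' }
</powershell>
```

Rotating the secret then means updating the Automation variable and the Service Hook header, with no change to the runbook itself.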
