Configure Azure Cloud Service App Pool Identity

As I am learning more about how Cloud Services work in Azure, I came across an interesting problem. I wanted my Cloud Service to run under a specific user account for security reasons. Since instances can be spun up/down/replaced (such is the nature of PaaS), I needed to figure out how to do this programmatically.

One of the challenges is that the Web Role's web site in IIS is named something like "CloudService_IN_0_Web", where the instance number increments for each instance. Also, the app pool's name is a random GUID, so it's tough to reference either one directly in a script.

After some dead ends, I was finally able to piece together a PowerShell script that sets the application pool's identity. It runs as the Cloud Service's startup task. Hopefully this will help you too!

Import-Module WebAdministration                         # provides the IIS:\ drive used below
$appPool = Get-Website | Select-Object applicationPool  # assumes the role's site is the only site in IIS (see notes)
$name = $appPool.applicationPool                        # the pool's GUID name
# "username"/"password" are placeholders: inject real credentials from configuration rather than committing them here
Set-ItemProperty -Path "IIS:\AppPools\$name" -Name processModel.userName -Value "username"
Set-ItemProperty -Path "IIS:\AppPools\$name" -Name processModel.password -Value "password"
Set-ItemProperty -Path "IIS:\AppPools\$name" -Name processModel.identityType -Value 3   # 3 = SpecificUser

A few notes on this script:

  • Import-Module WebAdministration is necessary to be able to use the "IIS:\" path.
  • I'm cheating a little using the Get-Website command. It normally returns a list of websites in IIS, and with a single web role deployed I'm able to get at the correct (and only) site using this command. With more than one site, $appPool.applicationPool becomes an array, the path expands to several GUIDs run together, and Set-ItemProperty fails; in that case filter on the site name first, e.g. Get-Website | Where-Object { $_.Name -like '*_IN_*_Web' }.
  • I was also unable to get -Path "IIS:\AppPools\($appPool.applicationPool)" to resolve correctly, hence the $name variable. The reason is that PowerShell only evaluates an expression inside a double-quoted string when it is wrapped in the subexpression operator, $(...), so "IIS:\AppPools\$($appPool.applicationPool)" resolves without the extra variable.
  • The username and password are literals in the script, which means they ship inside the deployment package and live in source control. Inject them at run time instead (for example from an environment variable the startup task populates from service configuration), and give the account only the rights the site actually needs, since it is the identity every request to the role runs under.
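Putting the notes above together, here is an added example (not the post's original script) that selects the web role's site by name instead of assuming it is the only one, takes the credentials from the environment rather than the script body, applies the identity in a single write, reads it back to verify, and recycles the pool. The site-name pattern *_IN_*_Web, the variable names APPPOOL_USER and APPPOOL_PASSWORD, and the assumption that the startup task runs elevated are mine, not the post's:

```powershell
# Added example, not the post's own script. Assumes: the "<Role>_IN_<n>_Web" site
# naming described in the post, credentials in APPPOOL_USER / APPPOOL_PASSWORD,
# and an elevated startup task (writing IIS configuration requires admin rights).
$ErrorActionPreference = 'Stop'
Import-Module WebAdministration   # provides the IIS:\ drive and the Web* cmdlets

function Set-WebRoleAppPoolIdentity {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$SiteNamePattern = '*_IN_*_Web'   # assumed from the naming in the post
    )

    # Select the role's site explicitly instead of relying on it being the only one.
    $sites = @(Get-Website | Where-Object { $_.Name -like $SiteNamePattern })
    if ($sites.Count -ne 1) {
        throw "Expected exactly one site matching '$SiteNamePattern', found $($sites.Count): $($sites.Name -join ', ')"
    }

    # -ExpandProperty returns the pool name as a plain string, and $(...) lets it be
    # embedded in the path without a temporary variable.
    $poolName = $sites[0] | Select-Object -ExpandProperty applicationPool
    $poolPath = "IIS:\AppPools\$($poolName)"
    if (-not (Test-Path $poolPath)) { throw "App pool '$poolName' not found" }

    # Write the whole processModel element at once; identityType 3 = SpecificUser.
    Set-ItemProperty -Path $poolPath -Name processModel -Value @{
        userName     = $UserName
        password     = $Password
        identityType = 3
    }

    # Read the element back and confirm IIS accepted the change before recycling.
    $pm = Get-ItemProperty -Path $poolPath -Name processModel
    if ("$($pm.identityType)" -notmatch '^(SpecificUser|3)$' -or $pm.userName -ne $UserName) {
        throw "Identity not applied to '$poolName' (identityType=$($pm.identityType), userName=$($pm.userName))"
    }

    # A running worker process keeps its old token; recycle so the new account is used.
    if ((Get-WebAppPoolState -Name $poolName).Value -eq 'Started') {
        Restart-WebAppPool -Name $poolName
    }
    return $poolName
}

# Credentials come from the environment (e.g. an <Environment> variable on the
# startup task, fed from service configuration), never from the script file.
$user = $env:APPPOOL_USER
$pass = $env:APPPOOL_PASSWORD
if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($pass)) {
    throw 'APPPOOL_USER and APPPOOL_PASSWORD must be set before this task runs'
}
$configured = Set-WebRoleAppPoolIdentity -UserName $user -Password $pass
Write-Host "App pool '$configured' now runs as $user"
```

Run it from the same startup task as the original script. The read-back check matters more than it looks: Set-ItemProperty on the IIS provider does not validate the account, so a typo in the username only surfaces later as a worker process that fails to start, and the verification plus the recycle turn that into a startup-task failure you can see.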

Good luck with your coding, and if you find an improvement on the method listed here, feel free to let me know on Twitter!

[h/t The Inadvertant IIS Admin]