As I am learning more about how Cloud Services work in Azure, I came across an interesting problem. I wanted my Cloud Service to run under a specific user account for security reasons. Since instances can be spun up/down/replaced (such is the nature of PaaS), I needed to figure out how to do this programmatically.
One of the challenges is that the Web Role's web site in IIS is named something like "CloudService_IN_0_Web", and it increments for each instance. Also, the app pool's name is a random GUID so it's tough to reference either one of those directly in any script.
After some dead ends, I was finally able to piece together a PowerShell script to set the application pool's identity. This runs in the Cloud Service's startup command. Hopefully this will help you too!
```powershell
# Needed for the IIS:\ provider paths used below
Import-Module WebAdministration

# With a single web role deployed there is only one site, so this picks it up
$appPool = Get-Website | Select-Object applicationPool
$name = $appPool.applicationPool   # the GUID-named app pool

# identityType 3 = SpecificUser
Set-ItemProperty -Path "IIS:\AppPools\$name" -Name processModel.userName -Value "username"
Set-ItemProperty -Path "IIS:\AppPools\$name" -Name processModel.password -Value "password"
Set-ItemProperty -Path "IIS:\AppPools\$name" -Name processModel.identityType -Value 3
```
A couple of notes on this script:
- Import-Module WebAdministration is necessary to be able to use the "IIS:\" path.
- I'm cheating a little using the Get-Website command. It normally returns a list of websites in IIS, and with a single web role deployed I'm able to get at the correct (and only) site using this command. Your mileage may vary if you attempt this with multiple sites.
- I was also unable to get -Path "IIS:\AppPools\($appPool.applicationPool)" to resolve correctly, hence the $name variable. It's very possible that some PowerShell ninjitsu may be able to get rid of that.
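As an added example (not the original post's script), here is a variant that selects the web role's site by its "_IN_<n>_Web" naming pattern instead of assuming a single site, takes the credentials as parameters rather than hard-coding them in the startup script, and reads the setting back to verify it applied. The parameter names and the $SitePattern default are my assumptions.

```powershell
# Added example: set the web role app pool identity without relying on a single site.
param(
    [Parameter(Mandatory = $true)] [string] $UserName,
    [Parameter(Mandatory = $true)] [string] $Password,
    # Assumed pattern for the web role site name, e.g. "CloudService_IN_0_Web"
    [string] $SitePattern = '*_IN_*_Web'
)

# Needed for the IIS:\ provider paths
Import-Module WebAdministration

# Get-Website returns every site in IIS; keep only those matching the web role pattern
$sites = @(Get-Website | Where-Object { $_.Name -like $SitePattern })
if ($sites.Count -ne 1) {
    $found = ($sites | ForEach-Object { $_.Name }) -join ', '
    throw "Expected exactly one site matching '$SitePattern', found $($sites.Count): $found"
}

$site     = $sites[0]
$poolName = $site.applicationPool          # the GUID-named app pool
$poolPath = "IIS:\AppPools\$poolName"
if (-not (Test-Path $poolPath)) {
    throw "App pool '$poolName' for site '$($site.Name)' not found"
}

# processModel.identityType 3 = SpecificUser (same value the original script uses)
Set-ItemProperty -Path $poolPath -Name processModel.userName     -Value $UserName
Set-ItemProperty -Path $poolPath -Name processModel.password     -Value $Password
Set-ItemProperty -Path $poolPath -Name processModel.identityType -Value 3

# Read the setting back so the startup task fails loudly if it did not apply
$pm = Get-ItemProperty -Path $poolPath -Name processModel
if ((@('SpecificUser', 3) -notcontains $pm.identityType) -or ($pm.userName -ne $UserName)) {
    throw "Identity for app pool '$poolName' was not applied (identityType=$($pm.identityType), userName=$($pm.userName))"
}
Write-Output "Site '$($site.Name)' -> app pool '$poolName' now runs as '$UserName'"
```

Because the startup task fails on a non-zero exit, the throw calls make a misconfigured instance visible instead of silently running under the default app pool identity.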
Good luck with your coding, and if you find an improvement on the method listed here, feel free to let me know on Twitter!
[h/t The Inadvertant IIS Admin]