How to Run Python on a Hybrid Runbook Worker: Replace automationassets with Get-AutomationPSCredential via PowerShell

Fix Python automationassets on Azure Automation Hybrid Runbook Workers: use Get-AutomationPSCredential in PowerShell and pass credentials to Python via env vars.

Running Python on a Hybrid Runbook Worker is a great way to bring existing automation to your own infrastructure, but there’s a catch: the familiar automationassets module that exposes Get-AutomationPSCredential equivalents in Python only works in Azure Automation’s cloud sandbox. When the same code executes on a Hybrid Runbook Worker, credential retrieval fails and you’re left wondering how to securely bridge Automation assets into Python.

Problem

The following Python snippet runs fine in cloud-based runbooks, but fails on a Hybrid Runbook Worker:

#!/usr/bin/env python3
import automationassets

print("hello world")
auth_obj = automationassets.get_automation_credential("TestCredentials")
print(auth_obj["username"])
print(auth_obj["password"])
print("---DONE---")

On a Hybrid Runbook Worker it produces the following error:

AttributeError: 'dict' object has no attribute 'iteritems'

Attempting to import an exception type from the same module doesn’t help either:import automationassets
from automationassets import AutomationAssetNotFound


Which results in:

ImportError: cannot import name 'AutomationAssetNotFound' from 'automationassets'

Why this happens

The automationassets module relies on local Automation assets that only exist inside Azure Automation’s cloud sandbox. On a Hybrid Runbook Worker there’s no direct access to those assets, so calls like automationassets.get_automation_credential() don’t work. In practice, this means the Hybrid Runbook Worker behaves like a regular Windows or Linux machine that can run your scripts, but does not provide the cloud sandbox’s special asset plumbing.

Microsoft’s guidance for running runbooks on Hybrid Runbook Workers is here: Run runbooks on a Hybrid Runbook Worker.

Solution

Use a PowerShell runbook to fetch credentials via Get-AutomationPSCredential on the Hybrid Runbook Worker and pass them to your Python process through environment variables. This pattern uses the native Azure Automation credential retrieval that does work on Hybrid Runbook Workers, while handing off the actual username/password to Python without exposing them as runbook inputs.

Below is a PowerShell example that retrieves the stored credential and invokes your Python script with environment variables set:

$creds = Get-AutomationPSCredential -Name "TestCredentials"
$env:RB_USER = $creds.UserName
$env:RB_PASS = $creds.GetNetworkCredential().Password

$pyFile = "C:\scripts\run_task.py"
python $pyFile

And here is the corresponding Python script reading those values:

import os

user_val = os.getenv("RB_USER")
pass_val = os.getenv("RB_PASS")
print(f"Username: {user_val}")
print(f"Password: {pass_val}")
print("---DONE---")

This approach keeps secrets out of runbook input parameters. Passing passwords as inputs to Start-AzAutomationRunbook can expose them in plain text in the runbook’s Input view, so avoid that path.

If you’re evolving your Hybrid Runbook Worker setup, you may also find this guidance helpful: Migrate to extension-based Hybrid Runbook Workers.

Why it’s important

Hybrid Runbook Workers do not replicate the Azure Automation sandbox’s asset system, which means code written for cloud runbooks cannot assume automationassets exists or behaves the same way. Bridging credentials through a PowerShell wrapper via environment variables gives you a straightforward, repeatable mechanism to run Python securely on your own machines under Automation control.

Some teams also prefer to centralize secrets outside Automation assets. Using Azure Key Vault from Python with azure-identity and azure-keyvault-secrets is a viable pattern that keeps secrets retrieval entirely within the Python code path. In other cases, developers have chosen the keyring module for local secret storage. Choose the one that fits your operational and compliance requirements.

Wrap-up and practical advice

If you need Azure Automation credentials inside Python on a Hybrid Runbook Worker, don’t reach for automationassets. Fetch the credential with Get-AutomationPSCredential in PowerShell and pass it to Python using environment variables set right before process invocation. Avoid supplying passwords via runbook inputs to prevent accidental exposure in logs. For broader secret management, consider Azure Key Vault to keep sensitive material out of your runbook wrapper entirely. With this pattern, you get reliable credential flow on Hybrid Runbook Workers without depending on cloud-only modules.