Merge pull request #265628 from johnmarco/jm-arc-run-command-update

ARC: Update Run Command article

Author: v-shils

articles/azure-arc/servers/run-command.md

@@ -1,7 +1,7 @@
 ---
 title: How to remotely and securely configure servers using Run command (Preview)
 description: Learn how to remotely and securely configure servers using Run Command.
-ms.date: 12/22/2023
+ms.date: 02/07/2024
 ms.topic: conceptual
 ---
 
@@ -22,6 +22,181 @@ Run Command on Azure Arc-enabled servers (Public Preview) uses the Connected Mac
 - **Configuration:** Run Command doesn't require more configuration or the deployment of any extensions. The
 Connected Machine agent version must be 1.33 or higher. 
 
+
+## Limiting access to Run Command using RBAC
+
+Listing the run commands or showing details of a command requires the `Microsoft.HybridCompute/machines/runCommands/read` permission. The built-in [Reader](/azure/role-based-access-control/built-in-roles) role and higher levels have this permission.
+
+Running a command requires the `Microsoft.HybridCompute/machines/runCommands/write` permission. The [Azure Connected Machine Resource Administrator](/azure/role-based-access-control/built-in-roles) role and higher levels have this permission.
+
+You can use one of the [built-in roles](/azure/role-based-access-control/built-in-roles) or create a [custom role](/azure/role-based-access-control/custom-roles) to use Run Command.
+
+## Blocking run commands locally
+
+The Connected Machine agent supports local configurations that allow you to set an allowlist or a blocklist. See [Extension allowlists and blocklists](security-overview.md#extension-allowlists-and-blocklists) to learn more.
+
+For Windows:
+
+`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerwindows"`
+
+For Linux:
+
+`azcmagent config set extensions.blocklist " microsoft.cplat.core/runcommandhandlerlinux"`
+
+
+## Azure CLI
+
+The following examples use [az connectedmachine run-command](/cli/azure/connectedmachine/run-command) to run a shell script on an Azure Windows machine.
+
+### Execute a script with the machine
+
+This command delivers the script to the machine, executes it, and returns the captured output.
+
+```azurecli
+az connectedmachine run-command create –-name "myRunCommand" --machine-name "myMachine" --resource-group "myRG" --script "Write-Host Hello World!"
+```
+
+### List all deployed RunCommand resources on a machine
+
+This command returns a full list of previously deployed run commands along with their properties.
+
+```azurecli
+az connectedmachine run-command list --machine-name "myMachine" --resource-group "myRG"
+```
+
+### Get execution status and results
+
+This command retrieves current execution progress, including latest output, start/end time, exit code, and terminal state of the execution.
+
+```azurecli
+az connectedmachine run-command show --name "myRunCommand" --machine-name "myMachine" --resource-group "myRG"
+```
+
+> [!NOTE]
+> Output and error fields in `instanceView` is limited to the last 4KB. To access the full output and error, you can forward the output and error data to storage append blobs using `-outputBlobUri` and `-errorBlobUri` parameters while executing Run Command.
+> 
+
+### Delete RunCommand resource from the machine
+
+Remove the RunCommand resource previously deployed on the machine. If the script execution is still in progress, execution will be terminated.
+
+```azurecli
+az connectedmachine run-command delete --name "myRunCommand" --machine-name "myMachine" --resource-group "myRG"
+```
+
+## PowerShell
+
+### Execute a script with the machine
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine" -Location "EastUS" -RunCommandName "RunCommandName" –SourceScript "echo Hello World!"
+```
+
+### Execute a script on the machine using SourceScriptUri parameter
+
+`OutputBlobUri` and `ErrorBlobUri` are optional parameters.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName -MachineName -RunCommandName -SourceScriptUri “< SAS URI of a storage blob with read access or public URI>” -OutputBlobUri “< SAS URI of a storage append blob with read, add, create, write access>” -ErrorBlobUri “< SAS URI of a storage append blob with read, add, create, write access>”
+```
+
+### List all deployed RunCommand resources on a machine
+
+This command returns a full list of previously deployed Run Commands along with their properties.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine"
+```
+
+### Get execution status and results
+
+This command retrieves current execution progress, including latest output, start/end time, exit code, and terminal state of the execution.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName "myRG" - MachineName "myMachine" -RunCommandName "RunCommandName"
+```
+
+### Create or update Run Command on a machine using SourceScriptUri (storage blob SAS URL)
+
+Create or update Run Command on a Windows machine using a SAS URL of a storage blob that contains a PowerShell script. `SourceScriptUri` can be a storage blob’s full SAS URL or public URL.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScriptUri <SourceScriptUri>
+```
+
+> [!NOTE]
+> SAS URL must provide read access to the blob. An expiration time of 24 hours is suggested for SAS URL. SAS URLs can be generated on the Azure portal using blob options, or SAS token using `New-AzStorageBlobSASToken`. If generating SAS token using `New-AzStorageBlobSASToken`, your SAS URL = "base blob URL" + "?" + "SAS token from `New-AzStorageBlobSASToken`"
+> 
+
+### Get a Run Command Instance View for a machine after creating or updating Run Command
+
+Get a Run Command for machine with Instance View. Instance View contains the execution state of run command (Succeeded, Failed, etc.), exit code, standard output, and standard error generated by executing the script using Run Command. A non-zero ExitCode indicates an unsuccessful execution.
+
+```powershell
+Get-AzConnectedMachineRunCommand -ResourceGroupName MyRG -MachineName MyMachine -RunCommandName MyRunCommand
+```
+
+`InstanceViewExecutionState`: Status of user's Run Command script. Refer to this state to know whether your script was successful or not. 
+
+`ProvisioningState`: Status of general extension provisioning end to end (whether extension platform was able to trigger Run Command script or not).
+
+### Create or update Run Command on a machine using SourceScript (script text)
+
+Create or update Run Command on a machine passing the script content directly to `-SourceScript` parameter. Use `;` to separate multiple commands.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand2 -Location EastUS2EUAP -SourceScript "id; echo HelloWorld"
+```
+
+### Create or update Run Command on a machine using OutputBlobUri, ErrorBlobUri to stream standard output and standard error messages to output and error Append blobs
+
+Create or update Run Command on a machine and stream standard output and standard error messages to output and error Append blobs.
+
+```powershell
+New-AzConnectedMachineRunCommand -ResourceGroupName MyRG0 - MachineName MyMachine -RunCommandName MyRunCommand3 -Location EastUS2EUAP -SourceScript "id; echo HelloWorld"-OutputBlobUri <OutPutBlobUrI> -ErrorBlobUri <ErrorBlobUri>
+```
+
+> [!NOTE]
+> Output and error blobs must be the AppendBlob type and their SAS URLs must provide read, append, create, write access to the blob. An expiration time of 24 hours is suggested for SAS URL. If output or error blob does not exist, a blob of type AppendBlob will be created. SAS URLs can be generated on Azure portal using blob's options, or SAS token from using `New-AzStorageBlobSASToken`.
+> 
+
+### Create or update Run Command on a machine as a different user using RunAsUser and RunAsPassword parameters
+
+Create or update Run Command on a machine as a different user using `RunAsUser` and `RunAsPassword` parameters. For RunAs to work properly, contact the administrator the of machine and make sure user is added on the machine, user has access to resources accessed by the Run Command (directories, files, network etc.), and in case of Windows machine, 'Secondary Logon' service is running on the machine.
+
+```powershell
+New-AzMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScript "id; echo HelloWorld" -RunAsUser myusername -RunAsPassword mypassword
+```
+
+### Create or update Run Command on a machine resource using SourceScriptUri (storage blob SAS URL)
+
+Create or update Run Command on a Windows machine resource using a SAS URL of a storage blob that contains a PowerShell script.
+
+
+```powershell
+New-AzMachineRunCommand -ResourceGroupName MyRG0 -MachineName MyMachine -RunCommandName MyRunCommand -Location EastUS2EUAP -SourceScriptUri <SourceScriptUri>
+```
+
+> [!NOTE]
+> SAS URL must provide read access to the blob. An expiry time of 24 hours is suggested for SAS URL. SAS URLs can be generated on Azure portal using blob options or SAS token using `New-AzStorageBlobSASToken`. If generating SAS token using `New-AzStorageBlobSASToken`, the SAS URL format is: base blob URL + "?" + the SAS token from `New-AzStorageBlobSASToken`.
+> 
+
+### Create or update Run Command on a machine instance using Parameter and ProtectedParameter parameters (Public and Protected Parameters to script)
+
+Use ProtectedParameter to pass any sensitive inputs to script such as passwords, keys etc.
+
+- Windows: Parameters and ProtectedParameters are passed to script as arguments are passed to script and run like this: `myscript.ps1 -publicParam1 publicParam1value -publicParam2 publicParam2value -secret1 secret1value -secret2 secret2value`
+
+- Linux: Named Parameters and its values are set to environment config, which should be accessible within the .sh script. For Nameless arguments, pass an empty string to name input. Nameless arguments are passed to script and run like this: `myscript.sh publicParam1value publicParam2value secret1value secret2value`
+
+### Delete RunCommand resource from the machine
+
+Remove the RunCommand resource previously deployed on the machine. If the script execution is still in progress, execution will be terminated.
+
+```powershell
+Remove-AzConnetedMachineRunCommand -ResourceGroupName "myRG" -MachineName "myMachine" -RunCommandName "RunCommandName"
+```
+
 ## Run Command operations
 
 Run Command on Azure Arc-enabled servers supports the following operations: