Creating VICredentialStore Items without Typing Your Password into the Command Line

I use PowerCLI a lot.  Like, when VMware said to stop using the C# client, I just started using PowerCLI instead of learning the Flash based web client.  As such, I log into many vCenter servers many times each day, and creating a VICredentialStore item for each vCenter that I use is one trick that saves me a lot of typing and therefore time.

The New-VICredentialStoreItem cmdlet is super easy to use, which creates these credential store items.  Once you have an item created, those credentials get used automatically when you connect to a vCenter server, making the logon faster and easier.  To use it, just follow this syntax:

New-VICredentialStoreItem -Host vCenterServer -User JColeman -Password SuperSecretPassword

And there you go, next time you use connect-viserver vCenterServer, it will automatically pass JColeman as the username and SuperSecretPassword as the password.

Of course, no one ever wants to do this.  Who in their right mind would want to type their password, in plain text, into the PowerCLI console?  Anyone shoulder surfing would be able to see it and, even worse, any time you print your PowerShell history, it'll pop up again!

Fortunately, there's a way to protect yourself against this issue.  It's an ugly command line, but use this instead:

New-VICredentialStoreItem -Host vCenterServer -User JColeman -Password ((get-credential).GetNetworkCredential().password)

When you fire that off, it will prompt you for a username/password in a popup window, which will star out the password and won't record it in the command history.  The "username" field in that popup window doesn't matter, it just can't be blank; all that we're doing is grabbing the password that was typed into that window and passing that to the New-VICredentialStoreItem cmdlet.

Bear in mind, there are some security concerns with the VICredentialStore though.  It uses encryption to store your username/password so that only your user account can access them, but if you leave your desktop unlocked, someone could walk up and use (get-vicredentialstoreitem).password to get your password.  That'll only work if they can already open up a PowerCLI session with your credentials, so the risk is manageable, but it does exist.

Comments

Popular posts from this blog

Orphaned VMDK Files

Deleting Orphaned (AKA Zombie) VMDK Files

Clone a Standard vSwitch from one ESXi Host to Another