Secure Credentials in PowerShell Scripts

The scripts that I write occasionally need access to specific user account credentials in order to do their work, so I wanted to write a quick note about how to securely store those credentials for scripts (especially if they're going to be run as a scheduled task)!  It all revolves around the get-credential cmdlet.

The get-credential cmdlet is made for this; by default, the object that it creates is encrypted to the account that executed it as a secure powershell object.  This means that you can easily save those credentials to a secure file with these two commands:

$creds = get-credential -message "Enter credentials"

$creds | export-clixml $credsFile

Many PowerShell cmdlets can take credentials in the form of a credentials object (frequently with the "-credential $creds" syntax), but even when you need to supply a username and password, they're really easy to get out of that $creds object:

$creds.UserName

$creds.GetNetworkCredential().password

If some other user attempts to import the xml password object, they'll get an error that reads "import-clixml : Key not valid for use in specified state."  If you just open the XML file directly, you can plainly see the password property... and that it's nice and encrypted!  So, only the account that ran the get-credential cmdlet can access the password stored in the XML file that we can generate from that object.  How's the easiest way to use this in our scripts?  If it's a script that people will be executing, I like to put it in a Try/Catch block like this:

try {

$creds = import-clixml $credsFile

}

catch {

$creds = get-credential -message "Enter credentials"

$creds | export-clixml $credsFile

}

The script will try to import the credentials in the specified file and, if that fails, will prompt the user for credentials and then save them in the file.  In practice, this means that the first time a given user runs the script, they'll need to enter their credentials, but after that they're saved in a file that only that user account can access.  But what do you do if you're preparing this script to run as a scheduled task?  Well, our old friend "runas.exe" comes in handy there!

runas.exe /user:domain\serviceAccount powershell.exe

The easiest way to create the credentials object for the account that'll be running the scheduled task is to just open up a PowerShell prompt as that user.  So, you can fire off that above command to give you such a window, and from there you can do the whole "get-credential | export-clixml $credsFile" process to pre-seed the credentials XML file for the service account!

Comments

  1. PostJuly 23, 2021 at 8:02 AM

    Might also check out the SecretManagement module which is cross-platform
    https://github.com/powershell/secretmanagement

    ReplyDelete

Post a Comment

Sorry guys, I've been getting a lot of spam recently, so I've had to turn on comment moderation. I'll do my best to moderate them swiftly after they're submitted,

Popular posts from this blog

PowerShell Sorting by Multiple Columns

PowerShell's Sort-Object cmdlet is super useful, especially when preparing output for human consumption.  A few people have found my blog while looking for more information about its use, specifically while looking for how to sort by multiple columns (well, properties, technically).  I've never done so (much less written about it), so I hope those folks found answers elsewhere.  But, it got me curious... and it turns out that it's really easy. The Technet article on Sort-Object has the answer directly spelled out: just use commas to create a list of properties to sort by (in order to precedence).  Let's look at some examples!  First, prepare a variable with some good sortable data: $myData = get-eventlog System -newest 25 And then we can get to sorting!  Say you want to sort primarily by EntryType (Warning, Information, Error) and then by Source.  Easy-peasy: $myData | sort EntryType,Source How about if you want it to be in descending order?  Yeah, there&
Read more

Clone a Standard vSwitch from one ESXi Host to Another

One of my customers is standardizing the configurations on their HP C7000 enclosures (they've been set up at various sites by various administrators with varying involvement from the architecture team).  As such, we need to stand up some temporary resources so that we can take down the main enclosure for reconfiguration.  That's fine, we can easily ship a smaller enclosure to each site for temporary compute resources.  Some of the sites are using Standard vSwitches, so we need to be able to quickly copy the networking configuration over from their existing blades to these new, slightly different blades.  As I see it, we had 2 good options: 1) Capture a Host Profile with the desired vSwitch configuration.  Delete every other component of the Host Profile so that only the networking section is applied; design the new ESXi hosts so that the vSwitches'll work with the old vmnic-to-vswitch configurations. 2) Write a script to clone the vSwitch from ones ESXi host to another.
Read more

Deleting Orphaned (AKA Zombie) VMDK Files

A problem that most Virtualization Administrators need to deal with is Orphaned VMDK files (or Zombie VMDK files, as some people call them).  These are Virtual Machine hard drive files that are just hanging out, taking up storage, but are attached to no VMs.  How can this happen?  Well, the most common way is when an administrator needs to delete a VMDK but isn't quite ready to commit... so, after pressing "remove", they select "remove from virtual machine" rather than "remove and delete files".  The intent is always good: "I want to be able to restore this if it turns out to be necessary... so I'll just come back and delete it next week if nothing breaks!"  But, of course, next week something else happens and the file doesn't get deleted.  After a little while, it turns into "which files did I rename, again?" and nothing seems to happen. So, how do you deal with these orphaned files?  Well, a few years ago I found a scrip
Read more