Composite resource credentials encryption

    • #214287
      Participant

      Hi,

      I have a working configuration script which encrypts my credentials inside the MOF. I am now working on splitting the entire configuration script into composite resources. One of the composite resources installs a Windows Feature role (everything works as expected), but in the second composite resource I need to pass credentials to the resource in order to access it.

      Main Configuration script:

      Configuration Test {
          param (
              [Parameter(Mandatory = $true)]
              [ValidateNotNullOrEmpty()]
              [System.Management.Automation.PSCredential]
              [Alias('Type your username and password')]
              $Credential
          )

          Import-DscResource -ModuleName CompositeResource

          node localhost {
              # Composite resource that receives the share credential
              WebServer-CommonPackage TestResource {
                  CredentialShare = $CredentialShare
              }
          }
      }

      Test -ConfigurationData ConfigData.psd1

      Configuration CompositeResource
      {
          param (
              [Parameter(Mandatory = $true)]
              [ValidateNotNullOrEmpty()]
              [System.Management.Automation.PSCredential]
              $CredentialShare
          )

          # Install the package from the share, authenticating with the passed credential
          Package Application {
              Ensure     = 'Present'
              Path       = "SharePath"
              Name       = Name
              ProductID  = ProductID
              Arguments  = Arguments
              Credential = $CredentialShare
          }
      }

      In configuration data I also have

      @{
          AllNodes = @(
              @{
                  Environment                 = 'DEV'
                  NodeName                    = 'localhost'
                  PSDSCAllowPlainTextPassword = $false
                  Certificatefile             = 'PublicKey.cer'
                  Thumbprint                  = 'thumbprint'
              }
          )
      }


      Every time I try to compile I get the following error:

      ConvertTo-MOFInstance : System.InvalidOperationException error processing property ‘PsDscRunAsCredential’ OF TYPE ‘File’: Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog

      I need to use credentials for package as I need to install multiple applications directly from share and not have to copy them locally.

      Thanks

      • This topic was modified 1 month, 4 weeks ago by kvprasoon. Reason: code formatting
    • #215157
      Senior Moderator

      Are you allowing DSC to use passwords in configuration? How are you encrypting it?

      https://docs.microsoft.com/en-us/powershell/scripting/dsc/configurations/runasuser?view=powershell-7

    • #215910
      Participant

      Hi,

      If I don’t try to do a composite resource module, then everything is encrypted and working, as in my configuration data I have defined both the .cer file path, thumbprint and everything that is needed.

      The issue is when I try to use credentials inside the composite resource module, then I get the error. I need Credential and not PsDscRunAsCredential as my share requires authentication in order, not to run the installation under a certain user.

    • #218538
      Participant
      Configuration DSC_Deploy
      {
          param
          (
              [Parameter()]
              [ValidateNotNull()]
              [PSCredential]$Credential
          )

          # Split the credential into a user name and a clear-text password string
          $CredUser = $Credential.UserName
          $CredPass = $Credential.GetNetworkCredential().Password

          Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

          Node $AllNodes.Where{$_.Property -eq "Yes"}.NodeName
          {
              Script ScriptDBBackup
              {
                  SetScript = {

      $query_backup = @'
                      SELECT

      '@
                      # The user name and password strings are passed in with $Using:
                      $backupList = Invoke-Sqlcmd -Database $BcsDbName -Username $Using:CredUser -Password $Using:CredPass -Query $query_backup
                  }
                  TestScript = {

                      if ( -not [string]::IsNullOrEmpty($TasksServiceName) ) {
                          $ServObj = Get-Service -Name $TasksServiceName
                          if ( $ServObj.Status -eq 'Stopped' ) {
                              Write-Verbose -Message "The service $TasksServiceName has stopped."
                              return $false
                              ##########  AFTER TESTING CHANGE TO FALSE
                          } else {
                              # Double quotes so that the service name is expanded in the message
                              Write-Verbose -Message "Service $TasksServiceName is not stopped."
                              $ServObj | Stop-Service -PassThru | foreach {
                                  if ( $_.Status -eq 'stopped' ) {
                                      Write-Verbose -Message "The service $TasksServiceName has stopped."
                                      return $false
                                  } else {
                                      Write-Verbose -Message 'Service not stopped.'
                                      return $true
                                  }
                              }
                          }
                      } else {
                          Write-Verbose -Message 'The variables not populated.'
                          return $true
                      }
                  }
                  GetScript = {
                      # GetScript has to return a hashtable
                      return @{ Result = '' }
                  }
              }
          }
      }

      $username = 'anadm8in'
      $pw = '@password123'
      $pwss = (ConvertTo-SecureString $pw -AsPlainText -Force)
      $creds = New-Object System.Management.Automation.PSCredential($username, $pwss)
      DSC_Deploy -Credential $creds -ConfigurationData $cfgData -OutputPath $outP
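
An added example, not part of any post in this thread: a PowerShell check that reads a compiled MOF and reports which `MSFT_Credential` instances carry a certificate-encrypted password. The function name, the sample MOF text and the account names are constructed for illustration, and the check assumes the `-----BEGIN CMS-----` format that WMF 5.0 and later write for encrypted passwords.

```powershell
# Added example (not from the thread): list credentials in a compiled MOF that
# were not certificate-encrypted. Assumes the CMS format written by WMF 5.0+.
function Test-MofCredentialEncryption {
    param([Parameter(Mandatory)][string]$MofText)

    # An encrypted document is marked in its OMI_ConfigurationDocument instance.
    $docEncrypted = $MofText -match 'ContentType\s*=\s*"PasswordEncrypted"'

    # Every PSCredential property is compiled to one MSFT_Credential instance.
    $pattern = '(?s)instance of MSFT_Credential\b.*?\{(?<body>.*?)\};'
    foreach ($m in [regex]::Matches($MofText, $pattern)) {
        $body = $m.Groups['body'].Value
        $user = [regex]::Match($body, 'UserName\s*=\s*"(?<v>[^"]*)"').Groups['v'].Value
        $pass = [regex]::Match($body, '(?s)Password\s*=\s*"(?<v>.*?)"\s*;').Groups['v'].Value
        [pscustomobject]@{
            UserName          = $user
            PasswordEncrypted = $pass.StartsWith('-----BEGIN CMS-----')
            DocumentEncrypted = $docEncrypted
        }
    }
}

# Constructed sample, not real compiler output: one protected, one plain credential.
$sampleMof = @'
instance of MSFT_Credential as $MSFT_Credential1ref
{
 Password = "-----BEGIN CMS-----\nCONSTRUCTED-PLACEHOLDER\n-----END CMS-----";
 UserName = "CONTOSO\\svc-share";
};
instance of MSFT_Credential as $MSFT_Credential2ref
{
 Password = "constructed-plain-text";
 UserName = "CONTOSO\\svc-plain";
};
instance of OMI_ConfigurationDocument
{
 ContentType="PasswordEncrypted";
};
'@

# Report only the credentials that are readable by anyone holding the MOF.
Test-MofCredentialEncryption -MofText $sampleMof |
    Where-Object { -not $_.PasswordEncrypted }
```

For the configuration in the first post, the text to check would come from `Get-Content -Raw` on the generated `localhost.mof`. A password passed into a `Script` resource as a plain string through `$Using:` is not an `MSFT_Credential` instance, so this check does not cover it.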
      