DSC secure string?


This topic contains 4 replies, has 2 voices, and was last updated by Participant 1 year, 2 months ago.

  • #80749

    Participant
    Points: 21
    Rank: Member

    Is there any way to secure the arguments string inside the package resource?

    Spent the day configuring the cert setup for using PsDscRunAsCredential and then.. oh yeah, the credentials are also in the Arguments string 🙁

  • #81151

    Keymaster
    Points: 1,704
    Helping Hand, Team Member
    Rank: Community Hero

    I'm not certain I follow... "also in the Arguments string?" "Inside the package resource?"

  • #81158

    Participant
    Points: 21
    Rank: Member

    Unfortunately I have something like this. I can encrypt the PsDscRunAsCredential but I also have to use this string in the arguments.

    
    # $SMSQLUSER and $SMSQLPASS are expanded into this here-string as plain text.
    $commandargs = @"
    /s /v" /qn SILENT_MODE=1 /Li SDInstall.log INSTALLDIR=\"c:\Program Files\NetApp\SnapDrive\" SVCUSERNAME=$SMSQLUSER SVCUSERPASSWORD=$SMSQLPASS"
    "@

    $credentials = New-Object System.Management.Automation.PSCredential($SMSQLUSER,$SMSQLPASS)

    WindowsFeature Netframework
    {
        Ensure = "Present"
        Name = "NET-Framework-Core"
    }

    Package SnapInstall
    {
        Ensure = "Present"
        Path = "c:\windows\temp\SnapDrive7.1.4P1_x64.exe"
        Name = "SnapDrive"
        ProductId = "{0BD0F422-C9DF-4438-ABCE-74805CC8C2F5}"
        # The same user name and password are passed again, unencrypted, in Arguments.
        Arguments = $commandargs
        PsDscRunAsCredential = $credentials
        DependsOn = '[WindowsFeature]Netframework'
    }
    
    
  • #81161

    Keymaster
    Points: 1,704
    Helping Hand, Team Member
    Rank: Community Hero

    Oh. So you're generally asking, "how can I protect sensitive information in an argument" regardless of whether it's a credential per se.

    That was more or less asked at https://stackoverflow.com/questions/44585764/passing-securestring-variables-to-dsc-configuration-for-read-only-domain-control also.

    Also at https://github.com/PowerShell/xPSDesiredStateConfiguration/issues/266, which gives us a clue: you can't. The intent would be to have that data live in some kind of key vault, and you'd retrieve it dynamically somehow.

  • #81365

    Participant
    Points: 21
    Rank: Member

    Thanks. I hope encrypting the entire mof is planned for the future.

The topic ‘DSC secure string?’ is closed to new replies.
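
Since the thread concludes that the Arguments string cannot be encrypted, a practical check is to scan compiled MOF files for secret-looking `KEY=value` pairs inside string properties before they are published. This is an added example, not code from the thread or from the DSC project; the function name `Find-MofPlaintextSecret`, the marker list and the sample MOF text are assumptions made up for illustration.

```powershell
# Constructed sample of a compiled MOF; every value is a placeholder, not real data.
$sampleMof = @'
instance of MSFT_PackageResource as $MSFT_PackageResource1ref
{
 ResourceID = "[Package]SnapInstall";
 Name = "SnapDrive";
 Arguments = "/s /v\" /qn SILENT_MODE=1 SVCUSERNAME=EXAMPLE\\svc SVCUSERPASSWORD=PlaceholderPw1\"";
 ModuleName = "PSDesiredStateConfiguration";
};
'@

function Find-MofPlaintextSecret {
    param(
        [Parameter(Mandatory)] [string] $MofText,
        # Assumption: substrings that mark a key name as sensitive; tune per environment.
        [string[]] $Marker = @('PASSWORD', 'PASSWD', 'PWD', 'SECRET', 'TOKEN', 'APIKEY')
    )
    $markerPattern = ($Marker | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # A single-line MOF string property: Name = "value"; (value may hold \" and \\ escapes).
    $propertyRegex = [regex] '(?m)^\s*(?<prop>\w+)\s*=\s*"(?<value>(?:[^"\\]|\\.)*)"\s*;'
    # KEY=value inside that string, where KEY contains one of the markers.
    $pairRegex = [regex] "(?i)(?<key>\w*(?:$markerPattern)\w*)=(?<val>[^\s""\\]+)"

    # Assumption: ResourceID precedes the other properties of its instance block.
    $resourceId = '(unknown)'
    foreach ($m in $propertyRegex.Matches($MofText)) {
        $prop  = $m.Groups['prop'].Value
        $value = $m.Groups['value'].Value
        if ($prop -eq 'ResourceID') { $resourceId = $value; continue }
        foreach ($p in $pairRegex.Matches($value)) {
            [pscustomobject]@{
                ResourceId  = $resourceId
                Property    = $prop
                Key         = $p.Groups['key'].Value
                # Report only the length so the finding does not repeat the secret.
                ValueLength = $p.Groups['val'].Value.Length
            }
        }
    }
}

# Flags the SVCUSERPASSWORD pair in the Arguments property of [Package]SnapInstall.
Find-MofPlaintextSecret -MofText $sampleMof | Format-Table -AutoSize
```

To check a real file, pass `Get-Content -Raw` of the compiled `.mof` as `-MofText`.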