Composite resource credentials encryption

kirov · April 1, 2020, 9:33am

Hi,

I have a working configuration script which encrypts my credentials inside the MOF. I am now working on splitting the entire configuration script in composite resource. One of the composite resource installs Windows Feature role (everything works as expected) but on the second composite resource, I need to pass credentials to the resource in order to access it.

Main Configuration script:

Configuration Test {
param (
[Parameter(Mandatory = $true)]
[ValidateNotNullorEmpty()]
[System.Management.Automation.PSCredential]
[Alias('Type your username and password')]
$Credential
)

Import-DscResource -ModuleName CompositeResource

node localhost {

WebServer-CommonPackage TestResource{
CredentialShare = $CredentialShare
}

}
}

Test -ConfigurationData ConfigData.psd1 


Configuration CompositeResource
{
    param (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullorEmpty()]
        [System.Management.Automation.PSCredential]
        $CredentialShare
    )
    PackageApplication {
        Ensure    = 'Present'
        Path      = "SharePath"
        Name      = Name
        ProductID = ProductID
        Arguments = Arguments
        Credential = $CredentialShare                   
    }
In configuration data I also have
@{
    AllNodes = @(
        @{
            Environment                 = 'DEV'
            NodeName                    = 'localhost'
            PSDSCAllowPlainTextPassword = $false
            Certificatefile             = 'PublicKey.cer'
            Thumbprint                  = 'thumbprint'}
)
}

Every time I try to compile I get the following errror:

ConvertTo-MOFInstance : System.InvalidOperationException error processing property 'PsDscRunAsCredential' OF TYPE 'File': Converting and storing encryp ted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog

I need to use credentials for package as I need to install multiple applications directly from share and not have to copy them locally.

Thanks

kvprasoon · April 3, 2020, 2:22pm

Are you allowing DSC to use passwords in configuration ? How are you encrypting it ?

kirov · April 6, 2020, 10:22am

Hi,

If I don’t try to do composite resource module, then everything is encrypted and working, as in my configuration data I have defined both the .cer file path, thumbprint and everything that is need.

The issue is when I try to use credentials inside the composite resource module, then I get the error. I need Credential and not PsDscRunAsCredential as my share requires authentication in order, not to run the installation under a certain user.

dan-iverson · April 14, 2020, 10:30am

Configuration DSC_Deploy
{

    param
    (
        [Parameter()]
        [ValidateNotNull()]
        [PSCredential]$Credential
    )

    $CredUser = $Credential.UserName
    $CredPass = $Credential.GetNetworkCredential().Password

    Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

    Node $AllNodes.Where{$_.Property -eq "Yes"}.NodeName
    {
        Script ScriptDBBackup
        {
            SetScript = {

$query_backup = @'
                SELECT 

'@
                $backupList = Invoke-Sqlcmd -Database $BcsDbName -Username $Using:CredUser -Password $Using:CredPass -Query $query_backup 
            }
            TestScript = {

                if (  -not [string]::IsNullOrEmpty($TasksServiceName) ) {
                $ServObj = Get-Service -Name $TasksServiceName
                    if ( $ServObj.Status -eq 'Stopped' ) {
                        Write-Verbose -Message "The service $TasksServiceName has stopped."
                        return $false
                        ##########  AFTER TESING CHANGE TO FALSE
                    }else {
                        Write-Verbose -Message 'Service $TasksServiceName is not stopped.'
                        $ServObj | Stop-Service -PassThru | foreach {
                            if ( $_.Status -eq 'stopped' ) { 
                                Write-Verbose -Message "The service $TasksServiceName has stopped."
                                return $false
                            } else {
                                Write-Verbose -Message 'Service not stopped.'
                                return $true
                            }
                        }
                    }
                }else {
                    Write-Verbose -Message 'The variables not populated.'
                    return $true
                }
            }
            GetScript = {
            }
        }
    }
}

$username = 'anadm8in'
$pw = '@password123'
$pwss = (ConvertTo-SecureString $pw -AsPlainText -Force)
$creds = New-Object System.Management.Automation.PSCredential($username, $pwss)
DSC_Deploy  -Credential $creds -ConfigurationData $cfgData -OutputPath $outP

Topic		Replies	Views
Encrypting a password in a DSC Script Resource DSC	10	454	January 12, 2016
Problem with ConfiguratinData and Composite Resources DSC	5	271	January 12, 2016
DSC Encrypting multiple Credentials DSC	4	292	April 3, 2017
Facing issue while Encrypting Credentials in DSC MOF Files DSC	1	311	May 27, 2016
Import pfx DSC	1	412	December 13, 2018

Composite resource credentials encryption

Related topics