Create pscredential object with string password, without using convertto-securestring -asplaintext

Hoping someone has a brilliant solution for me, spent a few days beating on this.
I’m in a fully monitored environment, so all posh logging is enabled.

I retrieve a password from our CyberArk vault via API. The result is always plaintext/JSON.

I need to build a pscredential object from the password that is retrieved to connect to O365.
Pscredential only allows securestrings for the password value.

If I execute $pw|convertto-securestring -asplaintext -force
the contents of $pw are stored in the Event Viewer as pipeline details, thus password in plaintext.

Kind of at the end of my rope on this one, hoping someone has some solution that I haven’t run across.

Logging is always good, but if you don’t want it to get logged there is no skip option; instead you can disable the logging.

IMO, PowerShell won’t show this unless you enable additional logging (module logging or script block logging).

Yah, that’s the issue, we definitely have to have logging for secops purposes. So just turning logging off probably isn’t an option.

Seems MS has encrypted logging that “might” give me a shot.
Super frustrating to build a credential object, but MS doesn’t give us an option to build one with strings without exposing them.

Does your logging software capture the contents of all variables? I note in your original post you state

But I’m guessing it’s not as straightforward as not using the pipeline and using

ConvertTo-SecureString $pw -AsPlainText -Force ?

Yah, not that straightforward.

The contents of the variable are being caught up in scriptblock logging.

Logging captures all things being executed, as well as contents of all variables being passed.

I thought that was probably the case.

Is this something you need to automate on lots of machines or with a frequently changing password? If not, using Get-Credential and storing the PSCredential object could be an option. I can’t think of any other way you can prevent the password being logged.
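
An added example, not part of the thread: one way to build the SecureString through .NET method calls rather than a cmdlet, so the plaintext is never bound to a cmdlet parameter or passed as pipeline input, which is what the pipeline execution details record. `$vaultResponse`, its `UserName` and `Content` properties and both values are constructed stand-ins; whether this keeps the value out of the logs in a given environment is an assumption to verify there.

```powershell
# Requires PowerShell 5.0 or later for the ::new() syntax.

# Constructed stand-in for the parsed JSON returned by the vault API.
# In real use this object comes from the API call; the property names
# and both values are assumptions made for this example.
$vaultResponse = [pscustomobject]@{
    UserName = 'svc-o365@example.com'
    Content  = 'Constructed-Example-Pw1!'
}
$expectedLength = $vaultResponse.Content.Length

# Build the SecureString with .NET methods only. No cmdlet receives the
# plaintext as a parameter or as pipeline input.
$secure = [System.Security.SecureString]::new()
try {
    # 'foreach' is a language statement, not the ForEach-Object cmdlet.
    foreach ($ch in $vaultResponse.Content.ToCharArray()) {
        $secure.AppendChar($ch)
    }
    $secure.MakeReadOnly()
}
catch {
    $secure.Dispose()
    throw
}

# PSCredential's constructor takes (string, SecureString).
$cred = [pscredential]::new($vaultResponse.UserName, $secure)

# Drop the references to the plaintext. The string itself is immutable
# and stays in memory until the garbage collector reclaims it.
$vaultResponse.Content = $null
$vaultResponse = $null

# Sanity check without echoing the secret: compare lengths only.
if ($cred.Password.Length -ne $expectedLength) {
    throw 'SecureString length does not match the source string.'
}
```

The literal in this sample is part of the script text, so script block logging (event ID 4104) will record it; a value fetched at run time is not part of the script text. To confirm the behaviour under your own policy, run it with a canary value fetched at run time and search event IDs 4103 and 4104 in the Microsoft-Windows-PowerShell/Operational log for that value.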