Can you pass a $PSCredential down, maybe as a File resource that the script can rely on? The scripts may need to be modified per https://technet.microsoft.com/en-us/magazine/ff714574.aspx
Rob Nelson [email protected]

On Wed, Apr 20, 2016 at 10:52 AM, Ian Oberst <[email protected]> wrote:

> I've had a number of conversations with various Puppet folks about this
> and it remains a bit of a sticky issue, namely *how do we safely handle
> powershell scripts where we need to pass credentials or other sensitive
> information to Powershell?*
>
> The scenario here is that we have a situation where we need to give
> Powershell some credentials to perform some sort of work on the system. Due
> to restrictions we have to pass these credentials via Puppet in some
> fashion, e.g. we can't or don't have access to a key manager that
> Powershell can talk to directly, meaning that Puppet is the only route of
> providing the secrets to the node. (I do understand there are other
> issues here as well, such as getting secrets securely passed in the
> catalog, but I'm setting that aside for now.)
>
> Recent incarnations of the Powershell provider all write a temp file to
> disk that contains the powershell code to be invoked. This means that if I
> have the credentials placed directly in the script (which generally seems
> the route I have to take) that I'll have written them to disk.
> Additionally, the exec module itself has logging that will log the command
> out to both the event log and the Puppet report, which will expose
> credentials. None of these outcomes are very good.
>
> The approach I've tried to take is going the route of signed powershell
> scripts so we can invoke them with command line parameters rather than
> using stdin, which is the route the current Powershell provider takes. This
> seems at the moment to side-step some of the above mentioned problems
> depending on how you communicate those command line parameters to the
> provider. However, I'd like to align with the longer-term strategy, if
> possible, of how Powershell scripts are invoked within the Puppet supported
> provider.
>
> So...what's the best way of handling this?
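One way to implement the approach Rob suggests above (ship the credential as a file and keep only a path on the command line, so neither the temp script nor the exec log ever holds the secret), added here as an example and not code from the thread or from the Puppet PowerShell provider; the script name, file paths, ACL and the one-time Export-Clixml step are assumptions:

```powershell
<#
  Added example (not from the thread). The script receives only a file path
  on its command line. The credential itself lives in a CLIXML file that was
  created beforehand by the same Windows account the script runs as:
  Export-Clixml protects the SecureString with that account's DPAPI key, so
  the file is useless to other accounts or on another machine.

  One-time setup, run interactively as the service account (not by Puppet):
    Get-Credential | Export-Clixml -Path 'C:\ProgramData\svc\cred.xml'
  Then restrict the file's ACL to that account and Administrators.

  Puppet side (puppetlabs-powershell provider), assumed paths:
    exec { 'do-work':
      command  => 'C:\scripts\Do-Work.ps1 -CredentialPath C:\ProgramData\svc\cred.xml',
      provider => powershell,
    }
  Only the path appears in the event log and the Puppet report.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
    [string]$CredentialPath
)

$ErrorActionPreference = 'Stop'

# Deserialize the DPAPI-protected credential; fails if a different account
# (or a different machine) tries to read it.
$cred = Import-Clixml -LiteralPath $CredentialPath
if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "Expected a PSCredential in '$CredentialPath', got $($cred.GetType().FullName)"
}

# Pass the PSCredential object itself to cmdlets that accept -Credential.
# Never call $cred.GetNetworkCredential().Password or splice the password
# into a command string: that is exactly what ends up in temp files and logs.
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {
    # Work that needs the credential goes here; whoami is just a check.
    whoami
}
```

If the script is signed (as the thread discusses), the signature still covers the file because the credential path is a runtime parameter, not script content.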
