Original conversation at https://github.com/puppetlabs/puppetlabs-powershell/issues/85
On Wed, Apr 20, 2016 at 10:49 AM, Rob Nelson <[email protected]> wrote:

> Can you pass a $PSCredential down, maybe as a File resource that the script can rely on? The scripts may need to be modified per https://technet.microsoft.com/en-us/magazine/ff714574.aspx
>
> Rob Nelson
> [email protected]
>
> On Wed, Apr 20, 2016 at 10:52 AM, Ian Oberst <[email protected]> wrote:
>
>> I've had a number of conversations with various Puppet folks about this and it remains a bit of a sticky issue, namely *how do we safely handle powershell scripts where we need to pass credentials or other sensitive information to Powershell?*
>>
>> The scenario here is that we have a situation where we need to give Powershell some credentials to perform some sort of work on the system. Due to restrictions we have to pass these credentials via Puppet in some fashion, e.g. we can't or don't have access to a key manager that Powershell can talk to directly, meaning that Puppet is the only route of providing the secrets to the node. (I do understand there are other issues here as well, such as getting secrets securely passed in the catalog, but I'm setting that aside for now.)
>>
>> Recent incarnations of the Powershell provider all write a temp file to disk that contains the powershell code to be invoked. This means that if I have the credentials placed directly in the script (which generally seems the route I have to take) that I'll have written them to disk.

Additional information here - when the 1.x PowerShell provider writes this file to disk, it holds an exclusive lock on the file and it deletes it immediately after use. Still touches the disk, so I understand your concern. The 2.x PowerShell provider (unreleased at this time) does not write out a file to disk.

>> Additionally, the exec module itself has logging that will log the command out to both the event log and the Puppet report, which will expose credentials. None of these outcomes are very good.
>>
>> The approach I've tried to take is going the route of signed powershell scripts so we can invoke them with command line parameters rather than using stdin, which is the route the current Powershell provider takes. This seems at the moment to side-step some of the above mentioned problems depending on how you communicate those command line parameters to the provider. However, I'd like to align with the longer-term strategy, if possible, of how Powershell scripts are invoked within the Puppet supported provider.
>>
>> So...what's the best way of handling this?
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/5bd0c1ad-d53a-4135-872c-62cfe4463cf5%40googlegroups.com

--
Rob Reynolds
Developer, Puppet
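As an added illustration of the File-resource approach Rob Nelson suggests (this is example code, not from the thread or the puppetlabs-powershell module): the script takes only a username and a file path on its command line, so nothing secret lands in the exec command that Puppet logs to the event log and report. It assumes the file was written on the same host by the same account with `Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content <path>`, i.e. protected by DPAPI; the parameter names and path are hypothetical.

```powershell
# Added example: build a PSCredential from a DPAPI-protected file instead of
# embedding the password in the script body or the exec command line.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string]$UserName,
    # Hypothetical location, e.g. deployed by a Puppet File resource with mode 0600
    [Parameter(Mandatory = $true)][string]$CredentialPath
)

if (-not (Test-Path -Path $CredentialPath)) {
    throw "Credential file not found: $CredentialPath"
}

# ConvertTo-SecureString without -Key uses DPAPI, so the blob can only be
# decrypted by the user account that created it on this machine. That is the
# caveat for Puppet: the file has to be generated as the account the exec runs
# under, on the node itself; a blob copied from the master will not decrypt.
$encrypted = Get-Content -Path $CredentialPath | Select-Object -First 1
$secure    = $encrypted | ConvertTo-SecureString
$cred      = New-Object System.Management.Automation.PSCredential($UserName, $secure)

# Hand $cred to cmdlets that accept -Credential; the plaintext never appears in
# this script, in $MyInvocation.Line, or in the Puppet report.
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami }
```

A matching Puppet `exec` would run this with `powershell.exe -File C:\scripts\run.ps1 -UserName svc_app -CredentialPath C:\ProgramData\app\svc.cred` (hypothetical paths), so the logged command carries a path, not a secret.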
