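According to https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/extensions-dsc-template, the latest way to pass credentials from an ARM template to the DSC extension is to place the whole credential in the protectedSettings section, as shown below: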
"properties": {
  "publisher": "Microsoft.Powershell",
  "type": "DSC",
  "typeHandlerVersion": "2.24",
  "autoUpgradeMinorVersion": true,
  "settings": {
    "wmfVersion": "latest",
    "configuration": {
      "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallArchiveFileName'))]",
      "script": "[variables('dscSitecoreInstallScriptName')]",
      "function": "SitecoreInstall"
    },
    "configurationArguments": {
      "nodeName": "[parameters('CMCD VMName')]",
      "sitecorePackageUrl": "[concat(parameters('sitecorePackageLocation'), '/', parameters('sitecoreRelease'), '/', parameters('sitecorePackageFilename'))]",
      "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]",
      "sitecoreLicense": "[concat(parameters('sitecorePackageLocation'), '/', parameters('sitecoreLicenseFilename'))]",
      "domainName": "[parameters('domainName')]",
      "joinOU": "[parameters('domainOrgUnit')]"
    },
    "configurationData": {
      "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallConfigurationName'))]"
    }
  },
  "protectedSettings": {
    "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
    "configurationDataUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
    "configurationArguments": {
      "domainJoinCredential": {
        "userName": "[parameters('domainJoinUsername')]",
        "password": "[parameters('domainJoinPassword')]"
      }
    }
  }
}
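Azure DSC is supposed to handle the encryption/decryption of protectedSettings for me. This seems to work, because I can see that the protectedSettings are encrypted in the settings file on the VM, but the operation ultimately fails: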
VM has reported a failure when processing extension 'dsc-sitecore-de
v-install'. Error message: "The DSC Extension received an incorrect input: Comp
ilation errors occurred while processing configuration 'SitecoreInstall'. Pleas
e review the errors reported in error stream and modify your configuration code
appropriately. System.InvalidOperationException error processing property 'Cre
dential' OF TYPE 'xComputer': Converting and storing encrypted passwords as pla
in text is not recommended. For more information on securing credentials in MOF
file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.24.0.0\DSCWork\dsc-sitecore-d
ev-install.0\dsc-sitecore-dev-install.ps1:103 char:3
+ xComputer Converting and storing encrypted passwords as plain text is not r
ecommended. For more information on securing credentials in MOF file, please re
fer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find pat
h 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot
find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exis
t.
Another common error is to specify parameters of type PSCredential without an e
xplicit type. Please be sure to use a typed parameter in DSC Configuration, for
example:
configuration Example {
param([PSCredential] $UserAccount)
...
}.
Please correct the input and retry executing the extension.".
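The only way I can get it to work is to add PsDscAllowPlainTextPassword = $true to my configurationData, but I thought I was using the protectedSettings section to avoid using plain-text passwords...
Am I doing something wrong, or is it just my understanding that is wrong?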
Answer 0 (score: 2)
The correct way:
"settings": {
  "configuration": {
    "url": "xxx",
    "script": "xxx",
    "function": "xx"
  },
  "configurationArguments": {
    "param1": xxx,
    "param2": xxx
    etc...
  }
},
"protectedSettings": {
  "configurationArguments": {
    "NameOfTheCredentialsParameter": {
      "userName": "USERNAME",
      "password": "PASSWORD!1"
    }
  }
}
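This way you do not need PsDSCAllowPlainTextPassword = $true
Then you can receive the parameter in your configuration with
Configuration MyConf {
    param (
        [PSCredential] $NameOfTheCredentialsParameter
    )
    # resources go here
}
and use it in your resource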
Registry DoNotOpenServerManagerAtLogon {
    Ensure               = "Present"
    Key                  = "HKEY_CURRENT_USER\SOFTWARE\Microsoft\ServerManager"
    ValueName            = "DoNotOpenServerManagerAtLogon"
    ValueData            = 1
    ValueType            = "Dword"   # 32-bit integer value type of the DSC Registry resource
    PsDscRunAsCredential = $NameOfTheCredentialsParameter
}
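As an added example (not part of either answer and not Microsoft tooling), this Python check audits a DSC extension "properties" object for the layout discussed above: secret-looking names left in the public "settings" block, which is not encrypted, and credential objects under protectedSettings.configurationArguments that lack the userName/password shape. The name pattern and the trimmed sample (adapted from the question's template, with a made-up vmName parameter) are assumptions.

```python
import json
import re

# Names that suggest a secret; this pattern is an assumption, tune it for your templates.
SECRET_NAME = re.compile(r"(password|passwd|secret|sastoken|credential|accesskey)", re.I)

def walk(node, path=""):
    """Yield (dotted_path, key) for every key in nested dicts."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            yield here, key
            yield from walk(value, here)

def audit_dsc_properties(props):
    """Return a list of findings for one DSC extension 'properties' object."""
    findings = []
    # 1. Anything secret-looking under the public 'settings' is stored unencrypted.
    for path, key in walk(props.get("settings", {}), "settings"):
        if SECRET_NAME.search(key):
            findings.append(f"{path}: secret-looking name in public settings")
    # 2. Credentials in protectedSettings must be {userName, password} objects.
    args = props.get("protectedSettings", {}).get("configurationArguments", {})
    for name, value in args.items():
        if isinstance(value, dict) and {k.lower() for k in value} != {"username", "password"}:
            findings.append(f"protectedSettings.configurationArguments.{name}: "
                            "expected exactly userName and password")
    return findings

# Constructed sample, trimmed from the template in the question.
SAMPLE = json.loads("""
{"settings": {"configurationArguments": {
    "nodeName": "[parameters('vmName')]",
    "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]"
 }},
 "protectedSettings": {
    "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
    "configurationArguments": {"domainJoinCredential": {
        "userName": "[parameters('domainJoinUsername')]",
        "password": "[parameters('domainJoinPassword')]"
 }}}}
""")

if __name__ == "__main__":
    for finding in audit_dsc_properties(SAMPLE):
        print(finding)
```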
Answer 1 (score: 0)
You still need to use
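Here is the quoted section:
However, currently you must tell PowerShell DSC that it is okay for credentials to be output in plain text during node configuration MOF generation, because PowerShell DSC does not know that Azure Automation will encrypt the entire MOF file after it is generated via a compilation job.
Based on the above, it appears to be an order-of-operations issue. The MOF is generated and then encrypted.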