
Securely pass credentials to DSC Extension from ARM Template

According to https://docs.microsoft.com/zh-cn/azure/virtual-machines/windows/extensions-dsc-template, the current way to pass credentials from an ARM template to the DSC extension is to put the whole credential in the configurationArguments of the protectedSettings section, like this:

"properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.24",
    "autoUpgradeMinorVersion": true,
    "settings": {
        "wmfVersion": "latest",
        "configuration": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallArchiveFileName'))]",
            "script": "[variables('dscSitecoreInstallScriptName')]",
            "function": "SitecoreInstall"
        },
        "configurationArguments": {
            "nodeName": "[parameters('CMCD VMName')]",
            "sitecorePackageUrl": "[concat(parameters('sitecorePackageLocation'), '/',  parameters('sitecoreRelease'), '/', parameters('sitecorePackageFilename'))]",
            "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]",
            "sitecoreLicense": "[concat(parameters('sitecorePackageLocation'), '/', parameters('sitecoreLicenseFilename'))]",
            "domainName": "[parameters('domainName')]",
            "joinOU": "[parameters('domainOrgUnit')]"
        },
        "configurationData": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallConfigurationName'))]"
        }
    },
    "protectedSettings": {
        "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationDataUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationArguments": {
            "domainJoinCredential": {
                "userName": "[parameters('domainJoinUsername')]",
                "password": "[parameters('domainJoinPassword')]"
            }
        }
    }
}

Azure DSC should handle the encryption/decryption of protectedSettings for me. That does seem to work, because I can see that protectedSettings is encrypted in the settings file on the VM, but the operation ultimately fails with the following:

VM has reported a failure when processing extension 'dsc-sitecore-dev-install'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'SitecoreInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xComputer': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.24.0.0\DSCWork\dsc-sitecore-dev-install.0\dsc-sitecore-dev-install.ps1:103 char:3
+   xComputer Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.

Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:

    configuration Example {
        param([PSCredential] $UserAccount)
        ...
    }.
Please correct the input and retry executing the extension.".

The only way I can get it to work is to add PsDscAllowPlainTextPassword = $true to my configurationData, but I thought I was using the protectedSettings section precisely to avoid plain-text passwords...

Am I doing something wrong, or is my understanding simply off?

The correct way is:

"settings": {
    "configuration": {
        "url": "xxx",
        "script": "xxx",
        "function": "xx"
    },
    "configurationArguments": {
        "param1": xxx,
        "param2": xxx
        etc...
    }
},
"protectedSettings": {
    "configurationArguments": {
        "NameOfTheCredentialsParameter": {
            "userName": "USERNAME",
            "password": "PASSWORD!1"
        }
    }
}

This way, you don't need PsDSCAllowPlainTextPassword = $true.

Then you can use

Configuration MyConf {
    param (
        # Typed as [PSCredential] so the extension hands it over as a credential, not a plain string
        [PSCredential] $NameOfTheCredentialsParameter
    )
    # Node block and resources go here
}

and use it in your resource:

Registry DoNotOpenServerManagerAtLogon {
    Ensure = "Present"
    Key = "HKEY_CURRENT_USER\SOFTWARE\Microsoft\ServerManager"
    ValueName = "DoNotOpenServerManagerAtLogon"
    ValueData = 1
    ValueType = "Dword"   # Registry resource ValueType must be one of String/Binary/Dword/Qword/MultiString/ExpandString
    PsDscRunAsCredential = $NameOfTheCredentialsParameter   # the HKCU hive is written as this user
}
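As an added example (not code from the original answers or from Microsoft's docs), here is a PowerShell check that enforces the layout described above: secret-bearing values only under protectedSettings, and a typed [PSCredential] parameter in the DSC script for every protected credential. The template path, the DSC script path and the assumption that the extension is a top-level resource with properties.type = "DSC" are placeholders chosen for this example.

```powershell
# Added example: audit an ARM template's DSC extension resource so that secrets sit
# only under protectedSettings and each protected credential has a typed parameter.
# Assumptions (placeholders): template.json is the ARM template, install.ps1 the DSC
# script, and the extension is a top-level resource with properties.type = 'DSC'.
param(
    [string] $TemplatePath  = '.\template.json',
    [string] $DscScriptPath = '.\install.ps1'
)

$template  = Get-Content -Raw -Path $TemplatePath | ConvertFrom-Json
$dscSource = Get-Content -Raw -Path $DscScriptPath
$findings  = @()

$dscExtensions = $template.resources | Where-Object {
    $_.type -eq 'Microsoft.Compute/virtualMachines/extensions' -and $_.properties.type -eq 'DSC'
}

foreach ($ext in $dscExtensions) {
    $settings  = $ext.properties.settings
    $protected = $ext.properties.protectedSettings

    # 1. Nothing secret-looking may live in the unencrypted "settings" block.
    if ($settings.configurationArguments) {
        foreach ($p in $settings.configurationArguments.PSObject.Properties) {
            if ($p.Name -match 'password|secret|credential|sastoken') {
                $findings += "[$($ext.name)] configurationArguments.$($p.Name) is under settings; move it to protectedSettings"
            }
        }
    }
    foreach ($k in 'configurationUrlSasToken', 'configurationDataUrlSasToken') {
        if ($settings -and $settings.PSObject.Properties[$k]) {
            $findings += "[$($ext.name)] $k is under settings; it belongs in protectedSettings"
        }
    }

    # 2. Each protected credential must be a {userName, password} object, and the DSC
    #    configuration must declare a matching [PSCredential] parameter.
    if ($protected.configurationArguments) {
        foreach ($p in $protected.configurationArguments.PSObject.Properties) {
            $v = $p.Value
            if (-not ($v.PSObject.Properties['userName'] -and $v.PSObject.Properties['password'])) {
                $findings += "[$($ext.name)] protected argument $($p.Name) lacks userName/password"
            }
            if ($dscSource -notmatch "\[(System\.Management\.Automation\.)?PSCredential\]\s*`$$($p.Name)\b") {
                $findings += "[$($ext.name)] DSC script does not declare [PSCredential] `$$($p.Name)"
            }
        }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'DSC extension credential placement looks correct.'
```

Run against the question's own template, the check would flag sitecorePackageUrlSasToken, which sits under settings.configurationArguments rather than protectedSettings.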

The fact that you still need to use PsDSCAllowPlainTextPassword = $true is documented.

Here is the relevant section:

However, currently you must tell PowerShell DSC that it is okay for credentials to be output in plain text during node configuration MOF generation, because PowerShell DSC does not know that Azure Automation will encrypt the entire MOF file after it has been generated by the compilation job.

Based on the above, it looks like an order-of-operations issue: the MOF is generated first, then encrypted.


Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you republish them, please credit this site or the original source. For any questions contact yoyou2525@163.com.
