Support for Credentials
Summary of the new feature / enhancement
In order to be able to call certain types of resources, credential objects are required. It would be very useful to have an intuitive way to do this.
# example.dsc.config.yaml
$schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2023/10/config/document.json
resources:
- name: Get info from classic DSC resources
  type: DSC/PowerShellGroup
  properties:
    resources:
    - name: Get Teams App Permission Policy
      type: Microsoft365DSC/MSFT_TeamsAppPermissionPolicy
      properties:
        Identity: Global
        Credential:
          userName: "[email protected]"
          Password: "MyPassword"
Being able to define and then reference would be great, but maybe some interp. from dsc exec itself to get values from environment or a secret manager would be great too.
Proposed technical implementation details (optional)
No response
Since credentials are sensitive, we wouldn't want the password to be in cleartext within the configuration itself. Currently, you can use a SecretString parameter to pass it to the configuration and reference it via the parameter() function. It would look something like:
# example.dsc.config.yaml
$schema: https://raw.githubusercontent.com/PowerShell/DSC/main/schemas/2023/10/config/document.json
parameters:
  globalCredential:
    type: secureObject
resources:
- name: Get info from classic DSC resources
  type: DSC/PowerShellGroup
  properties:
    resources:
    - name: Get Teams App Permission Policy
      type: Microsoft365DSC/MSFT_TeamsAppPermissionPolicy
      properties:
        Identity: Global
        Credential:
          userName: "[parameters('globalCredential').username]"
          Password: "[parameters('globalCredential').password]"
Where globalCredential would look like:
{
  "username": "[email protected]",
  "password": "MyPassword"
}
So the parameters input or file would look like:
parameters:
  globalCredential:
    username: [email protected]
    password: MyPassword
And you would call dsc using:
dsc config -f ./globalCredentials.parameters.yaml get -p ./example.dsc.config.yaml
where -f specifies the file path to the parameters to be used and -p to the configuration file.
@SteveL-MSFT unfortunately, the adapter doesn't support it because it doesn't cast the Credential to a PSCredential object. For example, running the following configuration:
$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
parameters:
  CredentialObject:
    type: secureObject
resources:
- name: Configure service
  type: Microsoft.Windows/WindowsPowerShell
  properties:
    resources:
    - name: Configure service
      type: PSDesiredStateConfiguration/Service
      properties:
        Name: 'MSSQLSERVER'
        Credential:
          Username: "[parameters('CredentialObject').username]"
          Password: "[parameters('CredentialObject').password]"
Dumps out the following.
Just looking for an easy approach to solve this by searching for the Credential input and then attempt to cast it to a PSCredential object?
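The cast asked about in the last comment, sketched as an added example (not code from this issue or from the DSC PowerShell adapter). `Convert-CredentialProperty` is a hypothetical helper name, and the rule that a map holding exactly a username and a password key is a credential is an assumption.

```powershell
# Added example: Convert-CredentialProperty is a hypothetical helper, not adapter code.
function Convert-CredentialProperty {
    [CmdletBinding()]
    [OutputType([hashtable])]
    param(
        # Property bag of one resource instance, after parameters() has been resolved.
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [System.Collections.IDictionary] $Properties
    )

    $converted = @{}
    foreach ($name in @($Properties.Keys)) {
        $value = $Properties[$name]
        if ($value -isnot [System.Collections.IDictionary]) {
            $converted[$name] = $value          # scalars and arrays pass through unchanged
            continue
        }

        # Assumption: a map with exactly the keys username and password (any casing)
        # is a credential; every other map is walked recursively.
        $userKey = $value.Keys | Where-Object { $_ -ieq 'username' } | Select-Object -First 1
        $passKey = $value.Keys | Where-Object { $_ -ieq 'password' } | Select-Object -First 1
        if (-not ($userKey -and $passKey -and @($value.Keys).Count -eq 2)) {
            $converted[$name] = Convert-CredentialProperty -Properties $value
            continue
        }

        $password = [string] $value[$passKey]
        if ([string]::IsNullOrEmpty($password)) {
            # Fail closed, and keep the secret itself out of the error text.
            throw "Property '$name' has a username but an empty password."
        }
        $secure = ConvertTo-SecureString -String $password -AsPlainText -Force
        $converted[$name] = [pscredential]::new([string] $value[$userKey], $secure)
    }
    return $converted
}

# Constructed sample shaped like the Service resource properties above.
$props = @{
    Name       = 'MSSQLSERVER'
    Credential = @{ Username = 'CONTOSO\svc-sql'; Password = 'constructed-sample-value' }
}
$result = Convert-CredentialProperty -Properties $props
$result.Credential.GetType().FullName
$result.Credential.UserName
```

The returned hashtable can be splatted to a resource call; the plaintext password lives only in the local `$password` variable and is never written to an output or error stream.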