Powershell 使用Azure Automation在DSC中正确保护凭据
在Azure Automation中正确使用凭据的DSC配置的安全性如何 例如:Powershell 使用Azure Automation在DSC中正确保护凭据,powershell,azure,dsc,Powershell,Azure,Dsc,在Azure Automation中正确使用凭据的DSC配置的安全性如何 例如: configuration MyServer { param( [Parameter(Mandatory=$true)][PSCredential]$MyCredential ); # Some configuration using credentials } 通常,我会在每个节点上安装公钥和适当的证书,并在编译配置文档时将CertificateFile和指纹传递给Configuratio
configuration MyServer {
param(
[Parameter(Mandatory=$true)][PSCredential]$MyCredential
);
# Some configuration using credentials
}
通常,我会在每个节点上安装公钥和适当的证书,并在编译配置文档时将CertificateFile和指纹传递给ConfigurationData
在Azure自动化中,我找不到任何好的解决方案
文档中说Azure automation自己对整个MOF进行加密:文章指定使用PSAllowPlainTextCredentials
然后,当您将一个节点注册到其pull服务器并获取其配置时,只要您具有本地admin/read访问权限,就可以在下拉/更新后以明文形式读取密码。从安全角度来看,这是不好的
理想情况下,我希望将此类公钥/证书上载到Azure Automation凭据,并在启动编译作业时将其用作ConfigurationData的一部分
但是今天,“CertificateFile”需要的是路径,而不是AutomationCertificate,因此我看不到使用Azure Automation中存在的任何公钥启动编译作业的方法。运行作业时,我看不到任何引用我的资产证书的方法
如果这在Azure automation的当前状态下是可能的,以及他们使用DSC/pull的方式使用Azure automation或Azure Key vault中的资产存储来正确保护它,有什么想法吗?您应该创建Azure automation凭据并在配置中引用它,如下所示:
# Compile mof
$ConfigurationData = @{
AllNodes = @(
@{
NodeName = $nodeName
PSDscAllowPlainTextPassword = $true
}
)
}
$Parameters = @{
"nodeName" = $nodeName
"credential" = $credName ##### Notice this is only the name on Azure Automation Credential Asset, Azure Automation will securely pull those and use in the compilation
}
Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
-ConfigurationName $configurationName -Parameters $Parameters -ConfigurationData $ConfigurationData
您不应该担心PSDscAllowPlainTextPassword
,因为Azure Automation会为您加密所有静止的内容,只是DSC不知道这一点(因此您必须将其提供给DSC引擎)
在DSC中,您应该有如下内容:
Configuration name
{
Param (
[Parameter(Mandatory)][ValidateNotNullOrEmpty()][String]$nodeName,
[Parameter(Mandatory)][ValidateNotNullOrEmpty()][pscredential]$credential
)
Import-DscResource -Module modules
Node $nodeName {DOSTUFF}
}
您应该创建Azure Automation凭据并在配置中引用它,如下所示:
# Compile mof
$ConfigurationData = @{
AllNodes = @(
@{
NodeName = $nodeName
PSDscAllowPlainTextPassword = $true
}
)
}
$Parameters = @{
"nodeName" = $nodeName
"credential" = $credName ##### Notice this is only the name on Azure Automation Credential Asset, Azure Automation will securely pull those and use in the compilation
}
Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
-ConfigurationName $configurationName -Parameters $Parameters -ConfigurationData $ConfigurationData
您不应该担心PSDscAllowPlainTextPassword
,因为Azure Automation会为您加密所有静止的内容,只是DSC不知道这一点(因此您必须将其提供给DSC引擎)
在DSC中,您应该有如下内容:
Configuration name
{
Param (
[Parameter(Mandatory)][ValidateNotNullOrEmpty()][String]$nodeName,
[Parameter(Mandatory)][ValidateNotNullOrEmpty()][pscredential]$credential
)
Import-DscResource -Module modules
Node $nodeName {DOSTUFF}
}
从Azure Automation向DSC文件传递凭据的正确方法是使用Azure Automation凭据 然后在DSC文件中使用命令Get AutomationPSCredential 例如:
Configuration BaseDSC
{
Import-DscResource -ModuleName xActiveDirectory
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName XNetworking
$Credential = Get-AutomationPSCredential -Name "CredentialName"
Node $AllNodes.Nodename
{ ...
凭据在Azure Automation中加密存储,并在运行编译作业时放入Azure Automation中的加密MOF文件中
此外,可以在Azure Automation中更新密码,然后只需重新编译即可在MOFs中更新密码
无法从Azure以明文形式检索密码。从Azure Automation向DSC文件传递凭据的正确方法是使用Azure Automation凭据 然后在DSC文件中使用命令Get AutomationPSCredential 例如:
Configuration BaseDSC
{
Import-DscResource -ModuleName xActiveDirectory
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName XNetworking
$Credential = Get-AutomationPSCredential -Name "CredentialName"
Node $AllNodes.Nodename
{ ...
凭据在Azure Automation中加密存储,并在运行编译作业时放入Azure Automation中的加密MOF文件中
此外,可以在Azure Automation中更新密码,然后只需重新编译即可在MOFs中更新密码
无法从Azure以明文形式检索密码。使用安全凭据,将用户创建到Windows服务器,并使用dsc添加到管理员组: **解决方案(PowerShell DSC)** 首先:从azure门户或使用任何azure模块在自动化帐户中创建凭据 主页>资源组>自动化帐户>凭据
Configuration user_windows_user
{
param
(
[Parameter()][string]$username,
[Parameter()]$azurePasswordCred **#name (string)of the credentials**
)
$passwordCred = Get-AutomationPSCredential -Name $azurePasswordCred
Node "localhost"
{
User UserAdd
{
Ensure = "Present" # To ensure the user account does not exist, set Ensure to "Absent"
UserName = $username
FullName = "$username-fullname"
PasswordChangeRequired = $false
PasswordNeverExpires = $false
Password = $passwordCred # This needs to be a credential object
}
Group AddtoAdministrators
{
GroupName = "Administrators"
Ensure = "Present"
MembersToInclude = @($username)
}
}
} # end of Configuration
#
$cd = @{
AllNodes = @(
@{
NodeName = 'localhost'
PSDscAllowPlainTextPassword = $true
}
)
}
- 在azure automation>configuration中上载Dsc文件
- 编译配置(提供输入-用户名、凭证名称(字符串)
- 将配置添加到节点并等待配置部署
Configuration user_windows_user
{
param
(
[Parameter()][string]$username,
[Parameter()]$azurePasswordCred **#name (string)of the credentials**
)
$passwordCred = Get-AutomationPSCredential -Name $azurePasswordCred
Node "localhost"
{
User UserAdd
{
Ensure = "Present" # To ensure the user account does not exist, set Ensure to "Absent"
UserName = $username
FullName = "$username-fullname"
PasswordChangeRequired = $false
PasswordNeverExpires = $false
Password = $passwordCred # This needs to be a credential object
}
Group AddtoAdministrators
{
GroupName = "Administrators"
Ensure = "Present"
MembersToInclude = @($username)
}
}
} # end of Configuration
#
$cd = @{
AllNodes = @(
@{
NodeName = 'localhost'
PSDscAllowPlainTextPassword = $true
}
)
}
- 在azure automation>configuration中上载Dsc文件
- 编译配置(提供输入-用户名、凭证名称(字符串)
- 将配置添加到节点并等待配置部署