Securely pass credentials to DSC Extension from ARM Template

Submitted by 懵懂的女人 on 2019-12-12 01:57:08

Question


According to https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/extensions-dsc-template, the latest method for passing credentials from an ARM template to a DSC extension is by placing the whole credential within the configurationArguments of the protectedSettings section, as shown below:

"properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.24",
    "autoUpgradeMinorVersion": true,
    "settings": {
        "wmfVersion": "latest",
        "configuration": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallArchiveFileName'))]",
            "script": "[variables('dscSitecoreInstallScriptName')]",
            "function": "SitecoreInstall"
        },
        "configurationArguments": {
            "nodeName": "[parameters('CMCD VMName')]",
            "sitecorePackageUrl": "[concat(parameters('sitecorePackageLocation'), '/',  parameters('sitecoreRelease'), '/', parameters('sitecorePackageFilename'))]",
            "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]",
            "sitecoreLicense": "[concat(parameters('sitecorePackageLocation'), '/', parameters('sitecoreLicenseFilename'))]",
            "domainName": "[parameters('domainName')]",
            "joinOU": "[parameters('domainOrgUnit')]"
        },
        "configurationData": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallConfigurationName'))]"
        }
    },
    "protectedSettings": {
        "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationDataUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationArguments": {
            "domainJoinCredential": {
                "userName": "[parameters('domainJoinUsername')]",
                "password": "[parameters('domainJoinPassword')]"
            }
        }
    }
}

Azure DSC is supposed to handle the encrypting/decrypting of the protectedSettings for me. This does appear to work, as I can see that the protectedSettings are encrypted within the settings file on the VM, however the operation ultimately fails with:

VM has reported a failure when processing extension 'dsc-sitecore-dev-install'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'SitecoreInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xComputer': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.24.0.0\DSCWork\dsc-sitecore-dev-install.0\dsc-sitecore-dev-install.ps1:103 char:3
+   xComputer Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.

Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:

    configuration Example {
        param([PSCredential] $UserAccount)
        ...
    }.
Please correct the input and retry executing the extension.".

The only way that I can make it work is to add PsDscAllowPlainTextPassword = $true to my configurationData, but I thought I was using the protectedSettings section to avoid using plain text passwords...

Am I doing something wrong, or is it simply that my understanding is wrong?


Answer 1:


The fact that you still need to use PsDSCAllowPlainTextPassword = $true is documented.

Here is the quoted section:

However, currently you must tell PowerShell DSC it is okay for credentials to be outputted in plain text during node configuration MOF generation, because PowerShell DSC doesn’t know that Azure Automation will be encrypting the entire MOF file after its generation via a compilation job.

Based on the above, it seems that it is an order of operations issue. The MOF is generated and THEN encrypted.




Answer 2:


Proper way of doing this:

"settings": {
    "configuration": {
        "url": "xxx",
        "script": "xxx",
        "function": "xx"
    },
    "configurationArguments": {
        "param1": "xxx",
        "param2": "xxx"
    }
},
"protectedSettings": {
    "configurationArguments": {
        "NameOfTheCredentialsParameter": {
            "userName": "USERNAME",
            "password": "PASSWORD!1"
        }
    }
}

this way you don't need PsDSCAllowPlainTextPassword = $true

Then you can receive the parameters in your Configuration with

Configuration MyConf {
    param (
        # Typed explicitly, as the extension's error message requires
        [PSCredential] $NameOfTheCredentialsParameter
    )
    # resources go here
}

And use it in your resource:

Registry DoNotOpenServerManagerAtLogon {
    Ensure = "Present"
    Key = "HKEY_CURRENT_USER\SOFTWARE\Microsoft\ServerManager"
    ValueName = "DoNotOpenServerManagerAtLogon"
    ValueData = 1
    # The Registry resource's ValueType accepts String, Binary, Dword, Qword, MultiString or ExpandString
    ValueType = "Dword"
    PsDscRunAsCredential = $NameOfTheCredentialsParameter
}
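An added lint check, written for this page and not taken from the question, either answer, or Microsoft's tooling, that runs offline over the two artefacts discussed above: the DSC extension's properties JSON from the template (as in the question) and the text of the DSC configuration (as in the answer). It flags credential objects or secret-looking argument names left in settings.configurationArguments, which the extension stores unencrypted on the VM (the question's template passes a SAS token there), and for each credential object under protectedSettings.configurationArguments it confirms that the configuration's param() block declares a parameter of that name typed [PSCredential], the second condition the error message calls out. The sample JSON and configuration text are constructed, trimmed versions of what the question shows; the param() parser assumes the simple declaration style used in those samples.

```python
"""Offline lint for an Azure DSC extension resource (example added to this page, not Microsoft tooling).

Two checks a reviewer would run before deploying the template:
  1. nothing secret-looking is passed through settings.configurationArguments, which the
     extension stores unencrypted on the VM; credentials belong in protectedSettings;
  2. every credential object in protectedSettings.configurationArguments is received by a
     parameter declared as [PSCredential] in the DSC configuration's param() block.
"""
import json
import re

# Constructed sample: a trimmed DSC extension 'properties' block shaped like the one in the question.
SAMPLE_PROPERTIES = json.loads(r'''
{
  "publisher": "Microsoft.Powershell",
  "type": "DSC",
  "typeHandlerVersion": "2.24",
  "settings": {
    "configuration": {
      "url": "https://example.invalid/dsc.zip",
      "script": "install.ps1",
      "function": "SitecoreInstall"
    },
    "configurationArguments": {
      "nodeName": "[parameters('vmName')]",
      "domainName": "[parameters('domainName')]",
      "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]"
    }
  },
  "protectedSettings": {
    "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
    "configurationArguments": {
      "domainJoinCredential": {
        "userName": "[parameters('domainJoinUsername')]",
        "password": "[parameters('domainJoinPassword')]"
      }
    }
  }
}
''')

# Constructed DSC configuration text: the credential parameter is untyped, which the error message warns against.
SAMPLE_CONFIGURATION = r'''
Configuration SitecoreInstall {
    param (
        [string] $nodeName,
        [string] $domainName,
        [string] $sitecorePackageUrlSasToken,
        $domainJoinCredential
    )
    # resources omitted
}
'''

# The same configuration with the parameter typed, which is what the answer recommends.
SAMPLE_CONFIGURATION_FIXED = SAMPLE_CONFIGURATION.replace(
    "        $domainJoinCredential",
    "        [Parameter(Mandatory = $true)]\n        [PSCredential] $domainJoinCredential")

SECRET_HINT = re.compile(r"password|secret|token|key", re.I)
PARAM_BLOCK_RE = re.compile(r"param\s*\((?P<body>.*?)\n\s*\)", re.S | re.I)
PARAM_ATTR_RE = re.compile(r"\[Parameter\([^)]*\)\]", re.I)
PARAM_RE = re.compile(r"(?:\[(?P<type>[\w.]+)\]\s*)?\$(?P<name>\w+)")


def is_credential_object(value):
    """An ARM credential object is a JSON object with userName and password members."""
    return isinstance(value, dict) and {"userName", "password"} <= set(value)


def find_unprotected_secrets(properties):
    """Names in settings.configurationArguments that are credential objects or look like secrets."""
    args = properties.get("settings", {}).get("configurationArguments", {})
    return sorted(name for name, value in args.items()
                  if is_credential_object(value) or SECRET_HINT.search(name))


def credential_parameter_names(properties):
    """Names of credential objects passed through protectedSettings.configurationArguments."""
    args = properties.get("protectedSettings", {}).get("configurationArguments", {})
    return sorted(name for name, value in args.items() if is_credential_object(value))


def declared_parameter_types(configuration_text):
    """Map lower-cased parameter name -> declared type (None if untyped) from the param() block.
    Assumes the simple style in the samples: one parameter per comma-separated item, an optional
    [Parameter(...)] attribute and an optional [Type] prefix; PowerShell names are case-insensitive."""
    block = PARAM_BLOCK_RE.search(configuration_text)
    if block is None:
        return {}
    body = PARAM_ATTR_RE.sub("", block.group("body"))
    types = {}
    for item in body.split(","):
        match = PARAM_RE.search(item)
        if match:
            types[match.group("name").lower()] = match.group("type")
    return types


def untyped_credential_parameters(properties, configuration_text):
    """For each protected credential, say why the configuration cannot receive it as a
    PSCredential; an empty dict means every credential has a matching typed parameter."""
    types = declared_parameter_types(configuration_text)
    problems = {}
    for name in credential_parameter_names(properties):
        key = name.lower()
        if key not in types:
            problems[name] = "not declared in param()"
        elif types[key] is None:
            problems[name] = "declared without a type"
        elif types[key].split(".")[-1].lower() != "pscredential":
            problems[name] = "declared as [%s], expected [PSCredential]" % types[key]
    return problems


if __name__ == "__main__":
    print("secret-looking arguments in unprotected settings:", find_unprotected_secrets(SAMPLE_PROPERTIES))
    print("credential parameter problems:", untyped_credential_parameters(SAMPLE_PROPERTIES, SAMPLE_CONFIGURATION))
    print("after typing the parameter:", untyped_credential_parameters(SAMPLE_PROPERTIES, SAMPLE_CONFIGURATION_FIXED))
```

Against the constructed sample the first check reports the SAS token passed through the unprotected settings block, and the second reports domainJoinCredential as "declared without a type"; once the parameter is declared [PSCredential] the second check returns nothing. The name heuristic is deliberately broad (password, secret, token, key) so that a reviewer sees candidates and decides, rather than silently missing one.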


Source: https://stackoverflow.com/questions/43498772/securely-pass-credentials-to-dsc-extension-from-arm-template
