Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text
Since the OO flows for some things (like reading Datastore information) are pretty slow, I decided to try using PowerCLI.
It works pretty fast, and there are a lot of things you can do with powershell and PowerCLI.
The down-sides: PowerCLI needs to be installed on the RAS servers and Studios where you are developing. (Not hard, we made a SW Policy for this in SA and pushed it this way.) Any sensitive information (passwords etc.) has to be stored on the RAS end in encrypted format. This is because if you pass a password (even obfuscated) to the PowerShell script operation, it resolves it to the clear text and stores it in the event log, meaning anyone running the flow could read the password.
Does anyone have any ideas how we can prevent passwords or the script source from being recorded?
For example, the following runs just fine. However, the password is stored in the event log on Central.
You run this ONCE for that specific IP/login/password combo. This stores a credential locally somewhere on your RAS instance for the Local System Account (assuming RAS is running as the Local System Account, which it does by default). The stored cred is specific to the vCenter/login/password triple combo. Pretty sure you could run this multiple times for multiple vCenter logins, creating multiple vCenter IP/login/password cached combos. However, a scale issue immediately comes to mind if you're attempting to use OO with AD for authentication into a vCenter that is also AD-auth'ed. In this case, you're out of luck. For one to several static logins that OO always uses, this could work.
Each time your RAS hits that vCenter Server, it will always use that same vCenter Login/Password when using the right switches on the commands.
Later say you update the password to the <vCenter Login> and need OO to get the same information. You run this:
Remove-VICredentialStoreItem -Host [vCenter Server IP/hostname] -Confirm:$false
The -Confirm:$false is very important! PowerShell by default wants to prompt you to confirm you're deleting this stored credential information. The $false stops that confirmation and just does it. Then you run the flow, setting up a new login/password combo for that vCenter host/IP again.
Now your PowerShell scripts simply reference the VMware vCenter Server hostname whose credential you cached, without needing a password:
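As an added example (not the poster's own script, which is not reproduced on the page), here is the full credential-store cycle the post describes: cache the credential once under the account the RAS service runs as, connect from the flow-time script with no password in it, and rotate the entry when the password changes. The vCenter hostname, the service login and the script path are placeholders; Connect-VIServer's fallback to the credential store when no credentials are supplied, and the per-user store location, are PowerCLI behaviour, not something the post states.

```powershell
# Added example, not the original poster's code.
# Placeholders (assumptions): vCenter host, service login.
$vc   = 'vcenter01.example.local'
$user = 'svc-oo@vsphere.local'

# Load PowerCLI: snap-in on old releases (PowerCLI <= 6.0, as used with
# HPOO 7.x/9.x), module on newer ones.
if (Get-Module -ListAvailable -Name VMware.VimAutomation.Core) {
    Import-Module VMware.VimAutomation.Core
} else {
    Add-PSSnapin VMware.VimAutomation.Core
}

# ---- 1. ONE-TIME, run as the same Windows account the RAS service uses ----
# The store is per-user: %APPDATA%\VMware\credstore\vicredentials.xml. For
# Local System that means the systemprofile tree, so run this step from a
# SYSTEM shell (e.g. "psexec -s -i powershell.exe"); otherwise the flow-time
# script will not find the entry. Prompt for the password instead of putting
# it on a command line that history, transcripts or the OO event log could keep.
$cred = Get-Credential $user
New-VICredentialStoreItem -Host $vc -User $user `
    -Password $cred.GetNetworkCredential().Password | Out-Null

# Confirm what is cached; Get-VICredentialStoreItem lists host/user only.
Get-VICredentialStoreItem -Host $vc | Format-Table Host, User -AutoSize

# ---- 2. FLOW-TIME script: what OO's PowerShell operation runs --------------
# No -User/-Password/-Credential here: with none supplied, Connect-VIServer
# looks the host up in the running account's credential store, so the text
# OO resolves and logs contains no secret.
$session = Connect-VIServer -Server $vc -ErrorAction Stop
try {
    Get-Datastore -Server $session |
        Select-Object Name, Type,
            @{ n = 'CapacityGB'; e = { [math]::Round($_.CapacityGB, 1) } },
            @{ n = 'FreeGB';     e = { [math]::Round($_.FreeSpaceGB, 1) } } |
        ConvertTo-Csv -NoTypeInformation
}
finally {
    Disconnect-VIServer -Server $session -Confirm:$false
}

# ---- 3. ROTATION, again as the service account -----------------------------
# Drop the stale entry for the host (no prompt), then cache the new password.
Remove-VICredentialStoreItem -Host $vc -Confirm:$false
$cred = Get-Credential $user
New-VICredentialStoreItem -Host $vc -User $user `
    -Password $cred.GetNetworkCredential().Password | Out-Null
```

Two checks worth making on the RAS host before trusting this: that `Get-VICredentialStoreItem` run as the service account actually shows the entry (a store created under your own profile is invisible to Local System), and that the `vicredentials.xml` file under that profile is readable only by that account and administrators, since the file is the secret now, rather than the script.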
Re: Using VMware PowerCLI - Issue with powershell operation storing passwords as clear-text
We had the same issue, so I ended up writing our own Remote Command Execution object, which takes the username/password as tokens and converts them in memory while running the command.
So instead of using the PowerShell object we use the RCE object and point it at "powershell <load vim> <script> <arguments>". The arguments might look like "-esxUsername %%u0", and on the OO object the input "username0" inherits from the System Account you want to use. You can put in as many %%ux tokens as you want.
Let me know if you want a copy of the object (tested on HPOO 7.51, 9.x); .NET version only.
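The reply's RCE object is not on the page; as an added example (not that object and not the author's code), this is what the script on the receiving end of the "-esxUsername %%u0"-style arguments would look like: it takes the username and password as parameters, builds a PSCredential in memory, and never carries the secret in its own text. The parameter names and file name are assumptions; the caveat in the comments is mine, not the reply's.

```powershell
# Added example, not the reply author's RCE object. Invoked roughly as the
# reply describes, with OO substituting the %%ux tokens:
#   powershell.exe -File Get-VcDatastores.ps1 -esxServer <host> `
#                  -esxUsername <user> -esxPassword <pass>
# Caveat (not from the page): arguments are still visible to anyone who can
# list processes on the RAS host or read a PowerShell transcript there; what
# changes is that the script body OO resolves and logs no longer has the
# password in it.
param(
    [Parameter(Mandatory = $true)][string]$esxServer,
    [Parameter(Mandatory = $true)][string]$esxUsername,
    [Parameter(Mandatory = $true)][string]$esxPassword
)

if (Get-Module -ListAvailable -Name VMware.VimAutomation.Core) {
    Import-Module VMware.VimAutomation.Core
} else {
    Add-PSSnapin VMware.VimAutomation.Core
}

# Wrap the plain-text argument in a SecureString/PSCredential and drop the
# variable. (.NET strings are immutable, so the bytes linger until collected;
# this only keeps the plain text out of later expansions and error output.)
$secure = ConvertTo-SecureString -String $esxPassword -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential ($esxUsername, $secure)
Remove-Variable -Name esxPassword

$session = Connect-VIServer -Server $esxServer -Credential $cred -ErrorAction Stop
try {
    Get-Datastore -Server $session |
        Select-Object Name, CapacityGB, FreeSpaceGB |
        ConvertTo-Csv -NoTypeInformation
}
finally {
    Disconnect-VIServer -Server $session -Confirm:$false
}
```

If the OO input for the password is of a type OO masks in its own logs, this keeps it masked end to end; the remaining exposure is the process command line on the RAS, which is why the credential-store approach in the earlier post can be preferable for a small fixed set of service logins.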