How to get Credentials into a Configuration

[tysonjhayes]

I've been toying with this for a bit but I'm kind of confused on how I'm supposed to get credentials into my configuration using these tools.

My gut instinct is telling me to use Resolve-DscConfigurationProperty but I'm unclear on how to have the node referencing the credentials.

Something like
$script:ConfigurationData['Credentials']['Account'] strikes me as something that would work but again, not really sure.

Also is there a way to pass in passwords separately or do I have to pass in a credential object because MSFT_Credential is being used in the mof file?

[dlwyatt]

You're on the right track. When you use the Add-DscEncryptedPassword command to set up your encrypted credentials in source control, Get-DscConfigurationData will put those all into a hashtable at $ConfigurationData['Credentials']. In combination with that, you might also have a property that you can resolve with Resolve-DscConfigurationProperty to determine which account to use from the Credentials table. Something like this:

$accountName = Resolve-DscConfigurationProperty -Node $Node -PropertyName 'TheAccount'
$psCredential = $ConfigurationData['Credentials'][$accountName]

someResource someName
{
    Credential = $psCredential
}

[tysonjhayes]

OK after playing around with it I was never able to get your way to work.

Exploring the code I found that the issue with calling it the way you described is that the scripts set it as an Object[] not a hashtable as you can see from the code below.

[1:09:18 PM] [0048] » $script:ConfigurationData['Credentials']

Name                           Value
----                           -----
testaccount                    System.Management.Automation.PSCredential
testaccount2               System.Management.Automation.PSCredential


[1:09:24 PM] [0049] » $script:ConfigurationData['Credentials']['testaccount']
[1:09:29 PM] [0050] » $script:ConfigurationData['Credentials'] | gm


   TypeName: System.Collections.Hashtable

[1:09:34 PM] [0051] » ($script:ConfigurationData['Credentials']).getType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array

If I were to go into Get-CredentialConfigurationData.ps1 and change

$script:ConfigurationData.Credentials = Get-ChildItem -Path $credentialsPath |
            Get-DscEncryptedPassword -StoreName { $_.Name -replace '\.encrypted' -replace '\.psd1' }

to

foreach ($item in (Get-ChildItem -Path $credentialsPath))
{
    $name = ( $item.Name -replace '\.encrypted' -replace '\.psd1' )
    $value = (Get-DscEncryptedPassword -StoreName ( $item.Name -replace '\.encrypted' -replace '\.psd1' ) -Path $item.DirectoryName)
    $script:ConfigurationData.Credentials.Add($name, $value[$name])
}

I can actually get the objects back like you are suggestion I should be able to:

[1:22:36 PM] [0111] » $script:ConfigurationDAta['Credentials']

Name                           Value
----                           -----
testaccount2                   System.Management.Automation.PSCredential
testaccount                    System.Management.Automation.PSCredential


[1:22:42 PM] [0112] » $script:ConfigurationDAta['Credentials']['testaccount2']

UserName                         Password
--------                         --------
testaccount2 System.Security.SecureString

[1:22:49 PM] [0113] » ($script:ConfigurationDAta['Credentials']).gettype()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Hashtable                                System.Object

If it matters I'm on the development branch with WMF 4.0