I've had a number of conversations with various Puppet folks about this and it remains a bit of a sticky issue, namely *how do we safely handle powershell scripts where we need to pass credentials or other sensitive information to Powershell?*
The scenario here is that we have a situation where we need to give Powershell some credentials to perform some sort of work on the system. Due to restrictions we have to pass these credentials via Puppet in some fashion, e.g. we can't or don't have access to a key manager that Powershell can talk to directly, meaning that Puppet is the only route of providing the secrets to the node. (I do understand there are other issues here as well, such as getting secrets securely passed in the catalog, but I'm setting that aside for now.) Recent incarnations of the Powershell provider all write a temp file to disk that contains the powershell code to be invoked. This means that if I have the credentials placed directly in the script (which generally seems the route I have to take) that I'll have written them to disk. Additionally, the exec module itself has logging that will log the command out to both the event log and the Puppet report, which will expose credentials. None of these outcomes are very good. The approach I've tried to take is going the route of signed powershell scripts so we can invoke them with command line parameters rather than using stdin, which is the route the current Powershell provider takes. This seems at the moment to side-step some of the above mentioned problems depending on how you communicate those command line parameters to the provider. However, I'd like to align with the longer-term strategy, if possible, of how Powershell scripts are invoked within the Puppet supported provider. So...what's the best way of handling this? -- You received this message because you are subscribed to the Google Groups "Puppet Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-dev/5bd0c1ad-d53a-4135-872c-62cfe4463cf5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
