从ARM模板安全地将凭据传递给DSC扩展

Question

根据protectedSettings，从ARM模板传递凭据到DSC扩展的最新方法是将整个凭据放置在https://learn.microsoft.com/en-gb/azure/virtual-machines/windows/extensions-dsc-template部分的configurationArguments中，如下所示：

"properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.24",
    "autoUpgradeMinorVersion": true,
    "settings": {
        "wmfVersion": "latest",
        "configuration": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallArchiveFileName'))]",
            "script": "[variables('dscSitecoreInstallScriptName')]",
            "function": "SitecoreInstall"
        },
        "configurationArguments": {
            "nodeName": "[parameters('CMCD VMName')]",
            "sitecorePackageUrl": "[concat(parameters('sitecorePackageLocation'), '/',  parameters('sitecoreRelease'), '/', parameters('sitecorePackageFilename'))]",
            "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]",
            "sitecoreLicense": "[concat(parameters('sitecorePackageLocation'), '/', parameters('sitecoreLicenseFilename'))]",
            "domainName": "[parameters('domainName')]",
            "joinOU": "[parameters('domainOrgUnit')]"
        },
        "configurationData": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallConfigurationName'))]"
        }
    },
    "protectedSettings": {
        "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationDataUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationArguments": {
            "domainJoinCredential": {
                "userName": "[parameters('domainJoinUsername')]",
                "password": "[parameters('domainJoinPassword')]"
            }
        }
    }
}

Azure应该为我处理protectedSettings的加密/解密。这似乎确实有效，因为我可以看到，protectedSettings是在VM上的设置文件中加密的，但是操作最终失败了：

VM has reported a failure when processing extension 'dsc-sitecore-de
v-install'. Error message: "The DSC Extension received an incorrect input: Comp
ilation errors occurred while processing configuration 'SitecoreInstall'. Pleas
e review the errors reported in error stream and modify your configuration code
 appropriately. System.InvalidOperationException error processing property 'Cre
dential' OF TYPE 'xComputer': Converting and storing encrypted passwords as pla
in text is not recommended. For more information on securing credentials in MOF
 file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.24.0.0\DSCWork\dsc-sitecore-d
ev-install.0\dsc-sitecore-dev-install.ps1:103 char:3
+   xComputer Converting and storing encrypted passwords as plain text is not r
ecommended. For more information on securing credentials in MOF file, please re
fer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find pat
h 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot
 find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exis
t.

Another common error is to specify parameters of type PSCredential without an e
xplicit type. Please be sure to use a typed parameter in DSC Configuration, for
 example:

    configuration Example {
        param([PSCredential] $UserAccount)
        ...
    }.
Please correct the input and retry executing the extension.".

使其工作的唯一方法是将PsDscAllowPlainTextPassword = $true添加到我的configurationData中，但我认为我使用protectedSettings部分是为了避免使用纯文本密码.

我是做错了什么，还是仅仅是我的理解错了？

Answer 1

您仍然需要使用PsDSCAllowPlainTextPassword = $true的事实是记录在案。

以下是引用的部分：

但是，目前您必须告诉PowerShell PowerShell，在节点配置MOF生成期间可以以纯文本形式输出凭据，因为PowerShell DSC不知道Azure自动化将在通过编译作业生成整个MOF文件后对其进行加密。

基于以上所述，这似乎是一个操作顺序问题。生成MOF并对其进行加密。

Answer 2

这样做的适当方式：

"settings": {
    "configuration": {
        "url": "xxx",
        "script": "xxx",
        "function": "xx"
    },
    "configurationArguments": {
        "param1": xxx,
        "param2": xxx
        etc...
    }
},
"protectedSettings": {
    "configurationArguments": {
        "NameOfTheCredentialsParameter": {
            "userName": "USERNAME",
            "password": "PASSWORD!1"
        }
    }
}

这样你就不需要PsDSCAllowPlainTextPassword = $true了

然后，您可以接收配置中的参数。

Configuration MyConf
param (
    [PSCredential] $NameOfTheCredentialsParameter
)

在你的资源中使用它

Registry DoNotOpenServerManagerAtLogon {
    Ensure = "Present"
    Key = "HKEY_CURRENT_USER\SOFTWARE\Microsoft\ServerManager"
    ValueName = "DoNotOpenServerManagerAtLogon"
    ValueData = 1
    ValueType = REG_DWORD"
    PsDscRunAsCredential = $NameOfTheCredentialsParameter
}