Securing Credentials properly in DSC using Azure Automation

1
votes

How would you go on to secure your DSC configuration that's using credentials properly in Azure Automation?

E.g.: 

configuration MyServer {
  param(
    [Parameter(Mandatory=$true)][PSCredential]$MyCredential
  );
  # Some configuration using credentials 
}

Normally I'd set up a public key and a proper certificate installed on each node and pass along CertificateFile and Thumbprint to ConfigurationData when compiling the configuration documents.

In Azure Automation I can't find any good solution.

The documentation says Azure automation encrypts the entire MOF by it's own : https://azure.microsoft.com/en-us/documentation/articles/automation-certificates/ and the article specifies to use PSAllowPlainTextCredentials.

When you then register a node to it's pull server and pull it's configuration, you can read out the password in plain text as long as you have local admin / or read access to temp, after being pulled down/updated. This is not good in a security perspective.

What I'd like, ideally would be to upload such a public key/certificate to the Azure Automation credentials and use it as a part of ConfigurationData when starting the compilation job.

However today, "CertificateFile" expects a path and not a AutomationCertificate so I cannot see a way to start the compilationjob with any public key present in Azure Automation. I can't see any ways of referring to my assets certificate when running the job.

Any ideas if this is possible in the current state of Azure automation and the way they work with DSC/pull to secure it properly using either an asset store din Azure Automation or Azure Key vault?

3
powershellazuredsc
What version of the Azure DSC Extension were you using? Have you tried at least 2.20, specifying Wmfversion = ‘5.1PP’ and see if this still happens? – TravisEz13

3 Answers

1
votes

You should create a Azure Automation Credential and reference it in the configuration like so:

# Compile mof
$ConfigurationData = @{ 
    AllNodes = @(
        @{
            NodeName = $nodeName
            PSDscAllowPlainTextPassword = $true
        }
    )
}

$Parameters = @{
    "nodeName" = $nodeName
    "credential" = $credName ##### Notice this is only the name on Azure Automation Credential Asset, Azure Automation will securely pull those and use in the compilation
}

Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
    -ConfigurationName $configurationName -Parameters $Parameters -ConfigurationData $ConfigurationData

You should not worry about the PSDscAllowPlainTextPassword since Azure Automation does encrypt everything at rest for you, it's just that DSC doesn't know that (so you have to supply that to the DSC engine).

And in DSC you should have something like: 

Configuration name
    {   
        Param (
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][String]$nodeName,
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][pscredential]$credential
        )

        Import-DscResource -Module modules

        Node $nodeName {DOSTUFF}
}
0
votes

The correct way to pass a credential to a DSC file from Azure Automation is to use an Azure Automation Credential.

Then inside your DSC file you use the command Get-AutomationPSCredential

Example:

Configuration BaseDSC
{

    Import-DscResource -ModuleName xActiveDirectory
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName XNetworking

    $Credential = Get-AutomationPSCredential -Name "CredentialName"

    Node $AllNodes.Nodename
    { ...

The credential is stored encrypted in Azure Automation, and is put into the encrypted MOF file in Azure Automation when you run the compilation job.

Additionally, the password can be updated in Azure Automation and then updated in the MOFs by just recompiling.

The password is not able to be retrieved in clear text from Azure.

-1
votes

Use secure credential and create user to Windows server and add to Administrator group using dsc:

**Solution ( PowerShell DSC) **

Firstly : Create credential in Automation account form azure portal or using any azure module Home>Resource group> ...> automation account > credentials

Configuration user_windows_user
{
    param
    (     
    [Parameter()][string]$username,
    [Parameter()]$azurePasswordCred  **#name (string)of the credentials**
  )

   $passwordCred = Get-AutomationPSCredential -Name $azurePasswordCred
   Node "localhost"
   {
         User UserAdd
        {
            Ensure = "Present"  # To ensure the user account does not exist, set Ensure to "Absent"
            UserName = $username
            FullName = "$username-fullname"
            PasswordChangeRequired = $false
            PasswordNeverExpires = $false
            Password = $passwordCred # This needs to be a credential object

        }
        Group AddtoAdministrators
        {
           GroupName = "Administrators"
           Ensure = "Present"
           MembersToInclude = @($username)
        }

   }
} # end of Configuration 

#
$cd = @{
    AllNodes = @(
        @{
            NodeName = 'localhost'
            PSDscAllowPlainTextPassword = $true
        }
    )
}
  • Upload the Dsc file in azure automation>configuration
  • compile the configuration (provide input -username , credential name (string)
  • add configuration to node and wait for the configuration deployment