【Question title】: Securely pass credentials to DSC Extension from ARM Template
【Posted】: 2017-04-19 14:34:40
【Question】:

According to https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/extensions-dsc-template, the latest way to pass credentials from an ARM template to the DSC extension is to put the whole credential in configurationArguments under the protectedSettings section, as shown below:

"properties": {
    "publisher": "Microsoft.Powershell",
    "type": "DSC",
    "typeHandlerVersion": "2.24",
    "autoUpgradeMinorVersion": true,
    "settings": {
        "wmfVersion": "latest",
        "configuration": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallArchiveFileName'))]",
            "script": "[variables('dscSitecoreInstallScriptName')]",
            "function": "SitecoreInstall"
        },
        "configurationArguments": {
            "nodeName": "[parameters('CMCD VMName')]",
            "sitecorePackageUrl": "[concat(parameters('sitecorePackageLocation'), '/',  parameters('sitecoreRelease'), '/', parameters('sitecorePackageFilename'))]",
            "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]",
            "sitecoreLicense": "[concat(parameters('sitecorePackageLocation'), '/', parameters('sitecoreLicenseFilename'))]",
            "domainName": "[parameters('domainName')]",
            "joinOU": "[parameters('domainOrgUnit')]"
        },
        "configurationData": {
            "url": "[concat(parameters('_artifactsLocation'), '/', variables('artifactsProjectFolder'), '/', variables('dscArchiveFolder'), '/', variables('dscSitecoreInstallConfigurationName'))]"
        }
    },
    "protectedSettings": {
        "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationDataUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
        "configurationArguments": {
            "domainJoinCredential": {
                "userName": "[parameters('domainJoinUsername')]",
                "password": "[parameters('domainJoinPassword')]"
            }
        }
    }
}

Azure DSC should handle the encryption/decryption of protectedSettings for me. That does seem to work, since I can see that protectedSettings is encrypted in the settings file on the VM, but the operation ultimately fails:

VM has reported a failure when processing extension 'dsc-sitecore-dev-install'. Error message: "The DSC Extension received an incorrect input: Compilation errors occurred while processing configuration 'SitecoreInstall'. Please review the errors reported in error stream and modify your configuration code appropriately. System.InvalidOperationException error processing property 'Credential' OF TYPE 'xComputer': Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729
At C:\Packages\Plugins\Microsoft.Powershell.DSC\2.24.0.0\DSCWork\dsc-sitecore-dev-install.0\dsc-sitecore-dev-install.ps1:103 char:3
+   xComputer Converting and storing encrypted passwords as plain text is not recommended. For more information on securing credentials in MOF file, please refer to MSDN blog: http://go.microsoft.com/fwlink/?LinkId=393729 Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist. Cannot find path 'HKLM:\SOFTWARE\Microsoft\PowerShell\3\DSC' because it does not exist.

Another common error is to specify parameters of type PSCredential without an explicit type. Please be sure to use a typed parameter in DSC Configuration, for example:

    configuration Example {
        param([PSCredential] $UserAccount)
        ...
    }.
Please correct the input and retry executing the extension.".

The only way I can make it work is to add PsDscAllowPlainTextPassword = $true to my configuration data, but I thought the whole point of using the protectedSettings section was to avoid plain-text passwords...

Am I doing something wrong, or is my understanding mistaken?

【Comments】:

    Tags: json azure dsc


    【Solution 1】:

    The correct way to do it:

    "settings": {
        "configuration": {
            "url": "xxx",
            "script": "xxx",
            "function": "xx"
        },
        "configurationArguments": {
            "param1": xxx,
            "param2": xxx
            etc...
        }
    },
    "protectedSettings": {
        "configurationArguments": {
            "NameOfTheCredentialsParameter": {
                "userName": "USERNAME",
                "password": "PASSWORD!1"
            }
        }
    }
    

    This way you don't need PsDSCAllowPlainTextPassword = $true

    Then you can receive the parameter in your configuration:

    Configuration MyConf {
        param (
            [PSCredential] $NameOfTheCredentialsParameter
        )
        # resources that use the credential go here
    }
    

    and use it in your resource:

    Registry DoNotOpenServerManagerAtLogon {
        Ensure = "Present"
        Key = "HKEY_CURRENT_USER\SOFTWARE\Microsoft\ServerManager"
        ValueName = "DoNotOpenServerManagerAtLogon"
        ValueData = 1
        ValueType = "Dword"   # Registry resource expects "Dword", not REG_DWORD
        PsDscRunAsCredential = $NameOfTheCredentialsParameter
    }
    

    【Comments】:
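An added check that is not part of the question or either answer: a small Python lint over the extension's properties object that flags credential-like configurationArguments left under settings (which the VM stores unencrypted, unlike protectedSettings) and derives the typed [PSCredential] param() block the configuration must declare for each userName/password object under protectedSettings. The secret key-name pattern is a heuristic assumption of this example; the sample is the question's block trimmed to the relevant keys, and on it the check flags sitecorePackageUrlSasToken.

```python
"""Lint the DSC extension block of an ARM template: secrets belong in protectedSettings,
because anything under settings lands on the VM unencrypted (example code, not from the page)."""
import json
import re

# Heuristic (an assumption of this example): argument names that usually carry secrets.
SECRET_KEY_RE = re.compile(r"(password|secret|sastoken|credential|token|key)$", re.IGNORECASE)

def find_unprotected_secrets(extension_properties):
    """Names of settings.configurationArguments keys that look like secrets."""
    args = extension_properties.get("settings", {}).get("configurationArguments", {})
    return sorted(k for k in args if SECRET_KEY_RE.search(k))

def credential_params(extension_properties):
    """Names of userName/password objects under protectedSettings.configurationArguments;
    the DSC configuration must declare each one as a typed [PSCredential] parameter."""
    prot = extension_properties.get("protectedSettings", {}).get("configurationArguments", {})
    return sorted(k for k, v in prot.items()
                  if isinstance(v, dict) and {"userName", "password"} <= set(v))

def param_block(extension_properties):
    """Render the PowerShell param() block the configuration needs for those credentials."""
    lines = [f"    [PSCredential] ${name}" for name in credential_params(extension_properties)]
    return "param (\n" + ",\n".join(lines) + "\n)"

# Constructed sample: the question's extension 'properties', trimmed to the relevant keys.
SAMPLE = json.loads("""{
  "settings": {
    "configurationArguments": {
      "nodeName": "[parameters('CMCD VMName')]",
      "sitecorePackageUrlSasToken": "[parameters('sitecorePackageLocationSasToken')]",
      "domainName": "[parameters('domainName')]"
    }
  },
  "protectedSettings": {
    "configurationUrlSasToken": "[parameters('_artifactsLocationSasToken')]",
    "configurationArguments": {
      "domainJoinCredential": {
        "userName": "[parameters('domainJoinUsername')]",
        "password": "[parameters('domainJoinPassword')]"
      }
    }
  }
}""")

if __name__ == "__main__":
    print("secret-like arguments in plain settings:", find_unprotected_secrets(SAMPLE))
    print(param_block(SAMPLE))
```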

      【Solution 2】:

      The fact that you still need PsDSCAllowPlainTextPassword = $true is documented.

      Here is the relevant quote:

      However, at this time you must tell PowerShell DSC that it is okay for credentials to be output in plain text during node configuration MOF generation, because PowerShell DSC doesn't know that Azure Automation will be encrypting the entire MOF file after its generation via a compilation job.

      Based on the above, it appears to be an order-of-operations issue: the MOF is generated first, then encrypted.

      【Comments】:

      • This is wrong, because you don't need to do that; the link you refer to is no longer valid, it is outdated.