How To Handle Passwords in PowerShell Automation
|I have been writing automations using PowerShell for many years now. One common issue I notice with people’s code is the improper handling of passwords. In this blog, I share how to set up a Credential Manager on a SQLServer and use the same for handling passwords in automation.
To setup Credential Manager, we need to download and execute the following steps using scripts from my Github repo SQLMonitor.
1. Create tables
Credential-Manager/SCH-[dbo].[credential_manager].sql
This SQL script creates 2 required tables – dbo.credential_manager
& dbo.dbo.credential_manager_audit
.
2. Create procedures
- Credential-Manager/SCH-[dbo].[usp_add_credential].sql
- Credential-Manager/SCH-[dbo].[usp_delete_credential].sql
- Credential-Manager/SCH-[dbo].[usp_get_credential].sql
- Credential-Manager/SCH-[dbo].[usp_usp_update_credential].sql
The above 4 procedures are used to add, remove, update & fetch credentials with Credential Manager.
3. Adjust appropriate permissions
This script creates a certificate-based login/user and signs all the procedures created above. Then execute permission is provided on the above procedures so anyone having access to the Credential Manager server can utilize the Credential Manager through the procedures.
Below are some sample ways to use the above procedures-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 |
use DBA go IF DB_NAME() = 'master' raiserror ('Kindly execute all queries in [DBA] database', 20, -1) with log; go -- Check all Logins select server_ip, server_name, [user_name], is_sql_user, is_rdp_user, password_hash, salt, created_date, created_by, updated_date, updated_by, delegate_login_01, delegate_login_02, remarks from dbo.credential_manager go /* Insert Credentials */ exec dbo.usp_add_credential @server_ip = '*', --@server_name = '<server_name>', @user_name = 'sa', @password_string = 'SomeStringPassword', --@passphrase_string = '421', --@is_sql_user = 1, --@is_rdp_user = 1, --@save_passphrase = 1, @remarks = 'sa Credential'; go /* Fetch Credentials */ declare @password varchar(256); exec dbo.usp_get_credential --@server_ip = '*', --@user_name = 'Lab\SQLServices', @password = @password output; select @password as [@password]; go /* Remove Credential */ exec dbo.usp_delete_credential @server_ip = '*', @user_name = 'Test', @password = 'SomeStringPassword' go /* Update Credential */ exec dbo.usp_update_credential @server_ip = '*', @user_name = 'Test', --@password = 'SomeStringPassword', @confirm_forgot_password = 1, @remarks = 'Testing update' go /* Get All Credential for Specific Server */ declare @server_ip char(15) = '*' select server_ip, server_name, [user_name], is_sql_user, is_rdp_user, password_hash, [password] = cast(DecryptByPassPhrase(cast(salt as varchar),password_hash ,1, isnull(@server_ip,server_ip)) as varchar), salt, salt_raw = cast(salt as varchar), created_date, created_by, updated_date, updated_by, delegate_login_01, delegate_login_02, remarks from dbo.credential_manager where @server_ip is null or server_ip = @server_ip go /* Get All Credentials */ select server_ip, server_name, [user_name], is_sql_user, is_rdp_user, password_hash, [password] = cast(DecryptByPassPhrase(cast(salt as varchar),password_hash ,1, server_ip) as varchar), salt, salt_raw = cast(salt as varchar), created_date, created_by, updated_date, updated_by, delegate_login_01, delegate_login_02, remarks from dbo.credential_manager cm where cm.server_ip = 'SomeServer' go |
I would recommend watching the below video which explains Credential Manager to a great deal.
I hope this will help anyone writing automation for SQLServer using PowerShell or needs a Password Vault.