API auth issues with environments?

Good afternoon,

I have a dashboard that invokes a PSU script under the integrated environment this dashboard uses the GrantAppToken switch and I also have Connect-PSUServer -ComputerName $Hostname -AppToken $PSUAppToken set at the top of my dashboard. I had it configured this way so I could see which user was invoking what script/job via the admin ui.

Ever since upgrading from 2.12 to v3 this functionality is no longer working for me.

I also noticed that when I run that script manually under the integrated (default) environment it doesn’t seem to have permissions to the api? Such as secret scope and basic things such as Get-PSUScript.

Running the same script under a different env (pwsh)

Any help would be greatly appreciated.

Product: PowerShell Universal
Version: 3.2.8
1 Like

Update time :

I was running into a few separate issues here but I believe it was just some misconfiguration on my end.

I was using the Invoke-PSUScript with the -integrated switch from a dashboard and this was showing that system was invoking the job via the admin ui. I was thinking there was an issue with the GrantAppToken.


The other issue I was running into was when I was calling that script (using the integrated environment) I was using some cmdlets such as Get-PSUScript without calling the Connect-PSUServer prior.

I was under the impression there was no need to call the Connect-PSUServer while using the integrated environment.

Update to the update:

So I also found out that you cant use Get-PSUVariable without calling Connect-PSUServer first. I was doing this due to me calling invoke-psuscript with -credential. That switch takes in a variable type and not a PSCredentail object type.


documentation here - universal-docs/Invoke-PSUScript.txt at master · ironmansoftware/universal-docs · GitHub

I want to make sure I’m understanding this right.

The main goal is to run a script from a dashboard but ensure that the script is listed as being run by a particular user.

Connect-PSUServer doesn’t work any more
Integrated works but lists the job being run as system (this I have seen and we can fix this).

You should not need to call Connect-PSUServer when using the -Integrated switch on any cmdlet. It uses the gRPC channel (or directly in process) to run the commands rather than using the management API at all.

I would double check the app token being granted in a PWSH terminal to make sure it’s as expected to rule that out. I would also try using Invoke-PSUScript -AppToken instead of Connect-PSUServer to see if there is any difference there.

I’d love it if we could just make Invoke-PSUScript -Integrated work properly since it’s the easiest to implement and debug. I’ll open an issue for that.

Thanks for the reply @adam

Do you think that is why I’m seeing loads of grpc errors? Not really sure where its coming from at the moment.

I have various scripts that call other child scripts and to make it easier for other techs I have a dashboard that allows some form input and fires off said scripts and returns the output.

Here is a sample of a function that is in my parent driver script that calls a child script

function Invoke-ChildScript {
    param (
        [Parameter(HelpMessage = "something")]

    #region Check legal hold status  
    $ScriptParams = [ordered]@{
        Name        = 'admin\child.ps1'
        UserAccount = $UserAccount

    try {
        Invoke-PSUScript @ScriptParams | Tee-Object -Variable CurrentJob | Wait-PSUJob 
    catch {
        $ReturnData = @{ 
            error = $PSItem.Exception.Message 
            line  = $PSItem.Exception.Line
        throw $ReturnData

    $ReturnData = Get-Results -Job $CurrentJob # returns job output once finished executing
    return $ReturnData

The gRPC errors could definitely be a signal that something is not working correctly here. Can you actually open a case for this one? I want to take a closer look.


1 Like

Opened the case. Thanks Adam.

1 Like