Event Hubs - do agents have access to Secret variables?

Do (or can) agents connected to PSU via an Event Hub have access to the Secret variables in PSU?

I’ve never messed with the Event Hub feature but we have a use-case for them now and I’m curious how the Secret variables would work if I tell a job to run on an agent rather than the PSU server itself.

Product: PowerShell Universal
Version: 5.3.1

Event Hubs agents don’t run jobs directly. You send PowerShell commands to them to either run a specific command or a script that exists on the agent machine.

You could pass the secrets down over the channel but it’d be a manual process. The agents don’t have access to anything within the PSU server.

1 Like

Hmm. Well, that won’t work. But it gives me an idea of maybe making a script accessible from our Azure DevOps repo that contains no references to any Secret variables and has no static data in it, and we can then pass the parameters to the agent from the PSU server to use when it runs the remote script. That way the script doesn’t need to be housed on the client end so we can still take advantage of Git versioning and control the values of the variables to keep things private and per-client.

Do I at least have that ability if I use Event Hubs and agents?

I have had success simply declaring a parameter in the passed script for those secret values and sending them within -ArgumentList of Send-PSUEvent when the event is sent. You could proceed in this manner from anywhere you have the module installed which I quite like.

Maybe. That still wouldn’t solve the issue of not wanting the script to be housed on the agent (client) side at all (as that would allow for the script to be modified outside of our control and could result in other problems/concerns).

The goal is to keep the script under our control and versioned via Git, and just have it run remotely with certain parameters/variables that make the execution unique for whichever client (company) it’s being run for.

So, if I can make the .ps1 file publicly accessible (which, if it’s been sanitized or genericized, should not be a problem), and then send the parameters/variable values through the Event Hub connection, and have the agent set to execute something like:

$ReceivedValue1 = <whatever the PSU Event Hub sent>
$ReceivedValue2 = <whatever the PSU Event Hub sent>

Invoke-WebRequest -URI https://dev.azure.com/blah/script.ps1
(the script would have references to those variables)

We are struggling with this very thing. We will be deploying to a few hundred servers and we are trying to figure out how to protect the scripts as well as the service will have to run with elevated privileges. I'm even considering keeping them on a NAS share so that even admins who get on the box won't have access. But the agents.json file must still exist so that still gives an avenue of modification. If you come up with a solution I'd love to hear it!

1 Like

Assuming that my methodology above would work, I’ll likely go with that and make the URI a parameter as well so that the script in the public Git repo won’t be statically defined either.

I’ll definitely share my end result, though.

It doesn’t have to be – You can use the eventhub listener script to allow downloading a script you send, then unblock it, run it, then delete the temp file every time the script runs. I can provide our implementation of this if you’d like! The script is only present on the agent right before it runs, then gets discarded until the next run of the script.

We have a script configured that runs the below block, with some other various things around it specific to our needs. The ArgumentList of ThreadJob contains both a global variable and a secret variable and both are evaluated as they are sent to the agent.

# Runs on the PSU server. $Secret:SecretVariable and $SiteURL are resolved here,
# before the thread job starts, so the agent only ever sees their values.
Start-ThreadJob -ThrottleLimit 3 {
    param($url, $tkn, $cid)
    # Target one specific agent via its connection id; the script text and the
    # parameter values travel together in -Data.
    Send-PSUEvent -ComputerName $url -AppToken $tkn -Hub EH_MDM -ConnectionId $cid -Data @{
        Contents   = Get-Content "Path\To\Script\Relative\To\Repository.ps1" -Raw
        Parameters = @{
            MatchQuota = 4
            AppToken   = $tkn
            SiteRoot   = $url
        }
    }
} -ArgumentList $SiteURL, $Secret:SecretVariable, $EventHubConnection.ConnectionId

Then on the agent we have a script configured very similarly to this one in the documentation:

Hope this helps!

1 Like
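Added example for this thread (not PSU's documentation script, and not either poster's implementation) of the agent-side handler that consumes the event sent above. It covers both approaches discussed: the script body travelling in the event as `Contents`, and the earlier idea of fetching a sanitized script from a Git URL at run time. Assumptions: PSU exposes the deserialized payload to the hub script as `$EventData`; the event carries either `Contents` or, for the download case, `ScriptUri` plus `ScriptSha256` (both names invented here, the hash pinned by the server so the agent refuses a modified download); `Parameters` is the hashtable from the sender.

```powershell
# Agent-side event hub script. Added example, not PSU's or the posters' code.
# Expected event shapes (assumed for this example):
#   @{ Contents = '<script text>'; Parameters = @{...} }
#   @{ ScriptUri = 'https://...'; ScriptSha256 = '<hex>'; Parameters = @{...} }

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string] $Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([System.BitConverter]::ToString($hash)).Replace('-', '').ToLowerInvariant()
}

function ConvertTo-Splat {
    # Parameters arrive as a hashtable, or as a PSCustomObject after JSON
    # round-tripping; either way return a hashtable usable for splatting.
    param($Parameters)
    $splat = @{}
    if ($Parameters -is [System.Collections.IDictionary]) {
        foreach ($k in $Parameters.Keys) { $splat[[string]$k] = $Parameters[$k] }
    } elseif ($null -ne $Parameters) {
        foreach ($p in $Parameters.PSObject.Properties) { $splat[$p.Name] = $p.Value }
    }
    return $splat
}

function Resolve-ScriptText {
    # Returns the script body, taken from the event itself or fetched from ScriptUri.
    param([Parameter(Mandatory)] $Event)
    if (-not [string]::IsNullOrWhiteSpace($Event.Contents)) { return [string]$Event.Contents }
    if ([string]::IsNullOrWhiteSpace($Event.ScriptUri))     { throw 'Event carried neither Contents nor ScriptUri.' }
    if ([string]::IsNullOrWhiteSpace($Event.ScriptSha256))  { throw 'ScriptUri requires ScriptSha256.' }
    # A public repo URL is exactly as trustworthy as whoever can push to it, so the
    # server pins the hash of the commit it intends to run and the agent checks it.
    $text   = (Invoke-WebRequest -Uri $Event.ScriptUri -UseBasicParsing).Content
    $actual = Get-Sha256Hex -Text $text
    if ($actual -ne ([string]$Event.ScriptSha256).ToLowerInvariant()) {
        throw "Downloaded script hash $actual does not match expected $($Event.ScriptSha256)."
    }
    return $text
}

function Invoke-ReceivedScript {
    param(
        [Parameter(Mandatory)] $Event,
        [string] $WorkRoot = (Join-Path $env:ProgramData 'PSUAgent\run')
    )
    $text = Resolve-ScriptText -Event $Event

    # Refuse to write anything to disk that does not even parse as PowerShell.
    $tokens = $null; $errors = $null
    $null = [System.Management.Automation.Language.Parser]::ParseInput($text, [ref]$tokens, [ref]$errors)
    if ($errors.Count -gt 0) { throw "Received script does not parse: $($errors[0].Message)" }

    $splat  = ConvertTo-Splat -Parameters $Event.Parameters
    $runDir = Join-Path $WorkRoot ([guid]::NewGuid().ToString('N'))
    $script = Join-Path $runDir 'received.ps1'
    New-Item -ItemType Directory -Path $runDir -Force | Out-Null
    try {
        Set-Content -LiteralPath $script -Value $text -Encoding UTF8
        Unblock-File -LiteralPath $script   # clears a Zone.Identifier tag if anything added one
        # Secret values reach the script only as bound parameters; only the script
        # text itself touches disk, and only for the duration of this run.
        & $script @splat
    }
    finally {
        Remove-Item -LiteralPath $runDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Entry point when this file is the hub's configured script on the agent.
# $EventData is assumed to be the variable the PSU agent populates with the payload.
if ($null -eq $EventData) { throw 'No $EventData present; this script expects to run under a PSU event hub agent.' }
Invoke-ReceivedScript -Event $EventData
```

For the download path the sending side would compute the pin with `Get-FileHash -Algorithm SHA256` on the checked-out repo file and put it in the event next to the URI. Two caveats that the thread's concern about agent-side tampering makes worth stating: this only removes the script's at-rest copy from the agent, because a local administrator can still edit this handler or agents.json, and anything that the agent's PowerShell logging captures (script block logging records the text of every script block it runs) will contain the received script regardless of how quickly the temp file is deleted.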

Interesting. That could work and would avoid having to make the script public. Thanks. I’ll see if I can make that work for our needs.