Hi all. I am currently evaluating PSU for our company, and I’m wondering how you would handle this situation:
We have multiple AD forests that we need to work with from within PSU. Since there isn’t an AD module for Linux, I need to connect to a server in each environment and run the commands from there. When I run the commands from said server, I need to use credentials so I have the correct delegated permissions for certain actions. It is my understanding that Event Hubs are PSU’s way of running code on other machines. I have tried this, and while I can run the code on other machines, I don’t have the credentials I need. If I try using $SECRET, I don’t get anything in return, and that makes sense since it is a different scope. I’d use PSRemoting, but that won’t work because of WSMan not really being a thing on Linux, and some of our servers aren’t new enough to support PSRemoting over SSH.
With that being said, is there any way to pass the credentials to the other machine? Also, what is the best way to pass the resulting objects back to PSU? I have done this in Azure Automation using the Get-AutomationPSCredential command. You can have a script run on a hybrid worker and it will pull the credential from the automation account. Does something like this exist in PSU and I’m just blind?
The Event Hub agents don’t currently have access to the variables in PSU (as in, they will eventually, from what I’ve been told by @adam), so the solution is either to store the credentials needed directly in the script you want to execute on the remote agent (which is a bad idea for security reasons) or to reference the variables as part of an arguments list that is passed on to the remote agent, so that the value has already been evaluated on the PSU side prior to transmitting the data/command to the agent and the agent has the value it needs without needing to access the variable directly. You can look at Event Hubs - do agents have access to Secret variables? - #9 by parzog to get an example of how to do this.
Alright, I have messed with that a bit and have gotten strings to work, but if I try to pass a [PSCredential], it says “Error occurred during a cryptographic operation”. I think the reason the code you posted worked is because they were working with a secret string instead of a secret credential, not sure.
Here is the client code I have been using to test with:
Either way, I appreciate your help getting me to this point. Now to figure out authenticated event hubs. Does the token have to be stored in appsettings.json, or is there a way to pass it when sending an event? I see in the cmdlet docs that there is an unused -AppToken parameter.
There’s no token in appsettings.json for Event Hub agent connectivity that I’m aware of. The user/account app token you want the agent to authenticate to PSU with is generated on PSU, and you put that into the agent.json file in the install path with the Event Hub agent on the remote server. You could also store the token in an environment variable that gets referenced in the agent’s config, so the token isn’t directly in the config file, too, but I haven’t used that method. Is that what you’re referring to?
Yes, I was referring to agent.json on the remote machine. I guess storing the token on the remote machine isn’t super ideal, but I guess I’ll have to do that if that is what it takes. Do you know how the environment variable method works?
I have an idea bouncing around in my head that might make agents easier to use. I’ll post a feature once I think about it a little more. Adam might have some of the same ideas anyways, lol.
I agree, but with the current design there’s no alternatives that I’m aware of.
The variables method is only briefly mentioned at Agent | PowerShell Universal with little detail, but it looks like just defining those and giving them values is all that’s needed.
@adam has already stated that the way agents work is going to drastically change in the future, so you may have some of the same ideas he has in mind.
I just realized I was looking at the wrong page… The Event Hubs page has information on the old event hub client and no information on authentication, and there is a separate page for configuring agents with authentication. I thought I had seen it somewhere!
Yeah. I don’t know why there are 2 separate docs for largely the same things, but the one I linked in the previous comment is the most recent and correct (I think).
You’d likely need to have some sort of shared key between the agent and server to be able to encrypt and decrypt the password, because it’s a secure string.
You can use the Key parameter of ConvertTo-SecureString to make that well known. It’s probably why you are seeing that error, because the keys don’t match on either side.
ConvertTo-SecureString -Key $Key
Also note that if you use an HTTPS connection between the agent and server, the HTTP requests will be encrypted.
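The two pieces of advice in this thread (evaluate the secret on the PSU side and pass it as event data, and use a shared key so the SecureString survives the hop) fit together into one pattern. The following is an added example, not code from the thread or from the PowerShell Universal project. It assumes a PSU variable $Secret:AdCred holding a [PSCredential], a PSU variable $Secret:AgentKey holding a base64-encoded 32-byte key, the same key in an AGENT_KEY environment variable on the agent host, and that the agent's handler receives the event payload as $EventData and can call Send-PSUEvent to hand results back; the forest name, hub names, and the Get-ADUser lookup are placeholders.

```powershell
# ---------- one-time key generation (run anywhere, store the output as $Secret:AgentKey in PSU
# ---------- and as the AGENT_KEY environment variable on the agent host) ----------
# ConvertFrom-SecureString -Key / ConvertTo-SecureString -Key require a 16, 24 or 32 byte key
# (AES-128/192/256). 32 random bytes from a CSPRNG, base64-encoded so it fits in a string variable.
$keyBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
[Convert]::ToBase64String($keyBytes)   # copy this value into both locations

function Get-SharedKey {
    # Decodes the shared key and checks the length that ConvertTo/From-SecureString -Key accepts.
    param([Parameter(Mandatory)][string] $Base64Key)
    $key = [Convert]::FromBase64String($Base64Key)
    if ($key.Length -notin 16, 24, 32) {
        throw "Shared key must decode to 16, 24 or 32 bytes, got $($key.Length)"
    }
    return $key
}

# ---------- PSU server side (the script/job that triggers the remote work) ----------
# Everything that touches $Secret:* is evaluated here, before anything is sent to the agent.
# Without -Key, ConvertFrom-SecureString uses a per-user/per-machine (DPAPI) protection that the
# agent cannot undo, which is the "Error occurred during a cryptographic operation" failure.
# A [PSCredential] also does not survive JSON serialization (the Password is a SecureString), so
# the credential is split into a plain UserName and a key-encrypted password string.
$key  = Get-SharedKey -Base64Key $Secret:AgentKey
$cred = $Secret:AdCred

$payload = @{
    UserName          = $cred.UserName
    EncryptedPassword = ($cred.Password | ConvertFrom-SecureString -Key $key)
    Forest            = 'corp.example.com'   # assumed forest / DC to target
    Identity          = 'jdoe'               # assumed lookup
    ReplyHub          = 'ForestA-Results'    # assumed hub the agent reports back on
}

# Hub and Data parameter names follow the Send-PSUEvent usage shown in the PSU docs (assumption).
Send-PSUEvent -Hub 'ForestA' -Data $payload

# ---------- Agent side (event handler on the Windows server joined to that forest) ----------
$key  = Get-SharedKey -Base64Key $env:AGENT_KEY
$data = $EventData   # assumed: deserialized copy of $payload

# Rebuild the credential with the delegated rights; only the key holder can do this.
$securePassword = $data.EncryptedPassword | ConvertTo-SecureString -Key $key
$agentCred      = [PSCredential]::new($data.UserName, $securePassword)

Import-Module ActiveDirectory
$user = Get-ADUser -Identity $data.Identity -Server $data.Forest -Credential $agentCred `
                   -Properties mail, enabled

# Send back plain, serializable data rather than live AD objects: select the properties you need
# and let the transport JSON-encode them. Returning results via a second event is an assumption
# about what the agent runtime allows; adjust to whatever reply channel your PSU version offers.
Send-PSUEvent -Hub $data.ReplyHub -Data @{
    Identity = $data.Identity
    Result   = $user | Select-Object SamAccountName, DistinguishedName, Enabled, mail
}
```

The key never leaves the two configured stores, the PSCredential is never serialized as such, and an agent without the key can receive the event but cannot recover the password from it. As the thread notes, run the agent-to-server connection over HTTPS as well, since the shared key only protects the password field, not the rest of the payload in transit.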