VMware Cloud Community
ARuvVD11
Enthusiast
Enthusiast

How to not embed plaintext credentials into actions/workflows in 8.x

Tried a half dozen ways to protect service/user creds in scripts, but it seems the working directory is the RO  /run/vco-polyglot/function for whatever vra node is running it, and not the powershell host...  Hardly optimal. Whats the proper way to do this?

Reply
0 Kudos
8 Replies
xian_
Expert
Expert

Can you add a SecureString input to the action?

Reply
0 Kudos
ARuvVD11
Enthusiast
Enthusiast

Add, yes. Prefill, no, at least with actions.... which unfortunately is all I can use since I'm trying to call this from a vRA custom content form. Not sure why it wont link to workflows, maybe I messed that up too?

Reply
0 Kudos
xian_
Expert
Expert

-

Reply
0 Kudos
eoinbyrne
Expert
Expert

I normally use this approach & it's not terrible

1. Store credentials in a ConfigurationElement - Password can be a SecureString there if you want it to be

2. Use an action such as the below to locate the ConfigurationElement in the presentation action for the form. Once you have the configuration element you can get the value using

element.getAttributeWithKey("Password").value;

eoinbyrne_0-1623918940392.png

In your presentation action you can call any other action using

System.getModule("com.<my>.<package>.<name>").<actionName>(p1, p2, p3.....);

e.g., for my action above its

var credentialsConf = System.getModule("com.triangle.util").getConfigurationElement("Library/StoredCredentials", "SomeRESTAPI", false);

 

-HTH

 

Reply
0 Kudos
xian_
Expert
Expert

This is not possible with a powershell action.

Reply
0 Kudos
eoinbyrne
Expert
Expert

OP stated that he's using a custom form? So, an approach might be to add an input for the credentials and use a JS action like mine to resolve them. At this point then they would be present in the input set to the Powershell action?

Sorry, I don't have a Powershell enabled instance to play with this to confirm but it sounds workable...? The issue might be creds passing OTW in the clear and perhaps in log files so probably not a production/public solution

The only other alternative would be an external system (database, file store, REST API) and write your action to resolve from there (which technically you could do for the vRO ConfigurationElement even but then you're back to where to get credentials from.... unless the workflow context has a pre-authorised token buried in it? @iiliev Is this a possibility?)

There must be a way to do this though - the additional runtimes are just shiny islands with limited use otherwise

Tags (1)
Reply
0 Kudos
ARuvVD11
Enthusiast
Enthusiast

I am trying to keep a service account private not just from end users, but also from any accidental exposure through a source code repository, which I am attempting to use to query different services to populate dropdowns for compute resources/services the end-users have rights to.

It seems one of the issues I attributed to the failure of everything I've tried so far, was in fact an issue with vRO and latest PowervRA module. I'll retry some of these ideas today with simpler code and see what happens.

 

Reply
0 Kudos
xian_
Expert
Expert

I'd replace PowervRA with vRA plugin 

Then you can code in plain old Javascript and store your credentials in config elements, as @eoinbyrne suggested

Reply
0 Kudos