VMware Cloud Community
AlbertWT
Virtuoso

Configuring VMware PowerCLI to run with gMSA (Secure group managed service accounts)

Would it be possible to configure the VMware PowerCLI to be executed by Windows Scheduled Task under a gMSA (Secure group managed service accounts) account?

The goal here is to avoid hard-coding passwords in the script, but still allow the script to run against multiple vCenter servers.

/* Please feel free to provide any comments or input you may have. */
3 Replies
LucD
Leadership

Haven't tried GMSA, because I found it to be too complex and limited to Windows platforms.

I preferred using a Vault with the help of the SecretManagement and SecretStore modules.
That solution is platform-independent and achieves the same effect, no hard-coded passwords.
Plus it allows you to use several of the known Security Vaults on the market.

Have a look at "SecretManagement and SecretStore are Generally Available" and "Overview of the SecretManagement and SecretStore modules" for more info.

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

AlbertWT
Virtuoso

Thank you for the quick reply @LucD,
May I know what the code looks like when utilizing the SecretManagement and SecretStore modules?

Any example would be greatly appreciated.
/* Please feel free to provide any comments or input you may have. */
LucD
Leadership

It all depends a bit on which Vault you decide to use.

The simplest is to use the default Vault, which doesn't require any other product.
Needless to say, this is also the least secure method.
The Master password is something you could store in a well-guarded file and access it with Export-CliXml and Import-CliXml.
Needless to say, this is the weak point of using the default Vault.

You first have to define and set up the Vault.

Register-SecretVault -Name MySecrets -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

$vaultPswd = 'VMware1!'
$storeConfiguration = @{
    Authentication = 'Password'
    PasswordTimeout = 3600 
    Interaction = 'None'
    Password = ConvertTo-SecureString -String $vaultPswd -AsPlainText -Force
    Confirm = $false
}
Set-SecretStoreConfiguration @storeConfiguration

To store something in the Vault you can add a Secret.

# Unlock the Vault with the Master password
Unlock-SecretStore -Password (ConvertTo-SecureString -String $vaultPswd -AsPlainText -Force)

# Store a secret
$user = 'administrator@vsphere.local'
$pswd = 'VMware1!'
$cred = New-Object -TypeName PSCredential -ArgumentList $user,(ConvertTo-SecureString -String $pswd -AsPlainText -Force)
Set-Secret -Name 'vCenter' -Secret $cred -Metadata @{Info='My vCenter secret'}

Now to access the Vault and retrieve those stored credentials, you can do

# Retrieve the stored PSCredential (in a new session, Unlock-SecretStore must run first)
$cred = Get-Secret -Name vCenter
Connect-VIServer -Server MyVCSA -Credential $cred

Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

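As an added example (not code from the thread or from LucD), this ties the default-vault approach back to the original question: the master password is kept in a file written by Export-CliXml, which on Windows is DPAPI-protected for the account and machine that wrote it, so it must be created by the same account the scheduled task runs as, and the task then connects to every vCenter whose credential is in the vault. It assumes the vault MySecrets from the reply above is already registered; the file path and server names are placeholders.

```powershell
# ---- One-time setup: run interactively as the scheduled-task account ----
# Export-Clixml protects the SecureString with DPAPI for this user on this machine,
# so only that account can read the master password back. Restrict the file's NTFS ACL.
$masterFile = 'C:\Scripts\vault-master.xml'   # assumed path
Read-Host -Prompt 'Vault master password' -AsSecureString | Export-Clixml -Path $masterFile

# Unlock the vault and store one PSCredential per vCenter, named by server
Unlock-SecretStore -Password (Import-Clixml -Path $masterFile)
foreach ($vc in 'vcsa01.example.local', 'vcsa02.example.local') {   # assumed server names
    Set-Secret -Vault MySecrets -Name "vCenter-$vc" -Secret (Get-Credential -Message "Credential for $vc")
}

# ---- Scheduled-task script: no password appears in clear text in this file ----
$masterFile = 'C:\Scripts\vault-master.xml'
Unlock-SecretStore -Password (Import-Clixml -Path $masterFile)

# Discover the vCenters from the secret names, so the script carries no server list
$vcSecrets = Get-SecretInfo -Vault MySecrets -Name 'vCenter-*'

foreach ($info in $vcSecrets) {
    $server = $info.Name -replace '^vCenter-', ''
    $vi = $null
    try {
        $vi = Connect-VIServer -Server $server -Credential (Get-Secret -Name $info.Name -Vault MySecrets) -ErrorAction Stop
        # Place the real work here; this just reports host connection state
        Get-VMHost -Server $vi | Select-Object Name, ConnectionState
    }
    catch {
        Write-Warning "Could not connect to ${server}: $($_.Exception.Message)"
    }
    finally {
        if ($vi) { Disconnect-VIServer -Server $vi -Confirm:$false }
    }
}
```

Because Interaction is set to 'None' in the vault configuration above, a locked vault fails fast instead of prompting, which is what you want in an unattended task.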