domrein
Contributor

Orchestrator hide password from input in log


Hi Community,

I am new to orchestrator and started to create some workflows. Everything is working fine!

I have username and password as inputs; the password is a secure string - I want to use it with embedded PowerCLI.

This is working fine, but the password is (as all other inputs are) displayed in the log.

2020-06-26 10:23:00.000 +02:00 INFO __item_stack:/item1

2020-06-26 10:23:04.000 +02:00 INFO Inputs were {"user":"domain\\user","target":"hostname.fqdn.de","password":"P@ssw0rd"}

2020-06-26 10:23:05.000 +02:00 INFO __item_stack:/item13

This is not optimal, how can I stop this behaviour? Or replace the password with ****?

0 Kudos
1 Solution

Accepted Solutions
iiliev
VMware Employee

Hi,

In scripting code, the values of type SecureString are pretty much the same as the values of type string. When you call something like System.log("Input was " + mySecureStringValue);, the server code sees an attempt to log a plain string value; it does not have enough context to detect that mySecureStringValue in the above call is actually a workflow input of type SecureString.

Note that Orchestrator tries to avoid dumping sensitive values in the logs when possible. For example, if an error is thrown in your workflow, the server will dump the workflow inputs in the log, but at this time it will know that the data going to the log are the workflow input, and will be able to check the type of each input field and 'hide' the SecureString values.


0 Kudos
5 Replies
NateApex
Contributor

Are you running an out of the box workflow? Which one? If not, can you paste the code of the custom workflow?

0 Kudos
lnairn
VMware Employee

Hi,

Is it a XaaS or an extensibility workflow?

Regards

0 Kudos
siglert
Enthusiast

In PowerCLI, use the --cred instead of password and pass the secure string in; this should not log to the system.log.

0 Kudos
domrein
Contributor

This was actually helping me to find my fault...

I didn't recognize that if you select "PowerCLI" as scripting language it automatically adds this code:

Write-Host  "Inputs were $inputsString"

Wow - this was kind of obvious... Thank you all for your help...

0 Kudos
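
The fix the thread arrives at, as an added example that is not part of any post above and not VMware's own code: log a masked copy of the inputs instead of the raw ones, and wrap the password in a PSCredential for later cmdlets. It assumes the scripting item exposes a `Handler($context, $inputs)` function and that `$inputs` is a hashtable with the keys seen in the question's log line; `Get-RedactedInputs` and `$SensitiveKeys` are hypothetical names.

```powershell
# Added example. Assumption: $inputs is a hashtable with the keys shown in the
# question's log line (user, target, password).
$SensitiveKeys = @('password')   # assumption: names of the SecureString inputs

function Get-RedactedInputs {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Inputs,
        [string[]] $Sensitive = $SensitiveKeys
    )
    # Build a copy so the real inputs stay usable; -contains is case-insensitive.
    $copy = [ordered]@{}
    foreach ($key in $Inputs.Keys) {
        if ($Sensitive -contains $key) { $copy[$key] = '****' }
        else { $copy[$key] = $Inputs[$key] }
    }
    return $copy
}

function Handler($context, $inputs) {
    # Replaces the generated line: Write-Host "Inputs were $inputsString"
    $inputsString = Get-RedactedInputs -Inputs $inputs | ConvertTo-Json -Compress
    Write-Host "Inputs were $inputsString"

    # Hand the secret to cmdlets as a credential object, never as a string
    # interpolated into a command line or a log message.
    $secure = ConvertTo-SecureString -String $inputs.password -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential($inputs.user, $secure)
    # e.g. Connect-VIServer -Server $inputs.target -Credential $cred

    return @{ status = 'done'; user = $cred.UserName }
}

# Constructed sample input mirroring the log line in the question.
$sample = @{ user = 'domain\user'; target = 'hostname.fqdn.de'; password = 'P@ssw0rd' }
Handler -context $null -inputs $sample | Out-Null
```

Any other `Write-Host` or `System.log` call that interpolates the password directly would still write it in clear text, as the accepted answer explains.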