Hi Community,
I am new to orchestrator and started to create some workflows. Everything is working fine!
I have username and password as input, the password is a secure string - I want to use it with embedded PowerCLI.
This is working fine, but the password is (as all other inputs are) displayed in the log.
2020-06-26 10:23:00.000 +02:00 INFO __item_stack:/item1
2020-06-26 10:23:04.000 +02:00 INFO Inputs were {"user":"domain\\user","target":"hostname.fqdn.de","password":"P@ssw0rd"}
2020-06-26 10:23:05.000 +02:00 INFO __item_stack:/item13
This is not optimal, how can I stop this behaviour? Or replace the password with ****?
Hi,
In scripting code, the values of type SecureString are pretty much the same as the values of type string. When you call something like System.log("Input was " + mySecureStringValue);, the server code sees an attempt to log a plain string value, it does not have enough context to detect that mySecureStringValue in the above call is actually a workflow input of type SecureString.
Note that Orchestrator tries to avoid dumping sensitive values in the logs when possible. For example, if an error is thrown in your workflow, the server will dump the workflow inputs in the log, but at this time it will know that the data going to the log are the workflow input, and will be able to check the type of each input field and 'hide' the SecureString values.
Are you running an out of the box workflow? Which one? If not, can you paste the code of the custom workflow?
Hi,
Is it a XaaS or an extensibility workflow?
Regards
In PowerCLI, use the --cred instead of password and pass the secure string in; this should not log to the system.log.
Hi,
In scripting code, the values of type SecureString are pretty much the same as the values of type string. When you call something like System.log("Input was " + mySecureStringValue);, the server code sees an attempt to log a plain string value, it does not have enough context to detect that mySecureStringValue in the above call is actually a workflow input of type SecureString.
Note that Orchestrator tries to avoid dumping sensitive values in the logs when possible. For example, if an error is thrown in your workflow, the server will dump the workflow inputs in the log, but at this time it will know that the data going to the log are the workflow input, and will be able to check the type of each input field and 'hide' the SecureString values.
This was actually helping me to find my fault...
I didn't recognize that if you select "PowerCLI" as the scripting language it automatically adds this code:
Write-Host "Inputs were $inputsString"
Wow - this was kind of obvious... Thank you all for your help...
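The root cause found in this thread is the generated Write-Host line, which serialises every input, including the password, into the log. As an added example (not code from the thread or from VMware's template), here is one way to keep that log line while masking secrets and handing the password to PowerCLI as a credential object. The Handler($context, $inputs) signature, the Get-RedactedInputs helper and the $SensitiveKeys list are assumptions; the input names user, target and password are taken from the log line quoted above.

```powershell
# Added example; helper name and key list are hypothetical.
# Assumption: names of workflow inputs that must never reach the log.
$SensitiveKeys = @('password')

function Get-RedactedInputs {
    param(
        [Parameter(Mandatory)] $Inputs,
        [string[]] $Sensitive = $SensitiveKeys
    )
    # Copy name/value pairs whether $Inputs is a hashtable or an object,
    # so the original inputs stay usable after logging.
    $safe = [ordered]@{}
    if ($Inputs -is [System.Collections.IDictionary]) {
        foreach ($k in $Inputs.Keys) { $safe["$k"] = $Inputs[$k] }
    } else {
        foreach ($p in $Inputs.PSObject.Properties) { $safe[$p.Name] = $p.Value }
    }
    # -contains compares strings case-insensitively, so 'Password' is masked too.
    foreach ($k in @($safe.Keys)) {
        if ($Sensitive -contains $k) { $safe[$k] = '****' }
    }
    return $safe
}

# Assumed entry point of the PowerCLI scriptable task.
function Handler($context, $inputs) {
    # Same log line as the generated code, built from the masked copy.
    $inputsString = Get-RedactedInputs -Inputs $inputs | ConvertTo-Json -Compress
    Write-Host "Inputs were $inputsString"

    # The SecureString input arrives as a plain string in the script, so wrap it
    # once and pass a credential object instead of a -Password argument.
    $secure = ConvertTo-SecureString $inputs.password -AsPlainText -Force
    $cred   = [pscredential]::new($inputs.user, $secure)
    Connect-VIServer -Server $inputs.target -Credential $cred | Out-Null

    return @{ status = 'done' }
}
```

With the inputs from the original post, the log line becomes `Inputs were {"user":"domain\\user","target":"hostname.fqdn.de","password":"****"}`.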