Here's a doozy, hopefully someone has run into this before.
I created two scripts so that users can create their own snapshots. Script 1 is run locally and does not require PowerCLI. It's simple PowerShell that grabs a list of VMs and an email address for confirmation, and then runs an Invoke-Command to run a remote script against a server that has PowerCLI.
The second script pulls in the variables from the first, connects to the vCenters, then loops through the VM names, checking for existing snapshots, creates a new snapshot, then emails a confirmation. In order not to give everyone snapshot rights, I'm using a service account for the second script to connect to the vCenters and do all the work. Here's where I'm having issues...
I used the New-VICredentialStoreItem cmdlet to create a password xml file (see https://jackiechen.org/2011/11/02/powershell-using-credential-file-for-connect-viserver/). I then use these two commands to connect to the vCenters:
# Reads in the encrypted credential store files, then connects to both vCenters
$pricreds = Get-VICredentialStoreItem -File "C:\Scripts\srvacct2a-pri.xml"
$seccreds = Get-VICredentialStoreItem -File "C:\Scripts\srvacct2a-sec.xml"
# User and Password are properties of the store item returned above
Connect-VIServer -Server primary.vcenter -User $pricreds.User -Password $pricreds.Password | Out-Null
Connect-VIServer -Server secondary.vcenter -User $seccreds.User -Password $seccreds.Password | Out-Null
Instead of connecting, I get a pop-up stating the remote server is asking for credentials. If I hard-code the user/password into the script it works fine. If I paste the above lines into a local powershell window on the server, it works fine. Any ideas?
The items in a VICredentialsStore can only be decrypted by the same account and on the same computer where they were created.
Is that the case?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
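A quick way to confirm the point above is to run a diagnostic under exactly the identity the remote script gets, instead of Connect-VIServer. The block below is an added example, not code from the thread: it reports which Windows identity the Invoke-Command session runs as, which account owns the store file, and whether that identity gets a usable password out of the store. The file name is the one from the post; the computer name powercli-host is an assumption.

```powershell
# Added example: run the credential-store check under the same remote identity the
# users' script uses. If the store was created by another account or on another
# computer, Get-VICredentialStoreItem either throws or yields no usable password,
# which is what this reports.
$check = {
    param([string]$StoreFile)
    $runsAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    # Owner is normally the account that created the file (unless ownership was taken later)
    $owner  = (Get-Acl -Path $StoreFile).Owner
    $result = [ordered]@{
        RunsAs    = $runsAs
        FileOwner = $owner
        Computer  = $env:COMPUTERNAME
        Usable    = $false
        Error     = $null
    }
    try {
        $item = Get-VICredentialStoreItem -File $StoreFile -ErrorAction Stop
        # A decrypted item carries the password; an undecryptable one does not
        $result.Usable = -not [string]::IsNullOrEmpty($item.Password)
        $result['Host'] = $item.Host
        $result['User'] = $item.User
    } catch {
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

# Without -Credential, Invoke-Command runs the block as the invoking user, so RunsAs
# will be that user, not the service account that created the store file.
Invoke-Command -ComputerName powercli-host -ScriptBlock $check `
    -ArgumentList 'C:\Scripts\srvacct2a-pri.xml' | Format-List
```

If RunsAs and FileOwner differ, or Computer is not the machine where the store was created, the store cannot be decrypted in that session and the later Connect-VIServer will fall back to prompting.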
Hey Luc, was hoping you were out there somewhere! I thought that was the case, but now that I think through it, the script itself runs in the context of the user that runs it, and the credential file was created by the service account. I'll have to use another method. Thanks for the quick reply!
In case anyone finds this in the future, I created an encrypted password file using parts 1 and 2 of this blog series:
Secure Password with PowerShell: Encrypting Credentials - Part 1 - PDQ.com
It's not the greatest solution but it's better than clear text and better than having to give users snapshot rights. Thanks again Luc!
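For reference, the key-based variant of that approach (the PDQ series' Part 2) looks like the following. This is an added example, not the poster's script: a random AES key is stored in one file, the password encrypted with that key in another, and the PowerCLI script rebuilds a PSCredential from the two. Paths, the service account name, the reader group and the vCenter names are assumptions.

```powershell
# Added example: key-based encrypted password file for a PowerCLI service account.
# Unlike a VICredentialStore, a file written with ConvertFrom-SecureString -Key can be
# decrypted by ANY account that can read the key file, so the key file's ACL is the
# whole secret. Tested on Windows PowerShell 5.1.
$keyFile  = 'C:\Scripts\snapshot.key'      # assumption
$credFile = 'C:\Scripts\srvacct2a.pwd'     # assumption
$svcUser  = 'DOMAIN\srvacct2a'             # assumption
$readers  = 'DOMAIN\SnapshotUsers'         # assumption: accounts allowed to run the remote script

function New-EncryptedPasswordFile {
    # 256-bit key from the CSPRNG; ConvertFrom-SecureString -Key accepts 16, 24 or 32 bytes
    $key = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
    [IO.File]::WriteAllBytes($keyFile, $key)

    $secure = Read-Host -Prompt "Password for $svcUser" -AsSecureString
    $secure | ConvertFrom-SecureString -Key $key | Set-Content -Path $credFile -Encoding ASCII

    # Lock both files down: drop inherited ACEs, readers get read-only, Administrators full control
    foreach ($f in $keyFile, $credFile) {
        icacls $f /inheritance:r /grant:r "${readers}:(R)" 'Administrators:(F)' | Out-Null
    }
}

function Get-ServiceCredential {
    $key    = [IO.File]::ReadAllBytes($keyFile)
    # Trim the trailing newline Set-Content added, or ConvertTo-SecureString rejects the input
    $cipher = (Get-Content -Path $credFile -Raw).Trim()
    $secure = ConvertTo-SecureString -String $cipher -Key $key
    New-Object System.Management.Automation.PSCredential($svcUser, $secure)
}

# One-time setup (run as an administrator):
#   New-EncryptedPasswordFile
#
# In the second (PowerCLI) script, replace the -User/-Password pair with -Credential:
$cred = Get-ServiceCredential
Connect-VIServer -Server primary.vcenter   -Credential $cred | Out-Null
Connect-VIServer -Server secondary.vcenter -Credential $cred | Out-Null
```

The trade-off to keep in mind: because the remote script runs as the invoking user, every account in the reader group can read both files and recover the service account password, so this protects against casual disclosure and backups, not against the users themselves. Keeping the key file on the PowerCLI server only, and never copying it alongside the script, is the one thing that separates this from clear text.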
Another method I often use is to create a one-off Scheduled Task that runs under the System account.
And I have already created a VICredentialStore under the System account (again with a one-off Scheduled Task) before doing that.
The added security, besides the credentials, is that a user needs specific permissions to run a task under the System account.
Perhaps I should do a blog post about the concept.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
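The two one-off tasks described above, written out as an added example (not Luc's own code): a helper that registers a throw-away task under NT AUTHORITY\SYSTEM, starts it, waits for it to finish and removes it; a first run that creates the SYSTEM-owned VICredentialStore; and a second run that executes the snapshot script against that store. It needs the ScheduledTasks module (Windows 8 / Server 2012 or later) and local administrator rights, which is exactly the permission gate Luc mentions. The PowerCLI module name, paths, account and vCenter names are assumptions.

```powershell
# Added example: run a script once under SYSTEM via a throw-away Scheduled Task.
function Invoke-AsSystemOneOff {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$Arguments = '',
        [int]$TimeoutSeconds = 300
    )
    $taskName  = 'OneOff-' + [guid]::NewGuid().ToString('N')
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`" $Arguments"
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    $settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Seconds $TimeoutSeconds)
    Register-ScheduledTask -TaskName $taskName -Action $action -Principal $principal -Settings $settings | Out-Null
    try {
        Start-ScheduledTask -TaskName $taskName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 2
            $state = (Get-ScheduledTask -TaskName $taskName).State
        } while ($state -in 'Queued', 'Running' -and (Get-Date) -lt $deadline)
        # LastTaskResult is the exit code of the task's process (0 = success)
        return (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
    } finally {
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    }
}

# Step 1, once, as an administrator: create the credential store under SYSTEM.
# The password is typed here and written to a temporary script that only SYSTEM and
# Administrators can read; the file is deleted as soon as the task has run.
$svcUser   = 'DOMAIN\srvacct2a'                    # assumption
$storeFile = 'C:\Scripts\system-vicredstore.xml'   # assumption: explicit -File, not SYSTEM's default store
$secure    = Read-Host -Prompt "Password for $svcUser" -AsSecureString
$bstr      = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain     = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$plainEsc  = $plain -replace "'", "''"             # single quotes inside the password must be doubled

$tmp = Join-Path $env:ProgramData ('mkstore-' + [guid]::NewGuid().ToString('N') + '.ps1')
@"
Import-Module VMware.VimAutomation.Core   # assumption: module-based PowerCLI (6.5 or later)
New-VICredentialStoreItem -Host primary.vcenter   -User '$svcUser' -Password '$plainEsc' -File '$storeFile' | Out-Null
New-VICredentialStoreItem -Host secondary.vcenter -User '$svcUser' -Password '$plainEsc' -File '$storeFile' | Out-Null
"@ | Set-Content -Path $tmp -Encoding ASCII
icacls $tmp /inheritance:r /grant:r 'SYSTEM:(R)' 'Administrators:(F)' | Out-Null
try   { $rc = Invoke-AsSystemOneOff -ScriptPath $tmp }
finally { Remove-Item -Path $tmp -Force }
"Store creation exit code: $rc"

# Step 2, per request: run the snapshot script under SYSTEM. Inside that script the
# credentials come from the SYSTEM-owned store:
#   $c = Get-VICredentialStoreItem -Host primary.vcenter -File 'C:\Scripts\system-vicredstore.xml'
#   Connect-VIServer -Server primary.vcenter -User $c.User -Password $c.Password
$rc = Invoke-AsSystemOneOff -ScriptPath 'C:\Scripts\New-UserSnapshot.ps1' `
        -Arguments '-VMNames vm01,vm02 -Notify user@example.com'   # assumption: the script's parameters
"Snapshot run exit code: $rc"
```

Two things a practitioner should keep in view with this design. First, the store is now readable by anything running as SYSTEM on that server, so anyone with local administrator rights can recover it; the protection is that ordinary users cannot register or start a task as SYSTEM at all. Second, whatever ends up in the -Arguments string runs with SYSTEM on the box and with the service account's rights in vCenter, so the snapshot script should validate its VM names and addresses rather than trust them.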