Azure Automation DSC - Using PSCredential in DSC Configuration

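I'm trying to pass PSCredentials to a DSC configuration intended for deployment via Azure Automation DSC, but I can't seem to get it working with either of the two documented methods.

1) The first method says a PSCredential can be added to the credential store associated with the Automation account used for DSC. All the documentation I can find references the Azure classic portal and instructs you to select a credential 'type.' However, Azure Automation management is no longer available in the classic portal, and the new portal doesn't have a 'type' dropdown for a new credential; the type is 'Microsoft.Azure.Commands.Automation.Model.CredentialInfo' - which doesn't contain the getnetworkcredential() method that the pscredential type has (needed to get the plaintext password from within the DSC configuration to set up a new user [User DSC resource]). Am I missing something here, or is Azure in a weird state because the Automation functionality is switching from the classic portal to the new one? I've also tried using Get-AutomationPSCredential to read the credential I added in the new portal, to see if it does the type conversion implicitly, but that doesn't work either (no object is found under that name).

2) The documentation also says that adding a param() block and specifying pscredentials as parameters will dynamically populate those exact same parameters during compilation, so the values can be filled in when compiling via the portal... though this doesn't happen, and the compilation job doesn't recognize 'param,' throws a terminating exception and stops.

The code looks like this: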

$configdata = @{
    AllNodes = @(
        @{
            NodeName = "samplenode"
            PSDSCAllowPlainTextCredential = $true
        }
    )
}

configuration testconfig {
    Import-DSCResource -ModuleName PSDesiredStateConfiguration

    param (
        [pscredential]$cred
    )

    Node $AllNodes.NodeName {
        User testuser {
            "blah blah blah"
        }
    }
}

Any help would be much appreciated, thanks!

Go to the Azure Automation credentials and create a credential object. Upload the DSC configuration:

Import-AzureRmAutomationDscConfiguration -SourcePath 'somepath'  `
-ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName -Published -Force

Prepare the configuration data and parameters:

$ConfigurationData = @{ 
    AllNodes = @(
        @{
            NodeName = $nodeName
            PSDscAllowPlainTextPassword = $true
        }
    )
}

$Parameters = @{
    "nodeName" = $nodeName
    "cred" = 'Azure Automation Credentials Name'
}

And compile it:

Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccountName `
-ConfigurationName 'anything' -Parameters $Parameters -ConfigurationData $ConfigurationData 

I ended up raising a case with MS because the documentation on GitHub is either misleading or completely wrong, and they provided a very detailed response and helpful guidance... see below:

  1. For the command line, these are the best articles if you haven’t already seen them:
     https://msdn.microsoft.com/en-us/powershell/dsc/configData
     https://msdn.microsoft.com/en-us/powershell/dsc/configdatacredentials
     https://docs.microsoft.com/en-us/azure/automation/automation-dsc-compile#credential-assets

  2. The correct PowerShell command to use when retrieving credential assets is: Get-AutomationPSCredential
     I suspect this is where some additional explanation might be helpful.

One crucial difference is:
• Get-AutomationPSCredential returns a value of type [PSCredential]
• Get-AzureAutomationCredential returns a value of type [CredentialInfo]
• Get-AzureRMAutomationCredential returns a value of type [CredentialInfo]
• [CredentialInfo] cannot be used in place of [PSCredential]

Another difference is:
• Get-AutomationPSCredential retrieves the credential at compile time, and not run time.
• The credential is compiled into the mof
• Hence the requirement for PSDscAllowPlainTextPassword = $true
• The mof compiler is not aware that Azure Automation encrypts the mof

Another major difference is:
• Get-AzureAutomationCredential and Get-AzureRMAutomationCredential execute at run time.
• Hence, the script must log in to Azure before they can be used.
• There is really no reason to use these cmdlets in a DSC Configuration.
• I did try it once just to see if it would work and it does (but only after a successful Azure login)

Having said this, I did notice Get-AzureRMAutomationCredential used in a Microsoft article that you referenced.
https://github.com/Microsoft/azure-docs/blob/master/articles/automation/automation-dsc-compile.md#credential-assets

This article is incorrect and the configuration will not work as-is for two reasons:
• Credential expects a value of type [PSCredential] (a value of type [CredentialInfo] will not work)
• The DSC Configuration in the article does not log in to Azure and so Get-AzureRMAutomationCredential will fail

I can understand that three different PowerShell commands for retrieving an Automation Credential Asset might be confusing. Allow me to add one further bit of clarification:
• Get-AzureAutomationCredential uses the Azure Service Management API (ASM)
• Get-AzureRMAutomationCredential uses the Azure Resource Management API (ARM)
• ASM corresponds with the old Azure portal, ARM corresponds with the new Azure portal (Ibiza)
• ASM came before ARM and continues to be supported for backward compatibility.
• The Get-AutomationPSCredential was created for Automation Runbooks
• It works in Azure Automation DSC (but it does not work in Windows PowerShell DSC)
• All of the Orchestrator.AssetManagement.Cmdlets also work in Azure Automation DSC
• You can find them in the Azure portal by editing a runbook and expanding cmdlets in the left pane
• The following article also describes these cmdlets albeit in the context of a runbook. https://azure.microsoft.com/en-us/blog/getting-started-with-azure-automation-automation-assets-2/

The important thing to remember is that Orchestrator.AssetManagement.Cmdlets are
• intended for use exclusively within the Automation environment (e.g., a Runbook or DSC configuration)
• cannot be used anywhere else and will not work in an interactive PowerShell session.
• and in a DSC configuration they are evaluated at compile time and not at runtime
• DSC configurations are compiled into static definitions (MOF), not executable code
• the only exception is the Script resource, which does execute PowerShell at runtime https://msdn.microsoft.com/en-us/PowerShell/DSC/scriptResource
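Putting the points of the response above together, as an added example that is not part of the original answers or of Microsoft's reply: a configuration that reads a credential asset with Get-AutomationPSCredential at compile time and hands the resulting [PSCredential] straight to the User resource, followed by the matching compilation call. The configuration name `TestConfig`, the asset name `LocalUserCred`, the node and user names, and the `$ResourceGroupName` / `$AutomationAccountName` variables are assumptions.

```powershell
# --- TestConfig.ps1: the configuration imported into Azure Automation ---
Configuration TestConfig {
    # param() has to be the first statement in the configuration body,
    # ahead of Import-DscResource.
    param (
        [Parameter(Mandatory = $true)]
        [string]$UserName
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    # Evaluated once, at compile time, and only inside Azure Automation.
    # Returns [PSCredential], not [CredentialInfo].
    # 'LocalUserCred' is an assumed credential asset name.
    $cred = Get-AutomationPSCredential -Name 'LocalUserCred'

    Node $AllNodes.NodeName {
        User LocalUser {
            UserName = $UserName
            # Password takes the [PSCredential] object itself, so the
            # configuration never calls GetNetworkCredential().
            Password = $cred
            Ensure   = 'Present'
        }
    }
}

# --- Run separately from an authenticated Azure PowerShell session ---
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName = 'samplenode'   # assumed node name
            # The credential is compiled into the MOF, and the MOF compiler
            # is not aware that Azure Automation encrypts the MOF.
            PSDscAllowPlainTextPassword = $true
        }
    )
}

# $ResourceGroupName and $AutomationAccountName are assumed to be set already.
Start-AzureRmAutomationDscCompilationJob -ResourceGroupName $ResourceGroupName `
    -AutomationAccountName $AutomationAccountName -ConfigurationName 'TestConfig' `
    -Parameters @{ UserName = 'testuser' } -ConfigurationData $ConfigurationData
```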