I'm trying to build a PowerShell function that will create a Windows Scheduled Task on my on-prem server as part of my Azure release pipeline. It will need to run with "Run whether user is logged on or not", so I am passing it an AD service account user ID and password.
This works totally fine if I use a plain text password from a variable, but I would like to import the password from my Azure KeyVault. I'll call it "PasswordFromKeyVault".
I have added a new Variable Group, linked to the Keyvault and it retrieves the value correctly.
Here is the PowerShell script I am using in this step:
$TaskName = "HelloNewTaskWorld"
$Trigger = New-ScheduledTaskTrigger -At 10:02am -Daily
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\PowershellScripts\Somescript.ps1"
# $(...) is Azure Pipelines macro syntax, expanded by the agent before the script runs
$principal = New-ScheduledTaskPrincipal -UserId $(PlainTextUserIdVariable) -LogonType ServiceAccount
$description = "Testing AzureDevOps ability to deploy a fully configured scheduled task"
# As expected, outputs xxx to the console
Write-Host $(PasswordFromKeyVault)
# Register the task with the principal, then set the credential so it can run whether the user is logged on or not
Register-ScheduledTask -TaskName $TaskName -Description $description -Trigger $Trigger -Action $Action -Principal $principal -Force
Set-ScheduledTask -TaskName $TaskName -User $principal.UserID -Password $(PasswordFromKeyVault)
But when it runs, I receive the error message "The user name or password is incorrect":
2022-04-11T16:18:23.0724016Z Set-ScheduledTask : The user name or password is incorrect.
2022-04-11T16:18:23.0724884Z At C:\vstsagent\XW14Agent1\_work\_temp\90f67b9e-e6f7-4f71-9be9-fe24498f535e.ps1:16 char:1
2022-04-11T16:18:23.0725477Z + Set-ScheduledTask -TaskName $TaskName -User $principal.UserID -Passwo ...
2022-04-11T16:18:23.0726111Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-04-11T16:18:23.0726638Z + CategoryInfo : AuthenticationError: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Set-Scheduled
2022-04-11T16:18:23.0727110Z Task], CimException
2022-04-11T16:18:23.0727497Z + FullyQualifiedErrorId : HRESULT 0x8007052e,Set-ScheduledTask
I assume this is because the Azure Keyvault value is encrypted, and cannot be decrypted (which is exactly what I want), but does anyone know how I can create a credential using an already encrypted password?
The error "The user name or password is incorrect" can be resolved by checking and placing the retrieved password in double quotes to get the actual value, i.e. like:
"$(PasswordFromKeyVault)"
Please make sure to set an access policy or policies in Azure Key Vault for the Azure DevOps project application principal / service account with List/Get permissions on Secrets, and make sure the name of the KeyVault and azureSubscription are both correct.
You can refer to this blog.
Configure the environment variables (see the Stack Overflow reference).
Secret variables are usually encrypted, so to pass a secret to a script we can make use of the Environment section of the scripting task's input variables. If the environment variables in the pipeline are something like:
Name: password | Value: $(mypassword)
then try calling your variable with $env:password in your script.
Set up PS Credentials
$Username = "$env:USERDOMAIN\local-admin"
NOTE: Key Vault name and Secret name should be retrieved via "normal" variables using the inherited environment variable, for example:
# SecretValueText is deprecated in current Az.KeyVault versions; -AsPlainText (below) is the replacement
$Secret = (Get-AzKeyVaultSecret -VaultName "myKeyVaultName" -Name "kvTestSecret").SecretValueText
Write-Host "PowerShell Get-AzKeyVaultSecret: $Secret"
# Read the secret either from Key Vault directly or from the mapped environment variable
[string]$AdminPassword = Get-AzKeyVaultSecret -VaultName "***" -Name "***" -AsPlainText
# or: $AdminPassword = $env:password
[securestring]$SecureAdminPassword = $AdminPassword | ConvertTo-SecureString -AsPlainText -Force
# or: $Password = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecureAdminPassword
# or: $cred = New-Object System.Management.Automation.PSCredential($Username, $SecureAdminPassword)
# Then you can set up the Scheduled Task parameters
Check this.
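As an added example (not code from the question or the answer above), the following function applies the answer end to end: the Key Vault secret is mapped into the step's Environment section, read from $env:, validated, and passed to Register-ScheduledTask so the task runs whether the user is logged on or not. The variable names TASK_USER and TASK_PASSWORD, the function and parameter names, and the script path are assumptions made for this example.

```powershell
# Added example, not from the question or answer. Assumes the pipeline task's
# Environment section maps (names are assumptions for this example):
#   TASK_USER     = $(PlainTextUserIdVariable)
#   TASK_PASSWORD = $(PasswordFromKeyVault)
function Register-TaskWithSecret {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [Parameter(Mandatory)] [string] $ScriptPath,
        [string] $UserEnvVar     = 'TASK_USER',
        [string] $PasswordEnvVar = 'TASK_PASSWORD'
    )

    $user     = [Environment]::GetEnvironmentVariable($UserEnvVar)
    $password = [Environment]::GetEnvironmentVariable($PasswordEnvVar)

    # An unmapped secret arrives as an empty string, and the scheduler then
    # reports "The user name or password is incorrect" (HRESULT 0x8007052e).
    # Fail fast with a message that names the variable, never its value.
    if ([string]::IsNullOrEmpty($user)) {
        throw "Environment variable '$UserEnvVar' is empty; map the user ID in the task's Environment section."
    }
    if ([string]::IsNullOrEmpty($password)) {
        throw "Environment variable '$PasswordEnvVar' is empty; map the Key Vault secret in the task's Environment section."
    }

    $trigger = New-ScheduledTaskTrigger -Daily -At '10:02am'
    $action  = New-ScheduledTaskAction -Execute 'PowerShell.exe' `
                   -Argument "-NoProfile -File `"$ScriptPath`""

    # -User/-Password stores the credential with Task Scheduler and gives the
    # task the Password logon type, i.e. "Run whether user is logged on or not".
    # -ErrorAction Stop turns the CimException into a terminating error so the
    # pipeline step fails instead of continuing with a half-configured task.
    $task = Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
                -User $user -Password $password -RunLevel Limited -Force -ErrorAction Stop

    # Do not echo $password: the agent masks it in logs, but only by string match.
    $task | Select-Object TaskName, State, @{ n = 'LogonType'; e = { $_.Principal.LogonType } }
}

# Example call from the pipeline step (script path is an assumption):
Register-TaskWithSecret -TaskName 'HelloNewTaskWorld' -ScriptPath 'C:\PowershellScripts\Somescript.ps1'
```

The returned LogonType should read Password; if the step fails at the throw instead, the secret was not mapped into the environment, which is the same root cause as the error in the question.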