9
Moof
6y

Security is a joke. And people don't seem to get it. Especially Data mungers.

I've spent about half an hour trying to work out how to securely connect to Power BI using PowerShell in a renewable manner for unattended access later on.

Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.

I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...

Comments
  • 0
    Environment vars?
  • 1
    @Hakash why use environment variables that you will load from a plain text environment file? Why not use the secure credentials store that comes built-in with Windows?
  • 0
    Don't you need credentials to access that?
  • 1
    Yes. Those of the logged-in user, or the credentials granted when you run the job through the Windows scheduler.
  • 2
    In Linux terms, by granting the setuid bit, or running cron as a particular user, you have access to the credentials store.
  • 1
  • 0
    @Hakash that’s a good start. But I was thinking of something closer to this: https://gallery.technet.microsoft.com/...
  • 0
    Well, I don't know PS all that well, but for getting creds and using them to access some api, that seems overly complicated, or at least verbose.

    But again, I don't know all the pitfalls.
  • 0
    Hold on till I get home, I have a script that uses Windows Credential Manager for just this purpose.

    As long as you keep the PowerShell script open that is... You don't want to have the script close and reopen later and still be able to auth?
  • 0
    @seraphimsystems I want to run it daily on a timer.
  • 0
    @Hakash it’s verbose, and more complicated, but much more secure than having a plain text password around...
  • 0
    @Moof https://interworks.com/blog/...

    Uses local device encryption to use and cannot be decrypted on another machine
  • 1
    reminder that TPMs are fucking flawed:
  • 1
    @Parzi is that a reason to just use username and password variables in a plain text file?
  • 0
    @Moof no but it is a reason to not use the TPM specifically.
  • 2
    welcome to level 3 of security enlightenment
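One way to get the unattended daily run the thread asks for without a password in the script, as an added example that is not code from any participant or from the linked posts. It assumes Windows, the MicrosoftPowerBIMgmt module, and an account that can sign in without MFA; the file path and the `-Enroll` switch are hypothetical names chosen for illustration.

```powershell
# Added example. -Enroll and the default path are illustrative assumptions.
[CmdletBinding()]
param(
    [switch]$Enroll,
    [string]$CredPath = (Join-Path $env:LOCALAPPDATA 'PbiJob\pbi-cred.xml')
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if ($Enroll) {
    # One-time, interactive step: run it AS the account the scheduled task uses.
    New-Item -ItemType Directory -Path (Split-Path -Parent $CredPath) -Force | Out-Null
    $cred = Get-Credential -Message 'Power BI account for the unattended job'
    # On Windows, Export-Clixml writes the password encrypted with DPAPI, so only
    # this user on this machine can decrypt it.
    $cred | Export-Clixml -Path $CredPath
    # Drop inherited permissions and leave access for the current user only.
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $acl = Get-Acl -Path $CredPath
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $me, 'FullControl', 'Allow'))
    Set-Acl -Path $CredPath -AclObject $acl
    return
}

# Unattended path: what the daily scheduled task executes.
if (-not (Test-Path -LiteralPath $CredPath)) {
    throw "No stored credential at $CredPath. Run with -Enroll as this account first."
}
try {
    $cred = Import-Clixml -Path $CredPath
} catch {
    # Decryption fails when the file was created by another user or on another machine.
    throw "Cannot decrypt $CredPath as $env:USERNAME on $env:COMPUTERNAME. Re-enroll. $($_.Exception.Message)"
}

Import-Module MicrosoftPowerBIMgmt
Connect-PowerBIServiceAccount -Credential $cred | Out-Null
try {
    # Placeholder workload: list a few workspaces to prove the session works.
    Get-PowerBIWorkspace | Select-Object -First 5 -Property Name
} finally {
    Disconnect-PowerBIServiceAccount
}
```

Enroll while logged in as the task's run-as account; a file enrolled under a different account fails at `Import-Clixml`, which is the behaviour described in the comment about not being decryptable on another machine.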