Universal Automation is the script scheduler and job runner for PowerShell. It allows you to integrate with your existing scripts and git repo to schedule your scripts, run them ad-hoc and audit the output from them. In this blog post, we will look at how to run scripts using alternate credentials.

Configuring a Secret Manager

Credentials require the storage of sensitive data. To accommodate this, Universal Automation employs integration with third-party secret storage technologies rather than storing the secrets itself. Configuring a secret manager requires providing a get and set ScriptBlock to retrieve and optionally set secrets into the secret store of choice.

In this example, we will be using the PSSecretStore module. It's a simple wrapper around the .NET SecretStore library for creating simple-to-use, portable secret stores.

SecretStore uses symmetric encryption via a specified key file or password. First, we will create a key-file used to encrypt and decrypt our secrets.

To set secrets in PSSecretStore, we use the Set-SSSecret cmdlet and specify the -Name, -Value, -KeyPath and -StorePath parameters.

To retrieve secrets using PSSecretStore, we use the Get-SSSecret cmdlet. It requires the -Name, -StorePath and either the -KeyPath or -Password parameters to be specified.

In UA, we now need to integrate with PSSecretStore. We can define a new Secret Manager by using the New-UASecretManager cmdlet. We need to define a name, a get scriptblock and an optional set scriptblock. The get scriptblock receives a single parameter, 'Name', containing the name of the secret to return. The set scriptblock receives two parameters: the first is the name of the secret and the second is its value.

Now that we have created our secret manager, we can use it to specify credentials for our jobs. You can now set credentials into your secret store by using the Set-UAVariable cmdlet with the -Secret parameter specified. Unlike other variables in UA, the value will not be stored in the git repo.
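The whole secret-store setup described above, as an added example that is not code from the original post or from Ironman Software. It assumes the PSSecretStore module exposes New-SSKey alongside Set-SSSecret and Get-SSSecret, that New-UASecretManager takes -Name, -GetSecret and -SetSecret, and that Set-UAVariable takes -Name and -Value next to -Secret; the paths and the secret value are constructed placeholders.

```powershell
# Added example, not from the original post. Cmdlet parameter names marked
# "assumed" are not confirmed by the post; paths and values are placeholders.
Import-Module PSSecretStore
Import-Module UniversalAutomation

$KeyPath   = 'C:\ua\secrets\store.key'    # placeholder: keep OUTSIDE the git repo
$StorePath = 'C:\ua\secrets\store.json'   # placeholder

# 1. Create the symmetric key file once (New-SSKey -KeyPath is assumed) and
#    restrict it to the account the UA server runs as, because anyone who can
#    read the key file can decrypt every secret in the store.
if (-not (Test-Path $KeyPath)) {
    New-SSKey -KeyPath $KeyPath
    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting parent ACEs
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($env:USERNAME, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

# 2. Write one secret directly and read it back to confirm the store round-trips.
Set-SSSecret -Name 'svc-reports' -Value 'Example-Password-Placeholder' -KeyPath $KeyPath -StorePath $StorePath
if ((Get-SSSecret -Name 'svc-reports' -KeyPath $KeyPath -StorePath $StorePath) -ne 'Example-Password-Placeholder') {
    throw 'PSSecretStore round-trip failed; check key and store paths'
}

# 3. Register the secret manager in UA. Both scriptblocks execute on the UA
#    server, so the key and store paths are written literally inside them rather
#    than captured from this session's variables.
New-UASecretManager -Name 'PSSecretStore' -GetSecret {
    param($Name)
    Get-SSSecret -Name $Name -KeyPath 'C:\ua\secrets\store.key' -StorePath 'C:\ua\secrets\store.json'
} -SetSecret {
    param($Name, $Value)
    Set-SSSecret -Name $Name -Value $Value -KeyPath 'C:\ua\secrets\store.key' -StorePath 'C:\ua\secrets\store.json'
}

# 4. Store the service-account password through UA. Because -Secret is set, the
#    value is handed to the secret manager's set block and never lands in git.
Set-UAVariable -Name 'svc-reports' -Value 'Example-Password-Placeholder' -Secret
```

The literal paths inside the two scriptblocks are deliberate: a scriptblock that closes over `$KeyPath` from the interactive session would not carry that value when UA serializes and runs it on the server.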

Running a script as another user

To run an ad-hoc script as another user, we need to specify the -Credential parameter of Invoke-UAScript. The credential parameter accepts a credential object generated by Get-UACredential. Universal Automation doesn't use typical PSCredential objects, nor does it allow you to specify credentials on the command line; you must use a Secret Manager. To create a new credential object, we first get the UAVariable to use for the password. Then we use Get-UACredential to combine the username and that variable.

The Get-UAVariable cmdlet never returns the value of a secret variable. The same holds for the /variable REST API endpoint. The secret value is only ever retrieved when a script runs.

Now that we have a credential, we can pass it to Invoke-UAScript.

As you can see, the script ran as the specified user.

Scheduling a script to run as another user

Just as with Invoke-UAScript, New-UASchedule allows you to specify a UACredential to run the scheduled job as. Follow the same steps for creating a credential as above and pass the UACredential object to the -Credential parameter of New-UASchedule.
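Creating the credential, running a script ad-hoc and scheduling it under the same credential, as one added example covering both sections above; this is not code from the original post or from Ironman Software. It assumes the variable 'svc-reports' was stored with Set-UAVariable -Secret, and that Get-UAVariable takes -Name, Get-UACredential takes -UserName and -Variable, Get-UAScript takes -Name, Invoke-UAScript takes -Script and -Wait, Get-UAJobOutput takes -Job, and New-UASchedule takes -Script and -Cron; the script name, account and cron expression are constructed placeholders.

```powershell
# Added example, not from the original post. Parameter names other than
# -Credential and -Secret are assumptions; names and the account are placeholders.
Import-Module UniversalAutomation

# 1. Look up the secret variable by name. Only metadata comes back; a non-empty
#    Value here would mean the secret is being exposed outside of job execution.
$Variable = Get-UAVariable -Name 'svc-reports'
if ($Variable.Value) {
    throw 'Get-UAVariable returned a secret value; this should never happen'
}

# 2. Bind a username to the secret variable. No password is typed here; UA
#    resolves it through the secret manager's get block at run time.
$Credential = Get-UACredential -UserName 'CORP\svc-reports' -Variable $Variable

# 3. Run the script ad-hoc as that user and pull the output for auditing.
#    A WhoAmI.ps1 containing `whoami` in the repo is the assumed test script.
$Script = Get-UAScript -Name 'WhoAmI.ps1'
$Job    = Invoke-UAScript -Script $Script -Credential $Credential -Wait
$Output = Get-UAJobOutput -Job $Job
if ($Output -notmatch 'svc-reports') {
    throw "Job did not run as the expected account. Output: $Output"
}

# 4. Schedule the same script under the same credential (daily at 06:00).
New-UASchedule -Script $Script -Cron '0 6 * * *' -Credential $Credential
```

The check in step 3 is the one worth keeping in a deployment script: it turns "as you can see, the script ran as the specified user" into an assertion that fails loudly if the credential silently falls back to the service account.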

Conclusion

In this post, we looked at how to run and schedule scripts as another user account using the secret manager in Universal Automation. If you aren't playing with UA yet, you can install it from the PowerShell Gallery. The full example script can be found here.