PowerShell execution with custom credentials

I am working on a Fixlet to run a PowerShell script using a custom service account. The below action script is working as expected. However, I have an additional requirement as outlined below.

Requirements:

  1. I need to use parameters for both the username and password so that values can be passed dynamically via the REST API from different tools during job execution.
  2. I need clarification on one of the following:
  • Whether it is possible to use an action parameter for the password in the override section so that the same parameter can be used when passing values through the REST API, or
  • If I am using password=required, what is the correct way to pass the password value when triggering the action via the REST API.

I need guidance on the supported and correct approach to meet this requirement.


// Disable WOW64 redirection so the action uses native (64-bit) paths on x64 systems
action uses wow64 redirection false

// PowerShell 2.0 check
//continue if {exists value "PowerShellVersion" whose (it as string = "2.0") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" of registry}

// Resolve PowerShell path
parameter "PowerShellexe" = "{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of native registry}"

// Ask for the service account user name at action time (the password query below is commented out)
action parameter query "svcUser" with description "Service account (DOMAIN\username or local username)"
//action parameter query "svcPassword" with description "Service account password"

// Run the script AS that account
override wait
hidden=true
runas=localuser
user={parameter "svcUser" of action}
password=required
wait powershell.exe -ExecutionPolicy Bypass -File "{(pathname of client folder of current site) & "__Download\PatchPrecheck.ps1"}"

I haven't ever tried to send a secret over to the task via RestAPI like you are trying to do, but there are some forum posts regarding this topic that you might want to review to see if they help you.
Create Action | BigFix Developer
There is an example on the BigFix Wiki for Server Automation that you might want to look at as well.
Notes for developers - BigFix Wiki Wiki

Secure Parameter substitution fail when running with REST API - Content Authoring - BigFix Forum

Pass secrets parameter value using REST API - Customizations - BigFix Forum

Passing secure parameter to fixlet through Api - BigFix Forum

<?xml version="1.0" encoding="UTF-8"?>
<BES xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="BES.xsd">
  <SourcedFixletAction>
    <SourceFixlet>
      <SiteName>name_of_site</SiteName>
      <FixletID>ID_of_fixlet</FixletID>
    </SourceFixlet>
    <Target>
      <!-- Target by ComputerID is required for secure parameters -->
      <ComputerID>123456</ComputerID>
      <ComputerID>789012</ComputerID>
    </Target>
    <Parameter Name="regular_parameter_name">regular_value</Parameter>
    <!-- Secure parameter comes after regular parameters -->
    <SecureParameter Name="secure_parameter_name">secure_value</SecureParameter>
  </SourcedFixletAction>
</BES>

It's not exactly what you're trying to do, but if you end up not wanting to pass the credential to RestAPI, we have done some things with KeePass databases using the PowerShell module PoShKeePass to copy the database down, and we use both a key file and an encrypted/decrypted master password on the database so that you would have to have both parts in order to use the database contents. Then we use PoShKeePass to look up the credentials that it needs from the KeePass database, run the action that it needs using those credentials, and then delete the database after it's finished. I'm not sure if that would be an option for you, but I thought I'd mention it.

It's very close though...there is a specific parameter name to use, that matches what the Console generates with 'password=generate', and we need to pass that as a SecureParameter...let me find a note on this.

Ah, found it, at Tip - Action Override User settings


Thanks @Jstev @JasonWalker. Below are the parameters with which I can test further through the REST API:

user : Parameter “svcUser”
password: Parameter “action override password”
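
An added example (not part of any post in this thread, and not BigFix's own code) that builds the request body in the shape of the XML sample above, with the user as a regular parameter and the password as a SecureParameter, and produces a masked copy for logging. It assumes Python 3.8+ and that the names `svcUser` and `action override password` from the last post are what the action expects (the thread leaves that to be tested); `build_action` and `redacted` are hypothetical helper names, and the site, IDs, account and secret are constructed values.

```python
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

def build_action(site, fixlet_id, computer_ids, params, secure_params):
    """Return BES XML (bytes) for a SourcedFixletAction, laid out like the thread's sample."""
    if not computer_ids or not all(isinstance(c, int) and c > 0 for c in computer_ids):
        # The sample notes that secure parameters require targeting by ComputerID.
        raise ValueError("secure parameters need explicit numeric ComputerID targets")
    overlap = set(params) & set(secure_params)
    if overlap:
        raise ValueError(f"parameter sent both in clear and as secure: {sorted(overlap)}")
    ET.register_namespace("xsi", XSI)
    bes = ET.Element("BES", {f"{{{XSI}}}noNamespaceSchemaLocation": "BES.xsd"})
    action = ET.SubElement(bes, "SourcedFixletAction")
    source = ET.SubElement(action, "SourceFixlet")
    ET.SubElement(source, "SiteName").text = site
    ET.SubElement(source, "FixletID").text = str(fixlet_id)
    target = ET.SubElement(action, "Target")
    for cid in computer_ids:
        ET.SubElement(target, "ComputerID").text = str(cid)
    for name, value in params.items():          # regular parameters first
        ET.SubElement(action, "Parameter", Name=name).text = value
    for name, value in secure_params.items():   # secure parameters after them
        ET.SubElement(action, "SecureParameter", Name=name).text = value
    # ElementTree escapes &, < and > in values, so secrets cannot break the XML.
    return ET.tostring(bes, encoding="UTF-8", xml_declaration=True)

def redacted(xml_bytes):
    """Copy of the request body that is safe to log: secure values are masked."""
    root = ET.fromstring(xml_bytes)
    for node in root.iter("SecureParameter"):
        node.text = "********"
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    body = build_action(
        "name_of_site", 1234, [123456, 789012],        # constructed placeholders
        {"svcUser": r"EXAMPLE\svc_patch"},              # constructed account name
        {"action override password": "p&ss<word>"},     # constructed secret
    )
    print(redacted(body))
```

Send the returned bytes as the request body and write only `redacted(body)` to logs or job output.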