5

I have a simple PowerShell script (that's being run in a step in Octopus Deploy) that I'm trying to run as another user. We need it for future steps (each application on our platform runs as its own user account, and I need to be able to run an arbitrary script as that user during the deployment process).

The problem is that even the simplest script fails with completely unhelpful error messages, such as this:

$secpasswd = ConvertTo-SecureString $OctopusParameters["runAsPassword"] -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($OctopusParameters["runAsUsername"] , $secpasswd)

$job = Start-Job -scriptblock {
    whoami
} -credential $credential 

$job | Receive-Job -Wait

Which fails with the message:

The background process reported an error with the following message: .

The Octopus tentacle is running as a domain account with admin privileges on the machine.

I've completely exhausted all avenues of investigation now, but we really need to get this working. I think if we can't run a deployment script as a certain user then we're completely screwed.

Richiban
  • Have you tried to debug it? Does it error out at the receive-job line or inside the background job? Of course it will be tricky debugging the background job itself, but I think there is a wait-debugger cmdlet you can use. – Sid Sep 26 '17 at 11:53
  • Could this approach help? https://octopus.com/docs/installation/installing-tentacles/running-tentacle-under-a-specific-user-account-for-use-in-powershell – Sid Sep 26 '17 at 11:55
  • Thanks for your advice Rohin -- I'm already running the tentacle under a specific user account. I want to run a single *step* as a *different* user account. – Richiban Sep 26 '17 at 13:08
  • I seriously do not understand why it fails. I am not running it from Octopus but on ISE. It works perfectly for me. I know that the -Credential parameter on the start-job should be enough to change the user context, but since it isn't working for you, you could try to change the context from inside the scriptblock. Pass the PScredential object as an argument. – Sid Sep 26 '17 at 14:37
  • I have also seen that this script works just fine if I run it myself, but fails when I get Octopus to do so (regardless of what account I set the Tentacle to run as). I'm beginning to think that this is a bug or limitation of Octopus rather than a problem with the script or account setup. – Richiban Sep 26 '17 at 15:09
  • Can you please make sure that your PScredential object is proper? $Credential.getnetworkcredential().password and $credential.username should give you back the username and password. – Sid Sep 26 '17 at 15:10
  • @RohinSidharth Correct, both those expressions print the correct values to the log. – Richiban Sep 26 '17 at 15:12
  • Maybe take a look: https://stackoverflow.com/questions/26915264/powershell-job-with-alternate-credentials-from-octopus-deploy – Sid Sep 26 '17 at 15:16
  • If you don't create and pass the credentials, do you still get an error? – gvee Sep 28 '17 at 08:11
  • @gvee No, the script block works fine, but it runs as the user the Tentacle runs as. – Richiban Sep 28 '17 at 13:57

1 Answer

0

Nearly three years later I have the same issue... I tried writing the code to a temporary file and using Start-Process, but couldn't get that to work either.

In the end, I wrote the code to file, and then ran it through the Windows task scheduler.

John Fouhy
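The Task Scheduler workaround mentioned in the answer could look like the following. This is an added example, not code from the question or the answer. The function name, task name and working folder are hypothetical, and it assumes the ScheduledTasks module, an elevated caller, and a target account that holds the "Log on as a batch job" right.

```powershell
# Added example, not from the original post. Assumes the ScheduledTasks module
# (Windows 8 / Server 2012+), an elevated caller, and that the target account
# has the "Log on as a batch job" right. Names and paths are hypothetical.
function Invoke-ScriptAsUser {
    param(
        [Parameter(Mandatory)] [string] $ScriptText,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $TimeoutSeconds = 120
    )
    $taskName   = 'RunAs-' + [guid]::NewGuid().ToString('N')
    $workDir    = Join-Path $env:ProgramData $taskName
    $scriptPath = Join-Path $workDir 'step.ps1'
    $outputPath = Join-Path $workDir 'output.log'
    New-Item -ItemType Directory -Path $workDir | Out-Null
    try {
        # Script and output may hold secrets: drop inherited ACEs and allow only
        # Administrators, SYSTEM and the target account into the folder.
        icacls $workDir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' `
            '*S-1-5-18:(OI)(CI)F' "$($Credential.UserName):(OI)(CI)M" | Out-Null

        # Capture every output stream in a file; exit 1 on a terminating error.
        Set-Content -Path $scriptPath -Value (
            "try { & { $ScriptText } *> '$outputPath' } " +
            "catch { `$_ *>> '$outputPath'; exit 1 }")

        $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument `
            "-NoProfile -NonInteractive -File `"$scriptPath`""
        # Register-ScheduledTask takes the password as plain text, so decrypt it
        # only here; the scheduler keeps it until the task is unregistered below.
        Register-ScheduledTask -TaskName $taskName -Action $action `
            -User $Credential.UserName `
            -Password $Credential.GetNetworkCredential().Password | Out-Null

        Start-ScheduledTask -TaskName $taskName
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            Start-Sleep -Seconds 1
            $state = (Get-ScheduledTask -TaskName $taskName).State
        } while (($state -in 'Running', 'Queued') -and ((Get-Date) -lt $deadline))
        if ($state -eq 'Running') { Stop-ScheduledTask -TaskName $taskName; throw 'Timed out' }
        [pscustomobject]@{
            ExitCode = (Get-ScheduledTaskInfo -TaskName $taskName).LastTaskResult
            Output   = Get-Content -Path $outputPath -Raw -ErrorAction SilentlyContinue
        }
    }
    finally {
        Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
        Remove-Item -Path $workDir -Recurse -Force
    }
}
```

With the `$credential` object built in the question, `Invoke-ScriptAsUser -ScriptText 'whoami' -Credential $credential` returns the task's exit code and its captured output.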