
I'm using a PowerShell script to automatically add new VMs in a scale set to my domain via the Custom Script Extension. In the script I wrote the password blank (in the testing environment only), because it has to run without any prompt. But this isn't very secure, so I want to use another way.

On my local computer I can write my password encrypted in a script, but in a scale set that isn't possible; otherwise we would have the same problem with the prompt.

Another idea is to write the password with PowerShell into a .txt file (encrypted) and store this file in Azure, so the new VM has to connect to Azure to get this file. But then we have the same issue with the authorization.

I hope you understand my problem. Do you have any suggestions?

Best regards

Eiffelsturm

2 Answers


Well, you can pass in the password as a parameter to the script using the Custom Script Extension? Or you can use a protected storage account. Either way works, in my mind.

https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#further-examples
https://github.com/Azure/azure-quickstart-templates/blob/master/201-vm-custom-script-windows/azuredeploy.json

4c74356b41
  • If I want to use a protected storage account, I have to use some authentication to the storage account. Then I have the same problem – Eiffelsturm Nov 07 '18 at 12:16

You could store the password in KeyVault and retrieve it in PowerShell using Get-AzureKeyVaultSecret. I prefer to pass KV secrets in my ARM template parameter files.

Ken W - Zero Networks
  • Thanks for your answer. Your idea with Azure KeyVault is interesting, but to get these vaults you have to log in to Azure, and that would cause the same problem with the password. Or am I wrong? – Eiffelsturm Oct 30 '18 at 10:58
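
The two answers combined, as an added example that is not part of the original thread: the secret is read from Key Vault at deployment time by an identity that is already signed in, and handed to the script through the Custom Script Extension's protected settings, so the new instance never logs in to Azure itself. It uses the Az module cmdlets (`Get-AzKeyVaultSecret` is the current name of the `Get-AzureKeyVaultSecret` cmdlet mentioned above); every resource name, the script URL, the domain and the account name are placeholders.

```powershell
# Part 1: contents of join-domain.ps1 (runs on each new instance; no Azure login there).
$joinScript = @'
param([string]$Domain, [string]$User, [string]$PasswordB64)
# Base64 only avoids command-line quoting problems; it is not protection.
$plain  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($PasswordB64))
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secure)
Add-Computer -DomainName $Domain -Credential $cred -Restart -Force
'@
Set-Content -Path .\join-domain.ps1 -Value $joinScript   # upload this file to $scriptUri

# Part 2: run by the operator or pipeline that is already signed in (Connect-AzAccount).
# All names below are placeholders.
$rg        = 'rg-example'
$vmssName  = 'vmss-example'
$vaultName = 'kv-example'
$scriptUri = 'https://<storage-account>.blob.core.windows.net/scripts/join-domain.ps1'

# Read the domain-join password from Key Vault at deployment time.
$secret   = Get-AzKeyVaultSecret -VaultName $vaultName -Name 'domain-join-password'
$password = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
$b64      = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($password))

# Public settings: only the script location.
$settings = @{ fileUris = @($scriptUri) }

# Protected settings are stored encrypted and decrypted only on the target VM.
# A private blob would add storageAccountName / storageAccountKey here as well.
$protected = @{
    commandToExecute = "powershell -ExecutionPolicy Unrestricted -File join-domain.ps1 " +
                       "-Domain example.local -User joinsvc -PasswordB64 $b64"
}

# Attach the extension to the scale set model; new instances run it on creation.
$vmss = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName
$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss -Name 'JoinDomain' `
    -Publisher 'Microsoft.Compute' -Type 'CustomScriptExtension' -TypeHandlerVersion '1.10' `
    -AutoUpgradeMinorVersion $true -Setting $settings -ProtectedSetting $protected
Update-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmss
```

The password is still visible in the script's process command line on the instance while it runs, so the join account should have no rights beyond adding computers to the domain.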