
Via a Deployment Manager template, I need to create a Windows VM and have a user account created with a password that the end user specifies as an input.

So far, I have the following in my template:

  resources:
  - name: {{ properties["instance_name"] }}
    type: compute.v1.instance
    properties:
      ...
      metadata:
        items:
        - key: windows-startup-script-cmd
          value: |
              net user {{ properties["user_name"] }} {{ properties["user_pwd"] }}  /add


This works, but the disadvantage of this approach is that the password leaks out in the deployment details (I see the plain-text password in the "config" and "expanded config" sections) and maybe elsewhere.

Is there another way to achieve adding the user in GDM template?

Thanks.

premysl
  • For example, the Azure Resource Manager (ARM) template has a securestring parameter type. A securestring does not appear in the console (the password is masked). I didn't find an equivalent definition in the GDM schema. Can I specify that a provided input property is sensitive? – premysl Oct 22 '19 at 08:30
  • Hi @premysl, have you checked [Cloud Key Management Service](https://cloud.google.com/kms/)? This can have direct use with other Cloud resources and applications, including Cloud Deployment Manager. Take a look at the [documentation](https://cloud.google.com/deployment-manager/docs/configuration/supported-gcp-types#gc-wrapper) and let me know how it goes. Also, I found an [example](https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/cloudkms) that may come in handy. The idea here is to wrap your password and prevent it from showing in plain text. – sllopis Oct 22 '19 at 09:55
  • Moreover, I think this [official GitHub repo](https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/google/resource-snippets/cloudkms-v1) may give you a broader view of how to incorporate Cloud KMS into Cloud Deployment Manager. – sllopis Oct 22 '19 at 09:59
  • The problem here is that you're running commands as a startup script. The plain text will appear in the metadata of your instance. Even if you encrypt your GDM template, when the values are decrypted and passed to the Compute Engine API, the plain text will appear. – Patrick W Nov 01 '19 at 18:22
  • Essentially, because Windows users are not created or managed by GCP, it is difficult to incorporate the creation into GDM directly. – Patrick W Nov 01 '19 at 18:23
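The question and the last two comments describe the same exposure from two sides: a password placed in a `windows-startup-script-*` metadata value ends up in the expanded deployment config and in the instance metadata, whether it was typed as a literal or pulled in from a template property. The following scanner is an added example, not code from the question or from Google's Deployment Manager samples; it walks a Deployment Manager YAML config line by line, tracks which metadata `key` each value belongs to, and flags any `net user <name> <password> /add` command found under a startup-script key. The YAML is read with plain regexes rather than a YAML library so it runs offline, and the sample config below is constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional

# Metadata keys that Compute Engine executes as startup scripts. Their values are
# readable from the instance metadata server and the deployment's expanded config,
# so a credential placed in them is effectively stored in plain text.
STARTUP_SCRIPT_KEYS = {
    "windows-startup-script-cmd",
    "windows-startup-script-ps1",
    "windows-startup-script-bat",
    "startup-script",
}

# "- key: some-metadata-key" (optionally quoted) inside metadata.items
KEY_RE = re.compile(r'^\s*-\s*key:\s*["\']?(?P<key>[\w-]+)["\']?\s*$')
# Collapse '{{ properties["x"] }}' to '{{properties["x"]}}' so that a template
# reference becomes a single whitespace-free token for the command regex below.
TEMPLATE_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")
# "net user <name> <password> /add": the password is given on the command line.
NET_USER_ADD_RE = re.compile(
    r"\bnet\s+user\s+(?P<user>\S+)\s+(?P<pwd>\S+)\s+/add\b", re.IGNORECASE
)


class Finding(NamedTuple):
    line_no: int          # 1-based line within the config text
    metadata_key: str     # startup-script key that carried the command
    user: str             # account name as written in the template
    password_kind: str    # "template-property" (a {{ properties[...] }} ref) or "literal"


def find_startup_script_passwords(config_text: str) -> List[Finding]:
    """Return every startup-script command that passes an account password."""
    findings: List[Finding] = []
    current_key: Optional[str] = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        key_match = KEY_RE.match(raw)
        if key_match:
            # A new metadata item starts; remember which key its value belongs to.
            current_key = key_match.group("key")
            continue
        if current_key not in STARTUP_SCRIPT_KEYS:
            continue
        # Normalise template references, then look for the account-creation command.
        line = TEMPLATE_RE.sub(lambda m: "{{" + m.group(1) + "}}", raw)
        cmd = NET_USER_ADD_RE.search(line)
        if cmd:
            pwd = cmd.group("pwd")
            kind = "template-property" if pwd.startswith("{{") else "literal"
            findings.append(Finding(line_no, current_key, cmd.group("user"), kind))
    return findings


# Constructed sample config: one template-driven password (as in the question)
# and one hard-coded password, each under a different startup-script key.
SAMPLE_CONFIG = """\
resources:
- name: win-vm
  type: compute.v1.instance
  properties:
    metadata:
      items:
      - key: enable-oslogin
        value: "FALSE"
      - key: windows-startup-script-cmd
        value: |
          net user {{ properties["user_name"] }} {{ properties["user_pwd"] }}  /add
      - key: windows-startup-script-ps1
        value: |
          net user svc_backup P@ssw0rd! /add
"""

if __name__ == "__main__":
    for f in find_startup_script_passwords(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.metadata_key} creates user {f.user} "
              f"with a {f.password_kind} password visible in instance metadata")
```

Both findings are reported with the same weight: a `{{ properties["user_pwd"] }}` reference is only indirection in the template, because the expanded config and the instance metadata hold the resolved value. Running this over templates in a pre-deployment check is a cheap way to catch the pattern before a credential reaches the Compute Engine API.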
