0

I'm trying to build a PowerShell function that will create a Windows Scheduled Task on my on-prem server as part of my Azure release pipeline, which will need to run with the "Run whether user is logged on or not" option, so I am passing it an AD service account UserID & password.

This works totally fine if I use a plain text password from a variable, but I would like to import the password from my Azure KeyVault. I'll call it "PasswordFromKeyVault".

I have added a new Variable Group, linked to the Keyvault and it retrieves the value correctly.

Here is the PowerShell script I am using in this step:

$TaskName = "HelloNewTaskWorld"
$Trigger= New-ScheduledTaskTrigger -At 10:02am -Daily

$Action= New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "C:\PowershellScripts\Somescript.ps1"

$principal = New-ScheduledTaskPrincipal -UserId $(PlainTextUserIdVariable) -LogonType ServiceAccount
$description = "Testing AzureDevOps ability to deploy a fully configured scheduled task"

#As expected, outputs xxx to the console
Write-Host $(PasswordFromKeyVault)


Register-ScheduledTask -TaskName $TaskName -Description $description -Trigger $Trigger -Action $Action -Principal $principal -Force
Set-ScheduledTask -TaskName $TaskName -User $principal.UserID -Password $(PasswordFromKeyVault)

But when it runs, I receive the error message "The user name or password is incorrect":

2022-04-11T16:18:23.0724016Z Set-ScheduledTask : The user name or password is incorrect.
2022-04-11T16:18:23.0724884Z At C:\vstsagent\XW14Agent1\_work\_temp\90f67b9e-e6f7-4f71-9be9-fe24498f535e.ps1:16 char:1
2022-04-11T16:18:23.0725477Z + Set-ScheduledTask -TaskName $TaskName -User $principal.UserID -Passwo ...
2022-04-11T16:18:23.0726111Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2022-04-11T16:18:23.0726638Z     + CategoryInfo          : AuthenticationError: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Set-Scheduled 
2022-04-11T16:18:23.0727110Z    Task], CimException
2022-04-11T16:18:23.0727497Z     + FullyQualifiedErrorId : HRESULT 0x8007052e,Set-ScheduledTask

I assume this is because the Azure Keyvault value is encrypted, and cannot be decrypted (which is exactly what I want), but does anyone know how I can create a credential using an already encrypted password?

1
  • I think you have to send the password as a secure string.
    $Password = "ABCDEF@1234"
    $passwordFromKeyVault = ConvertTo-SecureString -AsPlainText $Password -Force
    Commented Apr 12, 2022 at 5:37

1 Answer

1

Edit - 17/04/2022


The error "The user name or password is incorrect" can be resolved by checking and placing the retrieved password in double quotes to get the actual value, i.e. like

"$(PasswordFromKeyVault)"

14/04/2022

  1. Please make sure to set an access policy or policies in Azure Key Vault for the Azure DevOps project application principal/service account with List/Get permissions on Secrets, and make sure the name of the KeyVault and azureSubscription are both correct. You can refer to this blog.

  2. Configure the environment variables; see Stack Overflow reference.

    Secret variables are usually encrypted. So to pass a secret to a script, we can make use of the Environment section of the
    scripting task's input variables. If environment variables in
    the pipeline are something like:

    Name: password | value: $(mypassword)

    Now, try calling your variable with $env:password in your script.

Set-up PS Credentials

$Username = "$env:USERDOMAIN\local-admin"

NOTE: Key Vault name and Secret name should be retrieved via “normal” variables using inherited environment variable, for example:

$Secret = (Get-AzKeyVaultSecret -VaultName "myKeyVaultName" -Name "kvTestSecret").SecretValueText
 Write-Host  "PowerShell Get-AzKeyVaultSecret: $Secret"

References:

[string]$AdminPassword = Get-AzKeyVaultSecret -VaultName "***" -Name "***" -AsPlainText
# or: $AdminPassword = $env:password
[securestring]$SecureAdminPassword = $AdminPassword | ConvertTo-SecureString -AsPlainText -Force
# or: $Password = ConvertTo-SecureString "PasswordHere" -AsPlainText -Force

$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecureAdminPassword
# or: $cred = New-Object System.Management.Automation.PSCredential($Username, $SecureAdminPassword)

# Then you can set up the Scheduled Task parameters

Check this.

References:

  1. Dynamically get KeyVault secret in Azure DevOps Powershell script - Stack Overflow
  2. Azure Key Vault task - Azure Pipelines | Microsoft Docs
  3. about Quoting Rules - PowerShell | Microsoft Docs
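
An added example (not part of the original answer) combining the environment-variable mapping and the credential set-up described above into one script. The variable names TASK_USER and TASK_PASSWORD and the helper New-TaskCredential are assumptions chosen for this sketch; the task name, trigger and action are taken from the question.

```powershell
# Added example. TASK_USER and TASK_PASSWORD are assumed names, mapped in the
# task's Environment section:
#   TASK_USER     = $(PlainTextUserIdVariable)
#   TASK_PASSWORD = $(PasswordFromKeyVault)
$ErrorActionPreference = 'Stop'

function New-TaskCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$EnvVarName
    )
    # Read the secret as data; it is never spliced into the script text,
    # so characters such as $ ` " ; in the password are not parsed as PowerShell.
    $plain = [Environment]::GetEnvironmentVariable($EnvVarName)
    if ([string]::IsNullOrEmpty($plain)) {
        throw "Environment variable '$EnvVarName' is empty; check the task's Environment mapping."
    }
    # A macro the agent could not resolve is left as the literal text $(Name).
    if ($plain -match '^\$\(.+\)$') {
        throw "Environment variable '$EnvVarName' holds an unresolved pipeline macro."
    }
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    New-Object System.Management.Automation.PSCredential($UserName, $secure)
}

$cred = New-TaskCredential -UserName $env:TASK_USER -EnvVarName 'TASK_PASSWORD'

$taskParams = @{
    TaskName    = 'HelloNewTaskWorld'
    Description = 'Testing AzureDevOps ability to deploy a fully configured scheduled task'
    Trigger     = New-ScheduledTaskTrigger -At 10:02am -Daily
    Action      = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument 'C:\PowershellScripts\Somescript.ps1'
    User        = $cred.UserName
    # Task Scheduler needs the clear-text password once to store the logon.
    Password    = $cred.GetNetworkCredential().Password
    Force       = $true
}
Register-ScheduledTask @taskParams | Out-Null

# Drop the secret from this process so processes started later do not inherit it.
Remove-Item Env:TASK_PASSWORD
```

Registering with -User and -Password in a single call stores the task with a password logon, so no separate Set-ScheduledTask step is needed.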