One of the things I like to do on this site is to share handy PowerShell scripts.
After all PowerShell allows for automation thus making life easier and who wouldn’t want an easy life?
Quite often PowerShell scripts need to pass credentials to remote systems/services; for example logging onto an ESXi host or a vCenter server to perform a task or two.
How do we handle those credentials? Preferably not in plain text…
Enter Credential Manager.
Overview
Credential Manager
Credential Manager is accessed via Windows control panel:
The advantages of using Credential Manager to store our PowerShell credentials are as follows:
Credentials stored in credential manager are:
- Associated with each Windows user account and not transferable between users
- Not generally transferable between computers (possible if using roaming profiles)
- Accessible from a full-windows environment that has Credential Manager built in (EG not in WinPE)
- Relatively easily accessible from PowerShell
To expand on points 1. and 2. above, remember when running a PowerShell script containing credentials, the credentials referenced must be available to the user account running the script. For example, when running a PowerShell script as a scheduled task running under the local administrator account, the credentials must be available to the local administrator account used.
PowerShell Module Installation
To access credentials stored in Credential Manager from PowerShell we need to install a PowerShell Module. The module is available here in the PowerShell Gallery.
Installation is simple enough:
Install-Module -Name CredentialManager
That’s it. Restart your PowerShell session to automatically load the module.
Saving Credentials
Instead of using Credential Manager GUI to add credentials, the New-StoredCredential command can be used as follows.
As a bonus, teaming New-StoredCredential with Get-Credential pops up the credential request window for easy entry:
New-StoredCredential -Target "TEST" -Persist "LocalMachine" -Credentials $(Get-Credential) | Out-Null
Enter credentials as normal and click OK.
Checking Credential Manager afterwards:
Retrieving Credentials
Again using PowerShell, credentials can be retrieved using Get-StoredCredential command as follows:
Get-StoredCredential -Target "TEST"
Using Credentials
So how do we use the credentials that we can recover from Credential Manager? For example, how can we use the recovered credentials to, say, logon to a VMware vCenter server?
In the following example, we will recover and use the following credential:
The two line script is as follows:
$Credentials = Get-StoredCredential -Target "vSphere-Admin"
Connect-VIServer -Server "vcenter.local" -Credential $CredentialsYep that works nicely:
Simple!
Deleting Credentials
Finally, credentials can be deleted using Remove-StoredCredential command as follows:
Remove-StoredCredential -Target "TEST"
Checking Credential Manager:
Yep, our test credential has been deleted.
PowerShell Core on Linux
As Linux does not have a equivalent Credential Manager, we need to get creative when handling credentials in PowerShell core on Linux.
As luck would have it, a work around is available. What’s more is that we documented and used the workaround in part three of the UPS Triggered Shut Down of ESXi from Raspberry Pi series HERE.
Conclusion and Wrap Up
A solution to implement and manage PowerShell credentials does exist. What’s more it’s simple to use.
No more storing credentials in plain text inside scripts.
-Chris