How to manage credentials in Guest Configuration / DSC v3?

[Cyr-Az]

Unless I entirely have missed some information, it looks like there is a change in how dsc v3 allows us to handle credentials...

The DSC v1 way of handling them was to encrypt the credentials inside the MOF using a certificate and configure LCM on target servers to use that same certificate to decrypt the (as documented here : https://learn.microsoft.com/en-us/powershell/dsc/managing-nodes/metaconfig?view=dsc-1.1#basic-settings ), but that doesn't seem possible in dsc v3 since there is no CertificateId property available in Guest Configuration's LCM settings ( https://learn.microsoft.com/en-us/rest/api/guestconfiguration/guest-configuration-assignments/create-or-update?tabs=HTTP#configurationsetting )

Azure Automation State Configuration / DSC v2 uses a special cmdlet ( Get-AutomationPSCredential ) to retrieve credentials from Azure Automation credentials before compiling and encrypting the mof, but that's not possible in dsc v3 because the mof is compiled on the authoring workstation.

So, what's the recommended way of managing credentials in dsc v3? I would very much like to see System Managed Identities used here as well, in conjunction with Key vaults; but I haven't seen anything pointing towards that capability. I've actually implemented a quick&dirty proof of concept of how to implement this at the resource level ( https://github.com/Cyr-Az/ActiveDirectoryDsc/commit/32ed2fe51d75a6e4f604faff7ec0e4c35d1e6574 ), but surely there is a better way of achieving this than modifying every single existing resource that needs credentials...

Thanks!

---

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 4b833aa1-931a-8b2e-dcd8-d2abda6e2401
• Version Independent ID: 2abb22c6-a677-0715-6875-b017f50c6ea3
• Content: Changes to behavior in PowerShell Desired State Configuration for machine configuration
• Content Source: articles/governance/machine-configuration/machine-configuration-custom.md
• Service: machine-configuration
• GitHub Login: @timwarner-msft
• Microsoft Alias: timwarner

[Naveenommi-MSFT]

@Cyr-Az Thank you for bringing this to our attention. I've delegated this to content author @timwarner-msft, who will review it and offer their insightful opinions.

[Naveenommi-MSFT]

@timwarner-msft Could you please review add comments on this, update as appropriate.

[timwarner-msft]

Hi @Cyr-Az. This is a response from my machine config/guest config program manager:

We don’t currently support the configuration of credentials. We flag this as a limitation in our documentation here: How to create custom machine configuration package artifacts | Microsoft Learn

Don't use secrets or confidential information in custom content packages.

We will be building out support for storing secrets within the next semester, as when we look at the migration journey from AADSC to machine config, this is considered a regression.

Thanks for asking the question! Kindest regards, Tim

[timwarner-msft]

please-close

[Cyr-Az]

Well that was easy to the miss/don't understand what it meant to its full extent, to say the least. At least I now have a clear answer, thanks :)