pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

Credential retrieval #366

Closed zamothh closed 3 years ago

zamothh commented 3 years ago

Summary

This PR implements direct credential retrieval when using the command Get-PASAccountPassword:

- I want to reduce code in my scripts to directly have a PsCredential Object
- I want to increase security by avoiding credentials getting stored in memory

Test Plan

PS C:\> $PASAccount | Get-PASAccountPassword   -AsPsCredential

UserName                          Password
--------                          --------
Administrator System.Security.SecureString

PS C:\> $PASAccount | Get-PASAccountPassword   -AsPsCredential -UserName "LocalServer\administrator"

UserName                        Password
--------                        --------
LocalServer\administrator       System.Security.SecureString

zamothh commented 3 years ago

I'm not sure why I have a failing test ... if someone can explain it to me ....

pspete commented 3 years ago

Hi @zamothh

Does the ToSecureString() method meet your need?

(Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToSecureString()

zamothh commented 3 years ago

Hi,

The securestring() object is not a PsCredential object. Ideally, what I have done with other products up to now is:

$Cred = Get-PASAccount -search "computername" | Get-PASAccountPassword -asPsCredential -username "myserver\administrator"
New-PSSession -ComputerName "myserver" -Credential $Cred

or

Invoke-restmethod -URI $URI -credential $cred

Directly having a credential object is very beneficial in coding automation

zamothh commented 3 years ago

Hi again ...

There is something else that I directly saw, and that is API related, rather than from psPAS. When doing the authentication, the only return data is the API token... But I guess each token has a lifespan, which is something I would like to have as metadata.

This would allow the user to be able to see that the token has expired before submitting the request.

Thanks for reading my mails :) Thomas

On Thu, 24 Jun 2021 at 15:03, ZaMotH @.***> wrote:

btw I work with Richard Eisenberger & Charley Jacob for Cisco ... I know that one of them told me he knew you ... not sure which one.

Thomas @.***

pspete commented 3 years ago

> I'm not sure why I have a failing test ... if someone can explain it to me ....

The help files have not been updated with the description of the added parameters. One of the module's tests ensures that each parameter is detailed in the help for the command.

pspete commented 3 years ago

> The securestring() object is not a PsCredential object.

Sure, but can be used to create a credential:

$Credential=New-Object -TypeName System.Management.Automation.PSCredential `
 -ArgumentList "UserName", (Get-PASAccount -id 330_5 | Get-PASAccountPassword).ToSecureString()

pspete commented 3 years ago

@zamothh - it may also be an option to just add a ToCredential() method to psPAS.CyberArk.Vault.Credential.Type.ps1xml which accepts username as a parameter i.e.

(Get-PASAccountPassword).ToCredential("SomeUser")

Thoughts?

NathanielMaier commented 3 years ago

> @zamothh - it may also be an option to just add a ToCredential() method to psPAS.CyberArk.Vault.Credential.Type.ps1xml which accepts username as a parameter i.e.
>
> (Get-PASAccountPassword).ToCredential("SomeUser")
>
> Thoughts?

Most account objects have a username property already - anyway this ToCredential() function could default to that value if not overridden?
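
A sketch of the ToCredential() idea discussed above, including the default-to-account-username behaviour suggested in this comment. It is an added example, not code from this PR or from psPAS: the type name Example.Vault.Credential, the UserName and Password properties and the sample values are assumptions, and it registers the methods with Update-TypeData instead of a ps1xml file.

```powershell
# Hypothetical type name standing in for the object a password-retrieval
# command returns; UserName and Password are assumed property names.
$typeName = 'Example.Vault.Credential'

Update-TypeData -TypeName $typeName -MemberType ScriptMethod -MemberName ToSecureString -Force -Value {
    # Copy the retrieved value into a read-only SecureString.
    # The plaintext string on the source object stays in memory until it is collected.
    $secure = [System.Security.SecureString]::new()
    foreach ($char in $this.Password.ToCharArray()) { $secure.AppendChar($char) }
    $secure.MakeReadOnly()
    $secure
}

Update-TypeData -TypeName $typeName -MemberType ScriptMethod -MemberName ToCredential -Force -Value {
    param([string]$UserName)
    # Fall back to the account's own username when the caller passes none.
    if ([string]::IsNullOrEmpty($UserName)) { $UserName = $this.UserName }
    if ([string]::IsNullOrEmpty($UserName)) {
        throw 'No username was supplied and the object has no UserName value.'
    }
    [System.Management.Automation.PSCredential]::new($UserName, $this.ToSecureString())
}

# Constructed sample object, not real vault output.
$retrieved = [PSCustomObject]@{
    PSTypeName = $typeName
    UserName   = 'Administrator'
    Password   = 'Constructed-Sample-Value'
}

# Default: the username comes from the object itself.
$default = $retrieved.ToCredential()

# Override: the caller supplies a qualified username for the target host.
$override = $retrieved.ToCredential('LocalServer\administrator')

# Show the resulting usernames and the password type of each credential.
$default, $override | Select-Object UserName, @{ Name = 'PasswordType'; Expression = { $_.Password.GetType().FullName } }
```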

zamothh commented 3 years ago

Should Work !

I am starting to look at this, and also at where and how to update the documentation

Thomas

zamothh commented 3 years ago

I'm used to Bitbucket, and I'm new to GitHub ... not the same interface.

I see that there are still some errors, I will try to look into that if I understand what needs to get done

zamothh commented 3 years ago

Hey, sorry for those multiple last-moment pushes. I won't modify the code anymore until you have a chance to review it. It looks much better than my initial commit. Thomas

pspete commented 3 years ago

Thanks for the contribution @zamothh 👍🏼

zamothh commented 3 years ago

I'm helping myself first, in this particular case. This is not the first PowerShell module I'm working on, and I am using platyPS myself on one of my projects.

Is there any timeline for merging dev to master ?

pspete commented 3 years ago

> Is there any timeline for merging dev to master ?

Done via #368