Details
Description
Basic Info
Module Version: dsc and dsc-lite
Puppet Version: 5.5.x and up
OS Name/Version: Windows
The DSC and DSC-lite modules both evaluate an ERB script containing PowerShell and in the process interpolate credentials needed to manage resources such as the dsc_user. However, when running with puppet agent -td, the PowerShell script with interpolated credentials is output to the console and captured in the report. For example, given the manifest:
dsc_user { 'jane-doe':
  dsc_username => 'jane-doe',
  dsc_description => 'Jane Doe user',
  dsc_ensure => present,
  dsc_password => {
    'user' => 'jane-doe',
    'password' => Sensitive('jane-password')
  },
  dsc_passwordneverexpires => false,
  dsc_disabled => true,
}
results in:
C:\> puppet apply --debug manifest.pp
...
password = [PSCustomObject]@{'user' = 'jane-doe'; 'password' = 'jane-password'} | new-pscredential
We should not expose credentials, which I think realistically means we shouldn't emit the PowerShell script to stdout/console.
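One way to keep the literal password out of debug output, and to audit output already captured, shown as an added example that is not code from the dsc or dsc-lite modules. The function names, the placeholder text and the sample log are assumptions made for illustration; the sample is constructed from the debug line quoted above.

```ruby
# Added example: not code from the dsc or dsc-lite modules.
# Assumption: the rendered script uses PowerShell single-quoted strings,
# where a literal quote is written as two quotes ('').

PLACEHOLDER = '[redacted]'

# A hashtable entry keyed 'password' whose value is a single-quoted literal.
PASSWORD_ENTRY = /(['"]?password['"]?\s*=\s*)'((?:[^']|'')*)'/i

# Return a copy of the script that is safe to pass to a debug logger.
# known_secrets: unwrapped Sensitive values the caller already holds.
def redact_ps_script(script, known_secrets = [])
  out = script.gsub(PASSWORD_ENTRY) { "#{Regexp.last_match(1)}'#{PLACEHOLDER}'" }
  known_secrets.each do |secret|
    next if secret.nil? || secret.empty?
    # Match the value both as PowerShell would quote it and verbatim.
    [secret.gsub("'", "''"), secret].uniq.each do |form|
      out = out.gsub(form, PLACEHOLDER)
    end
  end
  out
end

# Return the 1-based line numbers in captured log or report text that still
# carry a literal password value, for auditing output already written.
def leaked_password_lines(text)
  text.each_line.with_index(1).select do |line, _n|
    line.scan(PASSWORD_ENTRY).any? { |_prefix, value| value != PLACEHOLDER }
  end.map { |_line, n| n }
end

# Constructed sample modelled on the debug line quoted in the report.
SAMPLE = <<~LOG
  Debug: rendering resource script
  password = [PSCustomObject]@{'user' = 'jane-doe'; 'password' = 'jane-password'} | new-pscredential
  Debug: done
LOG

if __FILE__ == $PROGRAM_NAME
  puts redact_ps_script(SAMPLE, ['jane-password'])
  p leaked_password_lines(SAMPLE)
end
```

Redaction of the log line does not change the script handed to PowerShell; only the copy sent to the logger is rewritten.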
Issue Links
- relates to PUP-9637 Redacting Sensitive Data (Closed)