PowerShell Example via WinRPC

Additional Prerequisites

This example uses the IIS Management utility appcmd and expects it on PATH. The executable is located in C:\Windows\System32\inetsrv on any IIS-enabled server.

Using Admin Credentials

To update the 'Log On As' property on a Windows Scheduled Task, you will need a credential with the appropriate permissions, such as an Administrator account.

When attaching a PAM script to a record, you have the option to add a Resource Credential that is passed to the Gateway as part of the BASE64-encoded JSON data. The above credential will need to be attached as a Resource Credential.

As many Resource Credentials can be attached to a PAM script, knowing the UID of the Resource Credential you have attached helps ensure your script uses the correct one to update the Service's 'Log On As' property.
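The record lookup above is easy to get silently wrong: a mistyped UID, or a record of a different type, leaves `$AdminRecord` empty and the script then builds a credential from nothing. The following added example (not code from the original page or from the Gateway product) decodes a constructed payload of the same shape the script expects (an outer Base64 JSON document whose `records` field is itself Base64 JSON), selects the admin record by UID, and refuses to continue unless exactly one record matches and it has the `login`, `domainName` and `password` fields. The function names, the `UID-...` placeholders and all sample values are this example's own.

```powershell
# Added example (not part of the original page): decode the Gateway payload, then pick
# the attached Resource Credential by UID and fail loudly unless exactly one record
# matches and carries the fields the PSCredential needs.
$ErrorActionPreference = 'Stop'

function ConvertFrom-B64Json {
    param([Parameter(Mandatory)][string] $B64String)
    $Json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64String))
    return ($Json | ConvertFrom-Json)
}

function Select-ResourceCredential {
    param(
        [Parameter(Mandatory)][string] $RecordsB64,   # the nested Base64 JSON in $Params.records
        [Parameter(Mandatory)][string] $Uid,          # UID of the admin record attached to the script
        [string[]] $RequiredFields = @('login', 'domainName', 'password')
    )
    $Records = @(ConvertFrom-B64Json -B64String $RecordsB64)
    $Found = @($Records | Where-Object { $_.uid -eq $Uid })
    if ($Found.Count -ne 1) {
        throw "Expected exactly one Resource Credential with UID '$Uid', found $($Found.Count)"
    }
    foreach ($Field in $RequiredFields) {
        # A record of another type (or a wrong UID) shows up here as a missing property.
        if ([string]::IsNullOrEmpty($Found[0].$Field)) {
            throw "Resource Credential '$Uid' has no '$Field' property"
        }
    }
    return $Found[0]
}

# Constructed sample payload. All UIDs, names and passwords below are placeholders.
$SampleRecords = @(
    @{ uid = 'UID-OF-SOME-OTHER-RECORD'; login = 'svc-web';   domainName = 'corp.example'; password = 'placeholder-1' },
    @{ uid = 'UID-OF-ADMIN-RECORD';      login = 'iis-admin'; domainName = 'corp.example'; password = 'placeholder-2' }
)
$RecordsB64 = [System.Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes(($SampleRecords | ConvertTo-Json -Compress)))
$Outer = @{ userRecordUid = 'UID-OF-ROTATED-RECORD'; user = 'svc-web'; newPassword = 'placeholder-new'; records = $RecordsB64 }
$B64Input = [System.Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes(($Outer | ConvertTo-Json -Compress)))

# Same steps the post-rotation script performs, now with the checks above in the path.
$Params      = ConvertFrom-B64Json -B64String $B64Input
$AdminRecord = Select-ResourceCredential -RecordsB64 $Params.records -Uid 'UID-OF-ADMIN-RECORD'
$SecurePassword  = ConvertTo-SecureString $AdminRecord.password -AsPlainText -Force
$AdminCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$($AdminRecord.login)@$($AdminRecord.domainName)", $SecurePassword
Write-Debug "Admin credential built for $($AdminCredential.UserName)"   # log the user name only, never the password
```

With `$ErrorActionPreference = 'Stop'` the `throw` aborts the rotation script before any remote call is attempted, which is the behaviour you want when the wrong record is attached.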

Updating the IIS App Pool

Native IIS Management RPC commands are no longer available in modern versions of Windows Server; they last appeared in Windows Server 2008. However, the IIS management utility, appcmd, combined with Invoke-WmiMethod can achieve the same outcome.

$IISAppPoolName = '<App Pool Name>'
# Be sure to use single quotes around the app pool name, user, and password to avoid issues with special characters and spaces
$Command = "appcmd set apppool '$IISAppPoolName' /processModel.userName:'$($Params.user)' /processModel.password:'$($Params.newPassword)'"

Write-Debug "Updating IIS App Pool: $IISAppPoolName"
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -Command `"$Command`"" -ComputerName '<Target Machine>' -Credential $AdminCredential
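Two things the snippet above leaves to the reader: a value containing a single quote (a rotated password can) ends the quoted literal early and can turn the rest of the password into extra appcmd switches, and the `Invoke-WmiMethod` result is never inspected, so a failed `Win32_Process.Create` goes unnoticed. The following added example (my code, not the page's or the product's) builds the remote script with single quotes doubled, passes it to `powershell.exe` through `-EncodedCommand` so the nested quoting of `-Command "..."` disappears, checks the documented `Win32_Process.Create` return value, and waits for the remote process to exit. The function names are this example's own; `<Target Machine>`, `<App Pool Name>` and `$AdminCredential` are the page's placeholders.

```powershell
# Added example (not part of the original page): run appcmd on the target through
# Win32_Process.Create with -EncodedCommand instead of -Command, so quotes in the
# values cannot break the command line, and verify that the process was created and finished.
$ErrorActionPreference = 'Stop'

function ConvertTo-SingleQuotedLiteral {
    # Wrap a value in a PowerShell single-quoted literal; the only escape needed is '' for '.
    param([Parameter(Mandatory)][string] $Value)
    return "'" + ($Value -replace "'", "''") + "'"
}

function New-AppPoolIdentityScript {
    # Builds the script that will run on the target. Full path rather than PATH lookup;
    # appcmd lives in %windir%\System32\inetsrv on any IIS-enabled server.
    param(
        [Parameter(Mandatory)][string] $AppPoolName,
        [Parameter(Mandatory)][string] $UserName,
        [Parameter(Mandatory)][string] $Password
    )
    $AppCmd = '"$env:windir\System32\inetsrv\appcmd.exe"'
    return ('& {0} set apppool {1} /processModel.userName:{2} /processModel.password:{3}' -f
        $AppCmd,
        (ConvertTo-SingleQuotedLiteral $AppPoolName),
        (ConvertTo-SingleQuotedLiteral $UserName),
        (ConvertTo-SingleQuotedLiteral $Password))
}

function Invoke-RemoteAppPoolUpdate {
    param(
        [Parameter(Mandatory)][string] $ComputerName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential] $Credential,
        [Parameter(Mandatory)][string] $Script,
        [int] $TimeoutSeconds = 60
    )
    # powershell.exe -EncodedCommand expects Base64 of the UTF-16LE bytes of the script.
    $Encoded = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
    $CommandLine = "powershell.exe -NoProfile -NonInteractive -EncodedCommand $Encoded"

    $Result = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $CommandLine `
        -ComputerName $ComputerName -Credential $Credential
    # Win32_Process.Create return values: 0 success, 2 access denied, 3 insufficient
    # privilege, 8 unknown failure, 9 path not found, 21 invalid parameter.
    if ($Result.ReturnValue -ne 0) {
        throw "Win32_Process.Create failed on $ComputerName with return value $($Result.ReturnValue)"
    }
    Write-Debug "Started remote process $($Result.ProcessId) on $ComputerName"

    # Create returns as soon as the process starts; wait until it has exited so the
    # caller does not report success while appcmd is still running.
    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $Deadline) {
        $Proc = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($Result.ProcessId)" `
            -ComputerName $ComputerName -Credential $Credential
        if (-not $Proc) { return $Result.ProcessId }
        Start-Sleep -Seconds 2
    }
    throw "Remote process $($Result.ProcessId) on $ComputerName did not exit within $TimeoutSeconds seconds"
}

# Offline demonstration with constructed values; no remote call is made here. The generated
# script contains /processModel.password:'it''s-a-placeholder', i.e. the quote is doubled.
$Demo = New-AppPoolIdentityScript -AppPoolName 'Default Web Site Pool' -UserName 'CORP\svc-web' -Password "it's-a-placeholder"
Write-Debug "Generated a $($Demo.Length)-character remote script"   # do not log the script itself: it holds the password

# Real use, with the page's placeholders and the PSCredential built from the attached Resource Credential:
# $Script = New-AppPoolIdentityScript -AppPoolName '<App Pool Name>' -UserName $Params.user -Password $Params.newPassword
# Invoke-RemoteAppPoolUpdate -ComputerName '<Target Machine>' -Credential $AdminCredential -Script $Script
```

Three caveats worth knowing before adopting this. `Win32_Process` does not expose the exit code of the process it created, so "the process exited" is all the wait loop can confirm; appcmd's own success or failure has to be verified separately. The new password still travels on the remote command line, just Base64-wrapped, so it is visible in process-creation telemetry (Security event 4688 with command-line auditing, Sysmon event 1) exactly as with the `-Command` form, and encoded command lines are a common detection trigger, so register the Gateway host's rotation job with the SOC rather than muting the rule. Finally, a value containing a double quote is handed to a native executable unescaped by Windows PowerShell 5.1, which this example does not work around; keep that character out of the rotation's password policy or handle it for appcmd's parser. `Invoke-WmiMethod` and `Get-WmiObject` exist only in Windows PowerShell; under PowerShell 7 the equivalents are `Invoke-CimMethod` and `Get-CimInstance` over a CIM session.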

Full Example

[CmdletBinding()]
param (
    [Parameter(ValueFromPipeline=$true)]
    [string]
    $B64Input
)

$ErrorActionPreference = "Stop"
$DebugPreference = 'Continue'

function ConvertFrom-B64 {
    param (
        [string] $B64String
    )

    try {
        $Json = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($B64String))
        $Output = $Json | ConvertFrom-Json
    }
    catch {
        Write-Error "Failed to convert Base64 string: $B64String"
    }
    return $Output
}

# The JSON data is passed to the Gateway as a Base64 encoded string.
$Params = ConvertFrom-B64 -B64String $B64Input
Write-Debug "Running Post-Rotation Script on: $($Params.userRecordUid)" 

# Convert the attached Resource Records from Base64 encoded JSON string and find the 
# Admin Record we need to update the Service's `Log On As` property by filtering by the 
# Admin Record's UID.
$ResourceCredentials = ConvertFrom-B64 -B64String $Params.records
$AdminRecord = $ResourceCredentials | Where-Object { $_.uid -eq 'ybZ49jWPtiFtnjsCwIgmUg' }

# Each record type will have a different JSON structure. In this instance, we are using 
# a PAM Directory record type, so we need to build the username from the `login` and 
# `domainName` properties.
try {
    $SecurePassword = ConvertTo-SecureString $AdminRecord.password -AsPlainText -Force
    $AdminCredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$($AdminRecord.login)@$($AdminRecord.domainName)", $SecurePassword
    Write-Debug "New PSCredential created for: $($AdminRecord.login)" 
}
catch {
    Write-Error "Failed to create PSCredential for: $($AdminRecord.login)"
}

$IISAppPoolName = '<App Pool Name>'
# Be sure to use single quotes around the app pool name, user, and password to avoid issues with special characters and spaces
$Command = "appcmd set apppool '$IISAppPoolName' /processModel.userName:'$($Params.user)' /processModel.password:'$($Params.newPassword)'"

Write-Debug "Updating IIS App Pool: $IISAppPoolName"
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -Command `"$Command`"" -ComputerName '<Target Machine>' -Credential $AdminCredential
