Retrieve ARS Workflow Parameter saved in SecureString - as plain text using PowerShell

Hi,

I'm writing a PowerShell script that connects via API to a vendor tool.

I want to save the password in the workflow as syntax type SecureString, so that the password's hidden in the workflow properties.

Per documentation the SecureString syntax used for storing workflow parameters:

the workflow definition stores the parameter value in encrypted form using an encryption key provided by the Active Roles service

I see that for some services, I can connect using a password stored this way; I guess if the API accepts a SecureString it works. For instance, if I get the parameter and then convert it with "ConvertTo-SecureString -String $StoredPW -AsPlainText -Force", then I can use the stored parameter for some APIs.

But now I'm working with an API that seems to really want the clear text password.

I've tried just sending the parameter value, and it fails. I've tried converting it with the command above (works with other APIs) and it fails.

Is there a command I can run in PowerShell to decrypt an ActiveRoles SecureString parameter in a workflow, to plain text?

Thanks,

  • Hi,

    I know this question is a bit older, but it may be helpful to someone else in the future. This works for me when I need to pass the password in clear text.

    This first piece only needs to be run whenever you generate the password file, or need to change the password. Also, when using ConvertTo-SecureString this way, the secure password can only be decrypted using the same computer and user account. Therefore I generate the one-time secure password file by way of a workflow* running the script, leaving the Run As option defaulting to the account running the Active Roles service, so that my regular scripts can decrypt it.

    ## GENERATING AND STORING A SECURED PASSWORD FOR FUTURE USE IN A FILE
    $clearTextPassword = 'yourPassword'
    ConvertTo-SecureString -String $clearTextPassword -AsPlainText -Force | ConvertFrom-SecureString | Set-Content C:\yourFolder\StoredPW

    Example of use in regular scripts.

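    ## RETRIEVING A STORED SECURED PASSWORD AND CONVERTING TO CLEARTEXT
    $securedPassword = Get-Content "C:\yourFolder\StoredPW" | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securedPassword)
    $retrievedClearTestPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Zero and free the unmanaged copy of the cleartext once the string has been read
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)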

    ## THIS CAN NOW BE USED IN AN SQL CONNECTION STRING
    $SqlConnection = New-Object System.Data.SqlClient.SqlConnection
    $SqlConnection.ConnectionString = "Data Source=YOUR_SQL_SERVER; Initial Catalog=YOUR_DATABASENAME; User Id=YOUR_SQL_LOGIN; Password=$retrievedClearTestPassword"

    I hope that helps someone.

    Thanks

    *OK, so the workflow isn't a perfect solution. I did parameterise the workflow, but the password is then stored as clear text in the Run History. For now I just alter the script and clear the password afterwards.
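
The file-based approach from the reply above, as an added example that is not part of the original posts: the store and retrieve steps are wrapped in two functions, the unmanaged cleartext copy is zeroed after use, and the decryption failure that occurs when the file is read by an account or computer other than the one that wrote it is reported with context. The function names `Save-ProtectedPassword` and `Get-PlainTextPassword`, the demo file name and the sample password are constructed for illustration.

```powershell
# Added example: function names are hypothetical, sample values are constructed.
function Save-ProtectedPassword {
    param([Parameter(Mandatory)][securestring]$Password,
          [Parameter(Mandatory)][string]$Path)
    # Without -Key/-SecureKey, ConvertFrom-SecureString protects the value with
    # DPAPI: only this user account on this computer can decrypt the result.
    $Password | ConvertFrom-SecureString | Set-Content -LiteralPath $Path
}

function Get-PlainTextPassword {
    param([Parameter(Mandatory)][string]$Path)
    $who = '{0} on {1}' -f [Environment]::UserName, [Environment]::MachineName
    try {
        $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        # Typical cause: the file was written under a different account or computer.
        throw "Cannot decrypt '$Path' as ${who}: $($_.Exception.Message)"
    }
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        # Emit the cleartext only at the point where the API call needs it.
        [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Zero and release the unmanaged copy of the cleartext.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $secure.Dispose()
    }
}

# Round trip with a constructed sample value. For a real secret, collect it with
# Read-Host -AsSecureString while running as the account that will decrypt it.
$demoFile = Join-Path $env:TEMP 'StoredPW.demo'
$sample   = ConvertTo-SecureString -String 'Constructed-Sample-1!' -AsPlainText -Force
Save-ProtectedPassword -Password $sample -Path $demoFile
$clear = Get-PlainTextPassword -Path $demoFile
"Round trip succeeded: $($clear -eq 'Constructed-Sample-1!')"

# Failure mode: a blob this account cannot decrypt (simulated here by truncation).
$blob = Get-Content -LiteralPath $demoFile
Set-Content -LiteralPath $demoFile -Value $blob.Substring(0, $blob.Length - 8)
try { Get-PlainTextPassword -Path $demoFile } catch { "Expected failure: $_" }
Remove-Item -LiteralPath $demoFile
```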