1

When I use the method mentioned in this thread, PowerShell's Invoke-RestMethod equivalent of curl -u (Basic Authentication), I could get connected to the REST API without a 401 error.

However, currently I am giving my password in plain text.

I want a way to use a Hash of my password and then use it in the script.

The script should then be able to decrypt it too. But I don't want others who have access to the script to be able to decrypt it.

So I don't want to expose the decryption algorithm to anyone either.

Proposed method I am thinking of: Combine existing HASH algorithms in a mixed random way (by feeding the HASH of one algorithm to another) which only I know and then have a custom PowerShell function/cmdlet/whatever in the script which knows how to decrypt.

Is there a simpler and better way?

Before I try the proposed method I would like to hear from others on any better ways.

Entire script is as below.


$User = "domain\userName"
$uri = "https://TeamProjectCollectionURI/TeamProjectName/_apis/build/builds"
$securePassword = ConvertTo-SecureString 'PasswordWhichContains$asWell' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($User, $securePassword)
# Basic auth value is base64 of "user:password"
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $User,$credential.GetNetworkCredential().Password)))
$response = Invoke-RestMethod -Method Get -Uri $uri -Credential $credential -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} -ContentType application/json
$response

ldz

2 Answers

0

You can pass a username and password (masked as a secret variable) through PowerShell into a PSCredential object and use the -Credential switch when invoking the REST method:

$securePassword = $Password | ConvertTo-SecureString -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($User, $securePassword)
$releaseresponse = Invoke-RestMethod -Method Get -Credential $credential -ContentType application/json -Uri $Uri

For more details, please refer to this blog: VSTS/TFS REST API: The basics and working with builds and releases

PatrickLu-MSFT
  • Dear Patrick, Thanks for your comment. $Password is a variable and the actual password needs to be given in the script itself right? I don't want to expose my password in the script. – Baskar Lingam Ramachandran Sep 23 '16 at 14:43
  • I tried it. It works. I tried to store the encrypted string in the script and use it, but I am facing an issue with it. However, when I store it in a file and then read it in the script, it works. This link is the reference: http://www.adminarsenal.com/admin-arsenal-blog/secure-password-with-powershell-encrypting-credentials-part-1/ I am trying to use a secure approach with the -securekey option as explained in part 2 of the above-mentioned blog. – Baskar Lingam Ramachandran Sep 28 '16 at 09:44
  • Sometimes I will get "401 Unauthorized" exception, so I changed the script into `Invoke-RestMethod -Method Get -UseDefaultCredentials -ContentType application/json -Uri $Uri`. It works for me. – Mystic Lin Feb 14 '18 at 02:22
0

You can convert your password to an encrypted string and use the encrypted string in your PowerShell script.

Convert to encrypted string:

$securePassword = ConvertTo-SecureString "Yourpassword" -AsPlainText -Force

$encryptedPwd = ConvertFrom-SecureString -SecureString $securePassword

Write-Host $encryptedPwd

Record the generated encrypted string and use it in your script.

$securePassword = ConvertTo-SecureString -String "Encrypted String"
Eddie Chen - MSFT
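
As an added example (not part of either answer), the encrypted-string approach from the second answer can be combined with the file storage mentioned in the comments. It assumes Windows, where `ConvertFrom-SecureString` without a key protects the value with DPAPI for the current user on the current machine, so a copy of the script and file is not enough for another account to decrypt it; the file path and function names are hypothetical.

```powershell
# Added example, not from the original answers. Assumes Windows, where
# ConvertFrom-SecureString without -Key/-SecureKey uses DPAPI bound to the
# current user account and machine. Path and function names are hypothetical.

$credFile = Join-Path $env:LOCALAPPDATA 'tfs-build-cred.txt'   # hypothetical location

function Save-ApiPassword {
    param([string]$Path)
    # Prompt interactively so the password never appears in the script or its history.
    $secure = Read-Host -Prompt 'Password' -AsSecureString
    # The output is a protected string that only this user on this machine can reverse.
    ConvertFrom-SecureString -SecureString $secure |
        Set-Content -LiteralPath $Path -Encoding ASCII
}

function Get-ApiCredential {
    param([string]$User, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "No stored password at $Path; run Save-ApiPassword first."
    }
    try {
        # Decryption fails when run under another account or on another machine.
        $secure = Get-Content -LiteralPath $Path -ErrorAction Stop |
            ConvertTo-SecureString -ErrorAction Stop
    }
    catch {
        throw "Stored password cannot be decrypted by this account on this machine: $($_.Exception.Message)"
    }
    New-Object System.Management.Automation.PSCredential($User, $secure)
}

# One-time setup, run interactively as the account that will run the script:
#   Save-ApiPassword -Path $credFile

# In the script itself (user name and URI are the placeholders from the question):
$User = 'domain\userName'
$uri  = 'https://TeamProjectCollectionURI/TeamProjectName/_apis/build/builds'
$credential = Get-ApiCredential -User $User -Path $credFile
$response = Invoke-RestMethod -Method Get -Uri $uri -Credential $credential -ContentType 'application/json'
$response
```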