PowerShell AzureRM命令-避免Save-AzureRMProfile中的过期 [英] PowerShell AzureRM commands -- avoiding expiry in Save-AzureRMProfile

问题描述

我已经使用 AzureRM Commandlet自动化了Azure部署.这些命令行开关需要登录，因此我尝试使用 Save-AzureRMProfile / Select-AzureRMProfile 提供保存的配置文件.

I have automated an Azure deployment using AzureRM commandlets. Those commandlets need a login, so I tried to provide a saved profile using Save-AzureRMProfile/Select-AzureRMProfile.

但是一段时间后，配置文件似乎已过期，我需要再次登录.我想按计划自动运行脚本，因此手动重新登录不是解决方案.

However after some time profile seems to expire and I need to login again. I want to run my script automatically on a schedule, so manual re-login is not a solution.

如何避免个人资料过期?

How can I avoid the profile expiry?

推荐答案

简单的答案是您无法避免过期，令牌已过期，需要重新进行身份验证.(如果保留这些凭据，将令人担忧)-但是

The simple answer is that you can't avoid the expiry, your token expires and needs to be reauthenticated. (it would be worrying if those credentials could be persisted) - However

Add-AzureRmAccount 确实具有伪参数.因此，您可以将凭据保存到文件中，而是每次都使用实时凭据自动登录.

Add-AzureRmAccount does take a pscredential parameter. So you can save your credentials to a file and instead automatically log in with live credentials every time.

您只能使用标准的pscredential保存机制，这给您带来的问题是pscredential不可传输，要解决此问题，您可以创建自己的密钥以传递给pscredential.

You can just use the standard pscredential save mechanisms, the problem in this for you is that a pscredential isn't transportable, to get around this you can create your own key to pass to pscredential.

$key = New-Object byte[](32)
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
$rng.GetBytes($key)

然后可以使用此密钥创建可传输的安全字符串.显然，此密钥是您此时的身份验证，因此需要安全地存储它.

You can then use this key to create a transportable secure string. Obviously this key is your authentication at this point, so it needs to be stored securely.

$cred = Get-Credential
$SecureStringWithKey = $cred.Password | ConvertFrom-SecureString -Key $key

您可以使用base64对密钥进行编码，并将其添加为环境变量等

You can encode the key with base64 and add it as an environment variable etc

$base64key = [Convert]::ToBase64String($key)  

在另一端，解码字符串

$key  = [System.Convert]::FromBase64String($base64key)

并通过SecureString将其推回，并重建凭证对象.

and push it back through SecureString, and rebuild a credential object.

$secureStringPassword = $AuthObject.SecureStringWithKey | ConvertTo-SecureString -Key $key 
$cred = new-object -typename System.Management.Automation.PSCredential `
             -argumentlist $Username, $secureStringPassword

然后您可以使用

Add-AzureRmAccount -Credential $cred

我个人的所有方法是创建一个保存了所有详细信息的psobject(它们的密钥，tenantid和pscredential)以创建json字符串，然后使用证书对其进行加密.这样，我可以将加密的json文件存储在Blob中，然后在我所使用的任何系统上下载，解密和登录.

My personal approach to all of this was to create a psobject with all of those details saved, (they key, the tenantid, and the pscredential) to create a json string, and then encrypt that with a certificate. That way I can store the encrypted json file on a blob, and download, decrypt and sign in on any system I'm sat at.

这篇关于PowerShell AzureRM命令-避免Save-AzureRMProfile中的过期的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！