Royal TS and Passwordstate integration - Credential on demand

I have been using the Passwordstate integration that was shared on here for a while now, but it has been decided that bulk-calling the passwords is now a "security risk" without auditing on, and I have switched off the -preventauditing flag which was blocking it.


Now it creates a massive trail of password accesses, even for credentials I don't need, because the dynamic folder grabs everything.


Is it possible to have an "on demand" method where I put the name of the credential in the "specify a credential by name" option and that gets passed through to Passwordstate using Get-PasswordStatePassword -Name $credential?


It would just make it much cleaner from a security and auditing point of view if it only ever asks for the credentials I want to use. I know what the names are in the Passwordstate database and I can put that into the field in Royal TS, but it just fails if the whole dynamic folder isn't populated; it doesn't try and query on demand, as it were.


Hi Matthew,


You can use the Dynamic Credential script and Dynamic Credential objects to get the username/password on demand:

https://docs.royalapps.com/r2021/scripting/rjson/dynamic-credentials.html


Regards,

Stefan

I can see that, but I can't see a way to actually use a dynamic credential. The script that was published for Passwordstate seems to have a default entry in dynamic credential, and I can't see any way of "using" a dynamic credential in any of my objects; dynamic credential doesn't seem to exist as an option?

Also, that's still going to create a huge list of entries, as it will query the Passwordstate server via the API to get an entire list of the credentials every time, which again defeats what I am trying to achieve.


The ideal solution is that I specify the credential name in the object (SSH, RDP, web page) and ONLY when I go to use that credential does it query it from the server.

Hi Matthew,


Our sample scripts are mostly contributed by other users, as we are not familiar with all the products out there. The scripts these users provided worked for their use case but may not work for yours. Since these scripts are all open source, you can tweak them to your needs and optionally create a pull request and share your solution with other users.


If the list is too long and you want to have a custom filter or assign specific credentials to the objects (based on some conventions), you may need to adapt the script to your needs.


Regards,
Stefan

Thanks Stefan. What I am trying to get to, before I start learning the "how" with your scripting language, is whether it's even possible.


The aim is that when I open a connection, it queries the remote password manager at that point and only gets the password for the credential name specified?


I don't want to start down this road of investigating it and trying to make a script, only to find that the mechanics of Royal TS do not allow that.

Hi Matthew,


As far as I understand your scenario/use case, it should be possible to do what you want if you have a way to assign a dynamic credential (by ID or name) to a connection object in the script. It all boils down to whether you can get all the information you need to make the connection and credential at the time the dynamic folder script runs. This depends on your configuration / data set.


Regards,
Stefan

Hi Stefan,


I am just really struggling with the syntax and how to even consume a dynamic credential. I know how to set the system to use a named credential on a connection, and that I can use the token "$CredentialName$" to represent that in a script (PowerShell or JSON etc.).


What I am very unclear on is the actual HOW to make a dynamic credential, so that when I double-click on the SSH or RDP or whatever session, it goes to that dynamic credential and then queries the remote system.


I assume I need to somehow have a list of dynamic credentials that I then name in the already existing connection, but I am just very unclear on exactly how to get to that point. The documentation for someone starting out with this is very unclear.

Not 100% sure where you need clarification. Just to ensure we are on the same page, and to clarify on a high level what needs to be done to make this work:

* The dynamic folder script creates all the objects (connection objects and dynamic credential objects). The JSON output of the script is parsed and Royal TS creates the objects.

* The connection objects refer to the dynamic credential objects you create by the dynamic folder script (as mentioned before based on some information/convention).

* The connection objects can use the replacement tokens $EffectiveUsername$ and $EffectivePassword$ as usual.

* The dynamic credential script will be executed upon connect, when the credentials are needed, and provide the JSON output for the username and password as documented.


Does this make sense?

Thanks Stefan, so I need to recreate my objects in the dynamic folder as well; I can't just use my existing objects and refer to a dynamic credential, is what I think you're saying from the above.


So I create connection object A inside the dynamic folder with all the details I need for that connection, I attach a dynamic credential object to this object, and then when I use connection object A it will invoke the dynamic credential script/object and get the details.


Now my problem really comes because your objects are JSON and the script to get the passwords is PowerShell. I am starting to think this whole thing might be a little beyond what I am currently capable of doing.

The problem I have with the current Passwordstate integration is that it queries the ENTIRE password list when Royal TS starts up. I have well in excess of 900 existing objects in my existing Royal TS file; what I was doing was making each one "look up" based on a credential name that was listed in the dynamic folder.


Getting 900 different passwords from the file every time Royal TS starts up is obviously generating a huge amount of logged access requests for passwords in the management tool, as it has recently been forced to full auditing (can't get the list anonymously anymore).


I don't think I can make it do what I need to from what you have said above, so it's back to copying and pasting passwords :)

You can actually use dynamic credentials from a dynamic folder on "non-dynamic" connections (which you create manually). This is a supported scenario/use case. Most dynamic folder scripts take care of everything. Not sure about the PasswordState script.


I can understand that this might be overwhelming for users without scripting experience. Dynamic folders is clearly a more "advanced" feature. Once you know how it works, it can be very flexible.


I've seen you already contacted the original author of the script. I think that's the best way going forward, and hopefully he can help. You may also post an issue in the GitHub repo if you have an account there, in case someone else picks it up:

https://github.com/royalapplications/toolbox/issues

Okay, I made some progress and have managed to get it to do a query based on the $DynamicCredential.EffectiveID$ token; I can see my request being processed in the auditing field.


What I am struggling with now is how to get the returned values back into the same dynamic credential to update it so that the connection can use the information.


Everything I have tried so far, I have not been able to get the username and password back into the dynamic credential so that my connection can use it.
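To make Stefan's four-step outline concrete, and to show what the dynamic credential script has to return so the username and password end up "back in" the dynamic credential (the problem in the last post above), here is an added example from the editor. It is not the toolbox Passwordstate script, not Royal TS's own code, and was not posted in this thread. The rjson property names it uses (Objects, Type, ID, CredentialID, ComputerName, TerminalConnectionType, and a Username/Password object returned by the credential script) follow the linked dynamic-credentials documentation as I recall it and should be checked against that page; the Get-PasswordStatePassword -Name call is the one used in the question, and its UserName/Password output properties are an assumption about the installed module. The host inventory is constructed.

```powershell
# Added example for this thread (not the toolbox script or Royal TS's own code).
# Royal TS runs two separate scripts, pasted into two separate slots of the dynamic folder:
#   Get-DynamicFolderJson      -> Dynamic Folder script: emits the objects, never contacts Passwordstate
#   Get-DynamicCredentialJson  -> Dynamic Credential script: runs on connect, for ONE credential only
# Assumptions: rjson property names are taken from the linked docs as recalled (verify them);
# Get-PasswordStatePassword -Name comes from the question and its UserName/Password output
# properties are assumed to match the installed module.

function Get-DynamicFolderJson {
    # Constructed inventory standing in for a CSV/CMDB export. Convention used here:
    # the dynamic credential ID *is* the Passwordstate entry name, so no mapping table is needed.
    $inventory = @(
        [pscustomobject]@{ Name = 'web01'; Host = 'web01.example.internal'; Protocol = 'SSH'; Cred = 'svc-web-admin' }
        [pscustomobject]@{ Name = 'web02'; Host = 'web02.example.internal'; Protocol = 'SSH'; Cred = 'svc-web-admin' }
        [pscustomobject]@{ Name = 'dc01';  Host = 'dc01.example.internal';  Protocol = 'RDP'; Cred = 'svc-domain-admin' }
    )

    $objects = [System.Collections.Generic.List[object]]::new()

    # One DynamicCredential object per distinct credential name. Only a name and an ID are emitted;
    # the password is fetched later, on connect, by Get-DynamicCredentialJson.
    foreach ($credName in ($inventory.Cred | Sort-Object -Unique)) {
        $objects.Add([ordered]@{
            Type = 'DynamicCredential'
            Name = "Passwordstate: $credName"
            ID   = $credName   # delivered to the credential script as $DynamicCredential.EffectiveID$
        })
    }

    foreach ($item in $inventory) {
        $conn = [ordered]@{
            Name         = $item.Name
            ComputerName = $item.Host
            CredentialID = $item.Cred   # refers to the DynamicCredential above; $EffectiveUsername$/$EffectivePassword$ resolve through it
        }
        switch ($item.Protocol) {
            'SSH'   { $conn.Type = 'TerminalConnection'; $conn.TerminalConnectionType = 'SSH' }
            'RDP'   { $conn.Type = 'RemoteDesktopConnection' }
            default { throw "unsupported protocol '$($item.Protocol)' for $($item.Name)" }
        }
        $objects.Add($conn)
    }

    # Royal TS parses whatever the script writes to stdout, so this must be the only output.
    [ordered]@{ Objects = $objects } | ConvertTo-Json -Depth 5
}

function Get-DynamicCredentialJson {
    param([Parameter(Mandatory)][string]$CredentialId)

    # Royal TS replaces $DynamicCredential.EffectiveID$ in the script text before running it, so
    # $CredentialId arrives as the plain Passwordstate entry name. Exactly one entry must match:
    # a missing or ambiguous name fails loudly instead of handing the connection the wrong account.
    try {
        $entries = @(Get-PasswordStatePassword -Name $CredentialId -ErrorAction Stop)
    }
    catch {
        Write-Error "Passwordstate lookup for '$CredentialId' failed: $_"
        exit 1
    }
    if ($entries.Count -ne 1) {
        Write-Error "expected exactly one Passwordstate entry named '$CredentialId', got $($entries.Count)"
        exit 1
    }

    # This JSON on stdout is how the username/password get back into the dynamic credential.
    # Nothing else may be written (no Write-Host, no progress), or Royal TS cannot parse the result.
    [ordered]@{
        Username = $entries[0].UserName
        Password = $entries[0].Password
    } | ConvertTo-Json -Compress
}

# Dynamic Folder script slot:
Get-DynamicFolderJson
# Dynamic Credential script slot (keep the single quotes: Royal TS substitutes the token, not PowerShell):
# Get-DynamicCredentialJson -CredentialId '$DynamicCredential.EffectiveID$'
```

The audit effect is the point of the split: reloading the dynamic folder produces no Passwordstate access at all, however many connection objects it contains, because the folder script only emits names and IDs. Each connect then causes exactly one audited lookup, for the one credential the connection references. As Stefan notes above, manually created connections can also point at the DynamicCredential object the folder script emits, so the existing objects do not necessarily have to be recreated inside the dynamic folder. Whether the entry name is unique in Passwordstate is worth checking, since the script deliberately refuses to return anything when a name matches more than one entry.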
