We have created an automated process to stand up a new SQL Server using TFS and powershell. As part of a new server build, we deploy a database and a set of jobs for dba use. As part of the install we need to create a credential for a sql agent proxy for some of our jobs. However, we don't want to store in passwords in code.
Is there a solution to storing passwords (or generating a password) where we aren't storing it in plain text or in line in the code?
Our servers are on-prim, not in Azure. We have access to Keepass, but that is being deprecated for Thycotic.
Best Answer
You can leverage PowerShell and the Thycotic REST API to fetch your credentials from Secret Server programmatically. Use "Windows Authentication" to avoid having to store credentials in the PowerShell scripts, or enter them during runtime.
If your deployments run under a build agent service account context, then you need to ensure that service account has access in Secret Server to the credentials you want to access.
Leveraging the API as a step in your release prior to deploying the SQL credential, you can fetch the credential and pass it to the PowerShell script that deploys the credential.