
New module release?

Open rvdwegen opened this issue 1 year ago • 10 comments

Hi,

I can see some work being done in the code to allow you to set a custom location for the config.json. I'm currently trying to get the module working unattended in an Azure Function app and I suspect that that is the last little detail I need to get that working.

Is there a release coming soon that includes these changes?

Thanks!

rvdwegen, Dec 03 '24 07:12

The upcoming version of the .Net SDK, 1.1.x, contains a lot of changes. Some of them are breaking. We would like to keep it in beta state for a while.

The .Net SDK has supported a custom config.json file location from the very beginning. Or do you mean PowerCommander, the PowerShell scripts?

The following repo contains sample code that works in the Azure environment. Unfortunately Keeper does not support it anymore and any documentation on how to set it up was deleted. https://github.com/Keeper-Security/keeper-sdk-examples/tree/main/AzureAdminAutoApprove

sk-keeper, Dec 04 '24 18:12

Specifically PowerCommander, yes.

rvdwegen, Dec 05 '24 06:12

The Connect-Keeper command has supported the -Config parameter since the 0.9.14 release.

sk-keeper, Dec 06 '24 01:12

So that unfortunately was not the magic bullet. I'm now running into a "Non-interactive session detected" message. All I need here is to get PowerCommander working unattended, non-interactively, in either Azure Runbooks or a (PowerShell based!) Azure Function app.

I've been at this through various tickets for nearly two months now and frankly I'm tired. Surely this cannot be allowed to be this difficult.

First we ran into the issue that the PowerShell module could apparently not generate a config.json. So we used Commander.exe to generate one. Then we ran into compatibility issues with having the Az module and PowerCommander run side by side. Now I'm running into that stupid "Non-interactive session detected" which I suspect is really just hiding a different issue, because surely you should be able to use a PowerShell module non-interactively!

I recommended Keeper to my MSP because I was a happy personal user of the product. I saw it had a PowerShell module, so I stupidly assumed integrating it into our processes would be a breeze. I would not make that recommendation a second time at this point.

Your support was only able to tell me something to the effect of "azure runbooks/function apps are not officially supported". So let me rephrase the question to you @sk-keeper in a more direct way.

Can I currently, or will it be possible in any sort of near future (2 months?), use PowerCommander to authenticate to and manage our Keeper vault without human interaction in either an Azure runbook or a PowerShell based Azure Function app?

rvdwegen, Dec 06 '24 10:12

The Keeper login process is inherently interactive. The login may be interrupted up to 3 times by the backend:

  1. Email verification (optional)
  2. 2FA (optional)
  3. Password verification (required)

  - Email verification is done once per configuration (config.json)
  - 2FA is configurable: every login, once in 30 days, or once
  - Every login session requires the master password (non-SSO accounts)

There is a Persistent Login flow. Generally it uses one-time passwords. It requires the configuration file to be persistent and writable.

Persistent Login does not work in the Azure runbook environment. It does not provide persistent storage as far as I know.

In order to use PowerCommander in the Azure runbook environment the master password needs to be stored and provided to the Connect-Keeper function.

As far as I know Azure has an environment variable concept. The Keeper configuration file and master password can be stored in Azure runbook environment variables and retrieved when the runbook starts.

To use PowerCommander in an Azure runbook:

  1. Create an "azure.json" file locally using PowerCommander. The file name does not matter. Make sure 2FA is not asked anymore.

     ```powershell
     $password = Read-Host -AsSecureString
     Connect-Keeper -Config 'azure.json' -Password $password
     ```

     You should be able to login non-interactively.

  2. Store the content of the azure.json file in one environment variable for your Azure runbook and the "master password" in another.

  3. In your runbook script:

     a. Read the config file content from the environment variable into PowerShell and store it to some file. The file has to use UTF-8 encoding and have no BOM.

     b. Read the master password and store it in a SecureString:

        ```powershell
        $masterPassword = ConvertTo-SecureString -String $passwordFromEnvironment -AsPlainText -Force
        ```

     c. Connect to Keeper:

        ```powershell
        Connect-Keeper -Config <PATH TO CONFIG FILE> -Password $masterPassword
        ```

If everything is done correctly then you should be able to connect to Keeper unattended.

If login still fails then most likely step 3.a is to blame. Make sure the file is stored as UTF-8 with no BOM.

Regards,

sk-keeper, Dec 07 '24 18:12
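As an added illustration of steps 3.a to 3.c above (not code from this thread or from the PowerCommander project), the following runbook fragment writes the config from an environment variable as UTF-8 without a BOM, checks the first bytes of the file before calling Connect-Keeper, and fails loudly instead of falling through to an interactive prompt. The variable names KEEPER_CONFIG_JSON and KEEPER_MASTER_PASSWORD and the temp-file location are assumptions.

```powershell
# Added example; the two environment variable names below are assumptions.
$configJson    = $env:KEEPER_CONFIG_JSON
$passwordPlain = $env:KEEPER_MASTER_PASSWORD
if ([string]::IsNullOrWhiteSpace($configJson) -or [string]::IsNullOrWhiteSpace($passwordPlain)) {
    throw "KEEPER_CONFIG_JSON or KEEPER_MASTER_PASSWORD is not set for this runbook"
}

# Fail early if the stored content is not valid JSON (a truncated or
# double-escaped copy/paste would otherwise surface later as a login prompt).
$null = $configJson | ConvertFrom-Json

# Write UTF-8 *without* BOM. In Windows PowerShell 5.1, 'Out-File -Encoding utf8'
# emits a BOM; the .NET UTF8Encoding with $false never does, on any PowerShell version.
$configPath = Join-Path ([System.IO.Path]::GetTempPath()) 'keeper-config.json'
$utf8NoBom  = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText($configPath, $configJson, $utf8NoBom)

# Verify the requirement from step 3.a: the first three bytes must not be EF BB BF.
$head = [System.IO.File]::ReadAllBytes($configPath) | Select-Object -First 3
if ($head.Count -eq 3 -and $head[0] -eq 0xEF -and $head[1] -eq 0xBB -and $head[2] -eq 0xBF) {
    throw "config file unexpectedly starts with a UTF-8 BOM"
}

# Steps 3.b and 3.c: SecureString for the master password, then connect.
Import-Module PowerCommander
$masterPassword = ConvertTo-SecureString -String $passwordPlain -AsPlainText -Force
Remove-Variable passwordPlain   # drop the plaintext copy as soon as it is no longer needed
Connect-Keeper -Config $configPath -Password $masterPassword
```

Delete the temp config file at the end of the runbook if the sandbox is reused, since it holds the session material that Persistent Login would otherwise keep.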

I'm still getting the same "Non-interactive session detected" message.

So, I'm using a Win11 VM with Commander.exe to generate the JSON.

As far as I can tell that works. If I then try to use the module on that VM it auto logs in as expected.

I then take the content of the JSON by using `Get-Content -Path "C:\Users\keepertest123\Documents\.keeper\config.json" | ConvertFrom-Json -Depth 20 | ConvertTo-Json -Depth 20 -Compress | Set-Clipboard` and write it to Key Vault.

In the Azure runbook I do the following:

```powershell
try {
    Connect-AzAccount -Identity

    $keeperPassword = (Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "KeeperPassword" -AsPlainText -ErrorAction Stop)
    $keeperData = (Get-AzKeyVaultSecret -VaultName "mykeyvault" -Name "KeeperConfig" -AsPlainText -ErrorAction Stop)

    # Get the full path to the .keeper folder
    $docs = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders').Personal
    $keeperPath = Join-Path -Path $docs -ChildPath ".keeper"

    # Create the directory if it doesn't exist
    if (-not (Test-Path -Path $keeperPath)) {
        New-Item -ItemType Directory -Path $keeperPath -Force
    }

    $keeperData | Out-File -Encoding utf8 -Force -FilePath (Join-Path -Path $keeperPath -ChildPath "config.json")

    Import-Module PowerCommander

    $keeperPasswordSecure = (ConvertTo-SecureString -String $keeperPassword -AsPlainText -Force)

    Get-Content (Join-Path -Path $keeperPath -ChildPath "config.json")

    Connect-Keeper -config (Join-Path -Path $keeperPath -ChildPath "config.json") -password $keeperPasswordSecure

} catch {
    Write-Warning "Error on line $($_.InvocationInfo.ScriptLineNumber)"
    Write-Warning $_
    Write-Warning $($_.Exception.Message)
}
```

There's some whitespace/commented junk in the runbook so line 29 is the Connect-Keeper line. The second line in the screenshot is the `Get-Content (Join-Path -Path $keeperPath -ChildPath "config.json")` to confirm the file exists/has data in it.

rvdwegen, Dec 10 '24 07:12

Ok, I tried a few different options for encoding the file and it looks like I got it to work! I think the module could use some feedback on this point. I assume that right now if it can't read the config file properly it defaults to an interactive flow? Maybe you could make it so that when the file is explicitly passed through the cmdlet parameter, failing to properly read the file causes the process to halt with an error stating as much?

rvdwegen, Dec 10 '24 09:12

I have also been running into this issue and I'm just trying to get this to work on a single server, nothing related to Azure, and have tried several things on this thread such as different encodings (UTF8, ASCII) and different commands to attempt to resolve it. It appears that it's reading the config file just fine. I just get the "Non-interactive session detected" message. Keeper Commander has no issue at all.

flamingwasp, Dec 16 '24 18:12

@flamingwasp Do you use "Persistent Login", or is the master password added to the configtest.json file?

The "Non-interactive ..." error means the backend requested some input. In your case it could be the master password.

sk-keeper, Dec 16 '24 19:12

If you are still looking for a solution to PowerCommander in Azure: I've had PowerCommander working in Azure runbooks since we started using Keeper about a year ago, but it was not straightforward.

I followed this guide (multi server) to create my config file.

I stored the config JSON content in an automation account variable (masked). In the runbook I output the JSON content to the standard Windows file location ($Home\Documents\.Keeper). The user account (master password, no MFA) is also stored in the automation account credentials. Then it's just a case of loading PowerCommander and connecting.

```powershell
$KeeperConfigJson = Get-AutomationVariable -Name 'Keeper_Config_Json'
$KeeperConfigPath = New-Item -Path "$HOME\Documents\.Keeper" -Force -ItemType Directory
$KeeperConfigJson | Out-File -Path $KeeperConfigPath\config.json -Encoding utf8
$KeeperCredential = Get-AutomationPSCredential -Name 'KeeperAutomation'
Import-Module PowerCommander
Connect-Keeper -Username $KeeperCredential.UserName -Password $KeeperCredential.Password
```

Boab-F, Apr 28 '25 14:04