Credentials are a ubiquitous object in PowerShell. Let's dive right in and learn how we can use the PowerShell Get-Credential cmdlet and also learn how to create PSCredential objects without getting prompted.
PSCredential objects are a creative way to store and pass credentials to various services securely. Many built-in and third-party cmdlets require PSCredential objects on many different commands.
Typically, to create a PSCredential object, you'd use the
Get-Credential cmdlet. The
Get-Credential cmdlet is the most common way that PowerShell receives input to create the PSCredential object like the username and password.
Get-Credential cmdlet works fine and all but it's interactive. There's no way to seamless pass values to it. Every time it's run, it will either prompt for the username and password at the console or pop up a dialog box asking for the username and password.
Create a Credential without a Prompt
What if you're working on an automated script that runs in a scheduled task or part of some more significant automation framework? In this case, there's no one manning the console to type in a username and password. It's now time to create a PSCredential object from scratch!
To build a PSCredential object with no interaction first requires encrypting the password. The PSCredential object needs a plain-text username and an encrypted string for the password.
To encrypt a password, you will convert a string to a secure string. You do that by using the
ConvertTo-SecureString cmdlet. Pass a plain-text password to this cmdlet, and because it is plain text, we have to use the
Force parameters as well. PowerShell makes it inadvertently clear that you are passing a plain-text password here for sure.
$password = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force
Once you have a secure string created, it's now time to build the PSCredential object. To do this, use the
New-Object cmdlet defining an object type of System.Management.Automation.PSCredential. The PSCredential class has a constructor that accepts the username and a secure string which we can use by enclosing both in a set of parentheses.
$credential = New-Object System.Management.Automation.PSCredential ('root', $password)
We now have a PSCredential object saved to do whatever we wish. At this point, we can pass the
$credential variable to many different commands with a
Credential parameter, and it'll work great. To check to see it was created with the expected username and password, we can reference the
UserName property which should display the username you used earlier.
The password is encrypted, but if you read the password on the same computer and logged in user, you can use the
GetNetworkCredential() method to see the password in plain text. Simply append
GetNetworkCredential() to the end of the credential object but notice that you won't immediately see the password.
PS51> $credential.GetNetworkCredential() UserName Domain -------- ------ root
To see the password, you'll need to use the
Password property on the object that
PS51> $credential.GetNetworkCredential().Password MySecretPassword
The password that's returned should be the same password that you provided early to the PSCredential constructor.
You can see that creating a PSCredential object without using the
Get-Credential cmdlet isn't too bad at all. In fact, the only task preventing this from being a PowerShell one-liner is just creating the secure string!
Join the Jar Tippers on Patreon
It takes a lot of time to write detailed blog posts like this one. In a single-income family, this blog is one way I depend on to keep the lights on. I'd be eternally grateful if you could become a Patreon patron today!Become a Patron!