Powershell job with alternate credentials from Oct

Posted 2019-06-22 07:27

Question:

I've got an Octopus Tentacle running a deploy script. The tentacle is running as the LocalSystem account.

Inside the script, I'm able to do pretty much everything I need, aside from some archive bit. The archive needs to be done under different domain credentials because it's on a network share.

The frustrating thing is that the code below works locally, but when run off the tentacles, it fails with the error

----------------------------------------------------[ Backup Nupkg ]----------------------------------------------------
Storing a backup version of GeoSphere.1.2.1.1722.nupkg for the Development environment
Error 09:24:32 [localhost] There is an error launching the background process. Error
Error 09:24:32 reported: Access is denied.
Error 09:24:32 At C:\Octopus\Deployments\Development\GeoSphere\1.2.1.1722\deploy.ps1:121
Error 09:24:32 char:1
Error 09:24:32 + Receive-Job $job
Error 09:24:32 + ~~~~~~~~~~~~~~~~
Error 09:24:32 + CategoryInfo : OpenError: (localhost:String) [], PSRemotingTran
Error 09:24:32 sportException
Error 09:24:32 + FullyQualifiedErrorId : -2147467259,PSSessionStateBroken
Info 09:24:32 HasMoreData : False
StatusMessage :
Location : localhost
Command : Import-Module $args[3]
    Backup-Nupkg $args[0] $args[1] $args[2]
JobStateInfo : Failed
Finished : System.Threading.ManualResetEvent
InstanceId : 0c031592-4c2a-4f8b-b014-a5ba79be09f7
Id : 1
Name : Job1
ChildJobs : {Job2}
PSBeginTime : 13/11/2014 9:24:30 AM
PSEndTime : 13/11/2014 9:24:31 AM
PSJobTypeName : BackgroundJob
Output : {}
Error : {}
Progress : {}
Verbose : {}
Debug : {}
Warning : {}
State : Failed
Fatal 09:24:32 PowerShell script returned a non-zero exit code: 1
Tentacle version 2.5.11.614

Here's the code

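# Build the credential for the domain account that can reach the share
# ([PASSWORD] and [DOMAIN\USER] are placeholders).
# $pwd is a PowerShell automatic variable (current location), so a different name is used.
$securePassword = ConvertTo-SecureString "[PASSWORD]" -AsPlainText -Force
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "[DOMAIN\USER]", $securePassword
$packageName = "GeoSphere.$Version.nupkg"
$backupPath = $es.backupPath
$artifactsPath = $es.artifactsPath

# Run the backup in a background job under the alternate credentials.
# This is the job that fails with "Access is denied" when run off the Tentacle.
$job = Start-Job -ScriptBlock {
    Import-Module $args[3]
    Backup-Nupkg $args[0] $args[1] $args[2]
} -ArgumentList @($packageName, $backupPath, $artifactsPath, "$currentDir\modules\ApplicationUtilities") -Credential $cred

Wait-Job $job
Receive-Job $job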

Here's the ApplicationUtilities Module

function Backup-Nupkg {
    param(
        [Parameter(Mandatory=$true, Position=0)] [string] $packageName,
        [Parameter(Mandatory=$true, Position=1)] [string] $backupPath,
        [Parameter(Mandatory=$true, Position=2)] [string] $artifactsPath
    )

    # Create the backup folder if it is missing; otherwise empty it first.
    if (!(Test-Path $backupPath)) {
        New-Item -ItemType Directory -Path $backupPath
    } else {
        Remove-Item "$backupPath\*" -Recurse -Force
    }

    # Copy the package from the artifacts folder into the backup folder.
    Copy-Item (Join-Path $artifactsPath $packageName) $backupPath
}

Export-ModuleMember -Function Backup-Nupkg

What is the magic trick to getting this to run off of the Tentacle as it does locally?

Answer 1:

I tried the same thing without any luck; it seems like it's not possible to start jobs as a different user. In this similar question, Leblanc ended up using WinRM and Invoke-Command instead:

run script block as a specific user with Powershell

(I don't think this is anything Octopus specific - the issue seems to be more of a problem with SYSTEM being able to start processes as a different user, or with Start-Job under SYSTEM, or perhaps both)
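
A sketch of the WinRM and Invoke-Command route this answer points to, added here as an example and not taken from the answer or the linked question. It assumes WinRM is enabled on the Tentacle host and that CredSSP is configured for a session back to the same machine, because reaching the share from inside the session is a second hop that default authentication does not delegate. The function name Invoke-BackupAsUser and its parameter names are hypothetical.

```powershell
# Added example: names below are hypothetical, not from the original post.
# Assumes WinRM is enabled on this host and CredSSP is allowed for a loopback
# session, so the credential can be used again to reach the network share.
function Invoke-BackupAsUser {
    param(
        [Parameter(Mandatory = $true)] [pscredential] $Credential,
        [Parameter(Mandatory = $true)] [string] $PackageName,
        [Parameter(Mandatory = $true)] [string] $BackupPath,
        [Parameter(Mandatory = $true)] [string] $ArtifactsPath,
        [Parameter(Mandatory = $true)] [string] $ModulePath
    )

    # A WinRM logon as $Credential takes the place of Start-Job -Credential.
    $session = New-PSSession -ComputerName $env:COMPUTERNAME `
        -Credential $Credential -Authentication Credssp -ErrorAction Stop
    try {
        Invoke-Command -Session $session -ErrorAction Stop `
            -ArgumentList $PackageName, $BackupPath, $ArtifactsPath, $ModulePath `
            -ScriptBlock {
                param($packageName, $backupPath, $artifactsPath, $modulePath)
                $ErrorActionPreference = 'Stop'   # make copy failures terminate
                # Report which account the remote side actually runs as.
                Write-Output "Running as $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"
                Import-Module $modulePath
                Backup-Nupkg $packageName $backupPath $artifactsPath
            }
    }
    finally {
        # Always close the session so the delegated logon does not linger.
        Remove-PSSession $session
    }
}

# Usage inside deploy.ps1, reusing the variables from the question:
# Invoke-BackupAsUser -Credential $cred -PackageName $packageName `
#     -BackupPath $backupPath -ArtifactsPath $artifactsPath `
#     -ModulePath "$currentDir\modules\ApplicationUtilities"
```

The domain account also needs read access to the module folder on the Tentacle host, since Import-Module now runs under that account.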