Credentials are a ubiquitous object in PowerShell. Let’s dive right in and learn how we can use the PowerShell Get-Credential cmdlet and also learn how to create PSCredential objects without getting prompted.
PSCredential objects are a creative way to store and pass credentials to various services securely. Many built-in and third-party cmdlets require PSCredential objects on many different commands.
Using Get-Credential
Typically, to create a PSCredential object, you’d use the Get-Credential
cmdlet. The Get-Credential
cmdlet is the most common way that PowerShell receives input to create the PSCredential object like the username and password.
The Get-Credential
cmdlet works fine and all but it’s interactive. There’s no way to seamless pass values to it. Every time it’s run, it will either prompt for the username and password at the console or pop up a dialog box asking for the username and password.
Create a Credential without a Prompt
What if you’re working on an automated script that runs in a scheduled task or part of some more significant automation framework? In this case, there’s no one manning the console to type in a username and password. It’s now time to create a PSCredential object from scratch!
To build a PSCredential object with no interaction first requires encrypting the password. The PSCredential object needs a plain-text username and an encrypted string for the password.
To encrypt a password, you will convert a string to a secure string. You do that by using the ConvertTo-SecureString
cmdlet. Pass a plain-text password to this cmdlet, and because it is plain text, we have to use the PlainText
and Force
parameters as well. PowerShell makes it inadvertently clear that you are passing a plain-text password here for sure.
$password = ConvertTo-SecureString 'MySecretPassword' -AsPlainText -Force
Once you have a secure string created, it’s now time to build the PSCredential object. To do this, use the New-Object
cmdlet defining an object type of System.Management.Automation.PSCredential. The PSCredential class has a constructor that accepts the username and a secure string that we can use by enclosing both in a set of parentheses.
$credential = New-Object System.Management.Automation.PSCredential ('root', $password)
We now have a PSCredential object saved to do whatever we wish. At this point, we can pass the $credential
variable to many different commands with a Credential
parameter, and it’ll work great. To check to see it was created with the expected username and password, we can reference the UserName
property which should display the username you used earlier.
PS> $credential.UserName
root
The password is encrypted, but if you read the password on the same computer and logged in user, you can use the GetNetworkCredential()
method to see the password in plain text. Simply append GetNetworkCredential()
to the end of the credential object but notice that you won’t immediately see the password.
PS> $credential.GetNetworkCredential()
UserName Domain
-------- ------
root
To see the password, you’ll need to use the Password
property on the object that GetNetworkCredential()
returns.
PS51> $credential.GetNetworkCredential().Password
MySecretPassword
The password that’s returned should be the same password that you provided early to the PSCredential constructor.
Summary
You can see that creating a PSCredential object without using the Get-Credential
cmdlet isn’t too bad at all. In fact, the only task preventing this from being a PowerShell one-liner is just creating the secure string!