My scenario:
Here is how I attempted to implement a solution:
1. I created a dedicated account that will provide RunAs credentials for a constrained PSSession.

2. I logged in interactively as the service account and ran this command:

ConvertTo-SecureString "MySecretKey....." -AsPlainText -Force | Export-Clixml C:\PSScripts\panosAccessToken

This created a token encrypted for my service account.

3. Inside the script that I am delegating, which will run in the context of the service account, I decrypt the key like so:

$accessToken = Import-Clixml C:\PSScripts\token

The Issue: When users connect to the session and attempt to run the function, they get the following error message:

[localhost]: PS> Get-PANOSBlockedTraffic
Import-Clixml : Cannot find drive. A drive with the name 'C' does not exist.
At line:4 char:20
+ $accessToken = Import-Clixml C:\PSScripts\token
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:String) [Import-Clixml], DriveNotFoundException
    + FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.ImportClixmlCommand

It appears that my function is not allowed to access the file system, despite the fact that the service account has the appropriate rights. What am I missing?
Answer 0: (score: 0)

Your constrained endpoint is using RestrictedRemoteServer, which only allows access to a few selected cmdlets, and almost nothing else. The FileSystem provider is not among the things allowed, so you aren't able to read from the filesystem.

You can allow just that provider:

New-PSSessionConfigurationFile -Path c:\PSScripts\panos.pssc `
    -Description 'PANOS Delegation EndPoint' `
    -ExecutionPolicy Restricted `
    -SessionType RestrictedRemoteServer `
    -LanguageMode FullLanguage `
    -VisibleProviders FileSystem `
    -FunctionDefinitions @{Name="Get-PANOSBlockedTraffic";ScriptBlock=$getBlockedTraffic; Options="AllScope"}

By adding -VisibleProviders FileSystem you can specify which providers are available to the session. Of course this allows all filesystem access now.
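As an added example (not the asker's or answerer's code), here is the same endpoint built so that the FileSystem provider is visible but a connected user cannot read the token file directly: with -LanguageMode NoLanguage and RestrictedRemoteServer's default cmdlet set, only the exposed function runs Import-Clixml, and the file's ACL is cut down to the RunAs account. The account name CONTOSO\svc-panos, the endpoint name PANOS and the function body are assumptions; the PAN-OS API call itself is left out because the page does not show it.

```powershell
# Added example: the answer's endpoint, hardened. Paths, account, endpoint name and
# function body are assumptions; the PAN-OS API call is omitted (not on the page).
$tokenPath  = 'C:\PSScripts\panosAccessToken'
$configPath = 'C:\PSScripts\panos.pssc'
$svcAccount = 'CONTOSO\svc-panos'            # assumed RunAs service account

# 1. Lock the token file down: only the RunAs account (plus SYSTEM/Administrators) may read it.
#    Export-Clixml of a SecureString is DPAPI-protected for the exporting user, so the
#    ACL is a second layer, not the only one.
$acl = Get-Acl -Path $tokenPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
$readers = @{ $svcAccount = 'Read'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' }
foreach ($id in $readers.Keys) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, $readers[$id], 'Allow'))
}
Set-Acl -Path $tokenPath -AclObject $acl

# 2. The delegated function. It runs under the RunAs account, which is why Import-Clixml
#    can decrypt a token exported by that same account. Literal path: the .pssc stores the
#    script block as text, so variables from this registration script are not visible in it.
$getBlockedTraffic = {
    $accessToken = Import-Clixml 'C:\PSScripts\panosAccessToken'
    $apiKey = [System.Net.NetworkCredential]::new('', $accessToken).Password
    # ... call the PAN-OS API with $apiKey here and return only the filtered log rows ...
    "placeholder: key of length $($apiKey.Length) decrypted as $env:USERNAME"
}

# 3. Session configuration: FileSystem provider visible (fixes 'Cannot find drive'), but
#    NoLanguage + RestrictedRemoteServer means a user can only invoke visible commands,
#    and no Get-Content/Import-Clixml is visible, so the token file stays out of reach.
New-PSSessionConfigurationFile -Path $configPath `
    -Description 'PANOS Delegation EndPoint' `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -VisibleProviders FileSystem `
    -FunctionDefinitions @{ Name = 'Get-PANOSBlockedTraffic'; ScriptBlock = $getBlockedTraffic }
if (-not (Test-PSSessionConfigurationFile -Path $configPath)) { throw "Invalid .pssc: $configPath" }

# 4. Register with the RunAs credential (-Force skips the prompt; WinRM is restarted).
$runAs = Get-Credential -UserName $svcAccount -Message 'Password for the RunAs account'
Register-PSSessionConfiguration -Name PANOS -Path $configPath -RunAsCredential $runAs -Force | Out-Null

# 5. Verify from the client side: the command list should be the RestrictedRemoteServer
#    proxies plus Get-PANOSBlockedTraffic, and nothing that reads files.
$s = New-PSSession -ComputerName localhost -ConfigurationName PANOS
Invoke-Command -Session $s -ScriptBlock { Get-Command } | Select-Object -ExpandProperty Name
Invoke-Command -Session $s -ScriptBlock { Get-PANOSBlockedTraffic }
Remove-PSSession $s
```

Run the registration part elevated on the endpoint host; the verification in step 5 is what shows whether a delegated user can reach anything beyond the one exposed function.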