Powershell / RestAPI

Hello,

You can use the Python SDK can retrieve passwords from your Devolutions Password Server instance.

It can be downloaded from github. Please visit https://github.com/Devolutions/dps-sdk-python

Best regards,

Hi Érica,

I know that their is a Python SDK.
But we like to use Powershell. (all scripts are written in Powershell)

We know how to use a RestAPI for example.

Or do you have more information about the APIv3 that on your roadmap?



Kind regards,

Hans Vos

Hello,

I am sorry to say that we do not have any information available about API v3. Per our Road Map, DPS version 2019.3 should be available at then end of 2019 or beginning of 2020.

Best regards,

i would second on the Powershell topic.

Me too, keep the topic hot!

A Powershell module that supports Powershell Core would be an excellent solution. Especially, if that module would work on all supported platforms (Windows/Linux/Mac).

Meelis

I would also like to see a powershell module for Password Server.

I would also find powershell support useful.

Hello,

Quick update here, we lately released the DPS CLI, it's available here: https://server.devolutions.net/home/download
This integrates very well with Powershell.
You can access the online help for it here: https://helpserver.devolutions.net/supportresources_knowledgebase_commandlineinterface.htm

I hope this helps!


Best regards,

Thanks. That is an interesting addition, unfortunately it does not allow access to what I am looking for. I am trying to access aws creds and Private Key and this only returns a username/domain/password.

Hello!

Sorry for not answering earlier, I kinda lost track of it...
You can submit a feature request in DPS Forum : https://forum.devolutions.net/forum34-devolutions-password-server--feature-request.aspx

Sorry again for the delay.


Best regards,

Do you have any example powershell code that uses the CLI that you can share?

Hello,

You will have to download the DPS CLI installer from the following page under the Companion Tools section and install it.
https://server.devolutions.net/home/download

Then, once you have launch the DPSCli.exe from PowerShell, please follow the instructions on this online help page.
https://kb.devolutions.net/dps_command_line_interface.html

Best regards,

Then, once you have launch the DPSCli.exe from PowerShell, please follow the instructions on this online help page.
https://kb.devolutions.net/dps_command_line_interface.html

According to this help page, this CLI tool is interactive. How can I script it?

Mor questions:

• How can I search for session/credential in database with this tool?
• What types of objects can I change?
• Can I create sessions/credentials in database with this tool?

Meelis

Hello,

To script with this command, you can use the command in PowerShell like the following.

PS c:\>dpscli config --server http://localhost/dps
PS c:\>dpscli login --login MyUsername MyPassword

All the parameters available can be listed with this command.

PS c:\>dpscli help

Sadly, it is not possible to fetch entries with the CLI yet. You need to know the current vault location ID and the entry ID to get or set the information.

You can only update credential entries for now if I'm right. Let me check that and will get back to you about it.

You cannot create entries but can update credential entries with this tool using the SET command.

PS c:\>dpscli set 4574725f-0d24-4cbc-a116-a5270179e251 --username NewUsername --password NewPassword --domain NewDomain

Best regards,

To script with this command, you can use the command in PowerShell like the following.

PS c:\>dpscli config --server http://localhost/dps
PS c:\>dpscli login --login MyUsername MyPassword

How long that login will persist? Is it still logged on when script ends?

what are the authentication options for logon? Do I need a separate account for CLI or can user logon with same credentials as in web interface?

Sadly, it is not possible to fetch entries with the CLI yet. You need to know the current vault location ID and the entry ID to get or set the information.

So it's not possible to change password without user providing that Entry ID? Or I need another database to save entry ID-s that I need to operate with?

Hello,

The login will persist according to the Inactivity Time parameter value in Administration - Password Server Settings - Advanced.
You could also use the logout command like the following to be sure that you are logged out of your DPS instance.

PS c:\>dpscli logout

The DPSCLI allows to connect with any user accounts created in DPS or an application key. For user accounts, be sure that the CLI is set to Allow in the Applications tab of user's properties.



It is only possible to interact with entries that you know their IDs. There is no method to fetch/update credentials based on the entry's name.

And as long as the entry contains the username, password and domain properties, the DPS CLI can interact with those entry types. PasswordList entries aren't supported.

I hope this helps to clarify the situation. Let me know if you need further information about it.

Best regards,

The login will persist according to the Inactivity Time parameter value in Administration - Password Server Settings - Advanced.

So does it mean that same shell that runs script can use CLI application without needing to logon? the next script for example? What about other applications on the same user session? Applications on another user session?

How is that logon information preserved on client side? Who/what can access that information?

The DPSCLI allows to connect with any user accounts created in DPS or an application key.

The link above mentions API SDK. Can I connect to that API? Is i documented somewhere?

It is only possible to interact with entries that you know their IDs. There is no method to fetch/update credentials based on the entry's name.

And as long as the entry contains the username, password and domain properties, the DPS CLI can interact with those entry types.

Does it mean that CLI can also retrieve/change username and password form Sessions?

I hope this helps to clarify the situation. Let me know if you need further information about it.

It makes the CLI tool much less useful. Is there any other way to get access to credentials without UI? Forcing users to obtain and save credetial ID-s makes it very error-prone...

Hello,

So does it mean that same shell that runs script can use CLI application without needing to logon? the next script for example? What about other applications on the same user session? Applications on another user session?

Once the script will be finished and closed, the session will be no longer valid and not able to connect to it unless a new login process is started.

How is that logon information preserved on client side? Who/what can access that information?

The logon information can be saved in the script itself or provided to the script as a parameter. The DPSCLI allows any user account created in DPS if they have the option enabled as stated in my previous answer or with an application key. Both choices are possible.

The link above mentions API SDK. Can I connect to that API? Is i documented somewhere?

About the API SDK, we have already mentioned that we are working on it as stated in the following thread.

Does it mean that CLI can also retrieve/change username and password form Sessions?

Yes the DPSCLI can interact with sessions to retrieve username and password, even if it comes from another credential entry. About the modification, it will modify only the credential of the session itself. No modification can be made if the credential of the session is bind to a credential entry. You must modify that credential entry directly using its ID.

It makes the CLI tool much less useful. Is there any other way to get access to credentials without UI? Forcing users to obtain and save credetial ID-s makes it very error-prone...

You can indeed use the RDM PowerShell module if you are using RDM connected to your DPS instance. The following PowerShell forum's section contains multiple PowerShell script samples.

Best regards,

> So does it mean that same shell that runs script can use CLI application without needing to logon? the next script for example? What about other applications on the same user session? Applications on another user session?

Once the script will be finished and closed, the session will be no longer valid and not able to connect to it unless a new login process is started.

As i understand, i can use CLI app interactively from command line. That means that session information is preserved between CLI tool runtimes, until logoff is performed (script running CLI tool must call CLI tool several times). Can that information be used by other processes in the same machine?

> How is that logon information preserved on client side? Who/what can access that information?

The logon information can be saved in the script itself or provided to the script as a parameter.

not the login information provided to script. How the session is preserved in machine running CLI tool?

> The link above mentions API SDK. Can I connect to that API? Is i documented somewhere?

About the API SDK, we have already mentioned that we are working on it as stated in the following thread.

Can the priority of that work be somehow increased? By now it seems that CLI tool is clearly not enough.

> It makes the CLI tool much less useful. Is there any other way to get access to credentials without UI? Forcing users to obtain and save credetial ID-s makes it very error-prone...

You can indeed use the RDM PowerShell module if you are using RDM connected to your DPS instance. The following PowerShell forum's section contains multiple PowerShell script samples.

RDM PowerShell module is not so good, if it would be used through remote session or in automation scripts. In some points it still depends on RDM GUI.

Does RDM PowerShell module support PowerShell 7?

we will continue this discussion in the ticket that is opened.