Feature Request - Powershell/API/Ansible support for onboarding Linux SSH Providers

1 vote

We would like full PowerShell/API/Ansible support for automating Devolutions PAM Linux SSH onboarding.

Use case:
We manage a large Linux/Unix fleet and need to onboard many Linux SSH PAM providers and managed credentials programmatically. Today this appears to require manual UI steps or incomplete/undocumented automation.

Requested capabilities:

1. Create a standalone PAM credential programmatically.
- Username
- Password or generated secret
- Vault/folder placement
- Checkout policy / permissions where applicable

2. Create a Linux SSH PAM Provider programmatically.
- Provider name
- Host/FQDN/IP
- Port
- Timeout
- Credential mode
- Heartbeat verification mode
- Credential type linked credential
- Link the provider to an existing standalone PAM credential

3. Create Linux SSH managed credentials/accounts programmatically using that provider.
- Account username
- Provider association
- Vault/folder placement
- Checkout policy
- Password rotation policy
- Heartbeat settings

Business reason:
This is needed for enterprise-scale PAM onboarding, CI/CD-style provisioning, Ansible-automated PAM deployment for new systems, repeatable Dev/Test/Prod environments, and compliance-driven infrastructure-as-code workflows.

Without this, Linux SSH PAM onboarding is difficult to standardize and audit at scale.

All Comments (1)

Hi bryan_ricciardo,

Thank you for the detailed feature request and for sharing the use case.

The building blocks for what you describe already exist in the Devolutions PowerShell module and the DVLS REST API. Here is how to wire them together today, plus the one small workaround you will need.

A quick note before the snippets: the PowerShell examples below are provided as a starting point to illustrate the intended flow. They have not been executed end-to-end as written in your specific environment, so please treat them as a reference rather than a guaranteed turnkey script — minor adjustments (parameter values, folder IDs, credential prompts, error handling) may be needed when you adapt them to your fleet. If anything behaves unexpectedly or you would like help validating the workflow against a real DVLS instance, our support team will be happy to assist — do not hesitate to reach out.

1. Create a standalone PAM credential

$cred = New-DSPamAccount `
-CredentialType Standalone `
-Name 'linux-bootstrap' `
-FolderID $folderID `
-Username 'svc_bootstrap' `
-Password (Read-Host -AsSecureString) `
-Description 'Bootstrap account used by the Linux SSH provider'

Checkout policy and permissions can then be set with the standard PAM cmdlets (Get-DSPamCheckoutPolicy, Get-DSPamAccountSecurity).

2. Create a Linux SSH PAM provider

New-DSPamProvider `
-CredentialType LocalUser `
-Name 'linux-fleet-east' `
-Host 'host.example.com' `
-Port 22 `
-Username 'svc_bootstrap' `
-Password (Read-Host -AsSecureString)

Heartbeat mode, SSH key rotation type/bit count, timeout, and gateway are all exposed on the underlying provider connection (PamProviderConnection). They can be set on creation via the dynamic parameters or adjusted afterwards through Update-DSPamProvider.

3. Link the provider to the standalone credential (current workaround)

New-DSPamProvider does not expose -LinkedCredentialID for the LocalUser type, and it does not return the created provider object. Until that lands, fetch the provider back, mutate it, and push it through Update-DSPamProvider -InputObject:

$provider = Get-DSPamProvider | Where-Object label -eq 'linux-fleet-east'
$provider.ProviderLinkedCredentialID = $cred.ID
Update-DSPamProvider -InputObject $provider

Or do create + link via the REST API:

POST /api/pam/providers # create / update provider, body includes CredentialConnectionID
POST /api/pam/credentials # create credential
GET /api/pam/providers/summary # filter by linked credential
POST /api/pam/providers/{id}/quick-scan # account discovery

The PamProvider DTO carries CredentialConnectionID so the REST round-trip can do both create + link in a single call if you prefer to skip PowerShell entirely (useful for Ansible uri tasks).

4. Create managed SSH accounts under the provider

New-DSPamAccount `
-CredentialType LocalUser `
-Name 'linux-root-host01' `
-ProviderID $provider.ID `
-FolderID $folderID `
-Username 'root' `
-Password (Read-Host -AsSecureString)

Rotation and heartbeat are driven by Account Lifecycle Policies — Get-DSAccountLifecyclePolicyCommand lists them, and the policy ID can be attached to the account. Checkout / check-in cycles use Invoke-DSPamCheckout / Invoke-DSPamCheckin, and Reset-DSPamPassword triggers an on-demand rotation.

Ansible / CI/CD shape

For Ansible the easiest pattern is to wrap the three steps above in PowerShell (win_shell / shell with pwsh) per host or per host-group, idempotent on the provider name. If you need a pure-HTTP path, the REST routes listed above cover the same surface.

Our support team is also available should you need any assistance. Feel free to let us know if this helps.

For reference, the full Devolutions PowerShell cmdlet catalog (including the DS PAM commands used above) is documented here:
https://docs.devolutions.net/powershell/powershell-commands/

Regards,

Simon Leroux
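The following wraps the four steps of the reply above into a single function that is idempotent on the provider name, which is the shape the reply recommends for an Ansible win_shell / shell task per host group. It is an added example, not code from the original post or from Devolutions: it assumes the Devolutions PowerShell module is imported with a DVLS session already open, that the cmdlets and parameters behave as quoted in the reply, and the function name Invoke-LinuxSshOnboarding is hypothetical.

```powershell
# Added example (not from the original post or from Devolutions). Assumes an
# open DVLS session and the cmdlet names/parameters quoted in the reply above.
function Invoke-LinuxSshOnboarding {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $ProviderName,
        [Parameter(Mandatory)] [string]       $HostName,
        [Parameter(Mandatory)] [string]       $FolderID,
        # Bootstrap login used by the provider; passwords stay SecureString, never plain text.
        [Parameter(Mandatory)] [pscredential] $Bootstrap,
        # Managed accounts to create under the provider (one PSCredential per account).
        [pscredential[]]                      $ManagedAccounts = @(),
        [int]                                 $Port = 22
    )

    # Idempotency check: an existing provider with this label means onboarding already ran.
    $provider = Get-DSPamProvider | Where-Object label -eq $ProviderName
    if ($provider) {
        Write-Verbose "Provider '$ProviderName' already exists (ID $($provider.ID)); skipping."
        return $provider
    }
    if (-not $PSCmdlet.ShouldProcess($ProviderName, 'Onboard Linux SSH provider')) { return }

    # Step 1: standalone PAM credential the provider will be linked to.
    $cred = New-DSPamAccount -CredentialType Standalone -Name "$ProviderName-bootstrap" `
        -FolderID $FolderID -Username $Bootstrap.UserName -Password $Bootstrap.Password `
        -Description "Bootstrap account used by the Linux SSH provider $ProviderName"

    # Step 2: the provider itself. The cmdlet returns nothing, so it is fetched back below.
    New-DSPamProvider -CredentialType LocalUser -Name $ProviderName -Host $HostName `
        -Port $Port -Username $Bootstrap.UserName -Password $Bootstrap.Password

    # Step 3 (workaround from the reply): fetch, set the link property, push back.
    $provider = Get-DSPamProvider | Where-Object label -eq $ProviderName
    if (-not $provider) { throw "Provider '$ProviderName' was not found after creation." }
    $provider.ProviderLinkedCredentialID = $cred.ID
    Update-DSPamProvider -InputObject $provider

    # Step 4: managed SSH accounts under the provider, one per supplied credential.
    foreach ($acct in $ManagedAccounts) {
        New-DSPamAccount -CredentialType LocalUser -Name "$ProviderName-$($acct.UserName)" `
            -ProviderID $provider.ID -FolderID $FolderID `
            -Username $acct.UserName -Password $acct.Password | Out-Null
    }
    return $provider
}
```

Because the idempotency gate is the provider label only, managed accounts are created on the first run; adding accounts to an existing provider later needs its own existence check before calling New-DSPamAccount.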
