Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest version
- Search the existing issues.
Summary
When passing `PsDscRunAsCredential` or `Credential` to ActiveDirectoryDsc resources, I've found that `config test` leaks `secureString` / `secureObject` values.
- `get`: Only `actualState` is shown. Both `Credential` and `PsDscRunAsCredential` are `null` (expected, since they have no "current" state).
- `set`: If state changes, `beforeState` and `afterState` both show `Credential`/`PsDscRunAsCredential` as `null`. If no changes are needed, the output looks like `config test` and echoes the input credentials.
- `test`: Secure parameters for `Credential`/`PsDscRunAsCredential` are exposed in the `beforeState` section. The `actualState` doesn't display any properties.
Steps to reproduce
`group.dsc.yaml`:

```yaml
$schema: https://aka.ms/dsc/schemas/v3/bundled/config/document.json
metadata:
  Microsoft.DSC:
    securityContext: elevated
parameters:
  adCred:
    type: secureObject
resources:
  - name: Active Directory permissions
    type: Microsoft.Windows/WindowsPowerShell
    properties:
      resources:
        - name: DomainLocal write altSecurityIdentities
          type: ActiveDirectoryDsc/ADGroup
          properties:
            Path: 'OU=Groups,DC=TEST,DC=LOCAL'
            Ensure: Present
            GroupName: 'AD_Write_altSecurityIdentities_test'
            GroupScope: DomainLocal
            Members:
              - 'test01$'
            PsDscRunAsCredential:
              Username: "[parameters('adCred').Username]"
              Password: "[parameters('adCred').Password]"
```

`params.json`:

```json
{
  "parameters": {
    "adCred": {
      "Username": "TEST\\administrator",
      "Password": "randompassword"
    }
  }
}
```

Command:

```powershell
dsc config --parameters-file .\params.json test -f .\group.dsc.yaml
```
Expected behavior
For `PsDscRunAsCredential` in `beforeState` to be redacted in some way.
Note the `jsonInput` in debug logs also exposes secure values.
Actual behavior
```yaml
metadata:
  Microsoft.DSC:
    version: 3.2.0
    operation: test
    executionType: actual
    startDatetime: 2025-09-19T15:50:59.261553100+12:00
    endDatetime: 2025-09-19T15:51:05.359550800+12:00
    duration: PT6.0979977S
    securityContext: elevated
results:
- metadata:
    Microsoft.DSC:
      duration: PT4.8248603S
  name: Active Directory permissions
  type: Microsoft.Windows/WindowsPowerShell
  result:
    desiredState:
      resources:
      - name: DomainLocal write altSecurityIdentities
        type: ActiveDirectoryDsc/ADGroup
        properties:
          Path: OU=Groups,DC=TEST,DC=LOCAL
          Ensure: Present
          GroupName: AD_Write_altSecurityIdentities_test
          GroupScope: DomainLocal
          Members:
          - test01$
          PsDscRunAsCredential:
            Username: TEST\administrator
            Password: randompassword
      metadata:
        Microsoft.DSC:
          context: configuration
    actualState:
      _inDesiredState: true
      result:
      - name: DomainLocal write altSecurityIdentities
        type: ActiveDirectoryDsc/ADGroup
        properties:
          InDesiredState: true
    inDesiredState: true
    differingProperties:
    - resources
    - metadata
messages: []
hadErrors: false
```
Error details
Environment data
```text
Name                           Value
----                           -----
PSVersion                      7.5.2
PSEdition                      Core
GitCommitId                    7.5.2
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
```
Version
3.2.0-preview.4
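Until the output itself is redacted, the practical mitigation is to never let raw `dsc config test` output or its debug log reach a build log or artifact store unfiltered. The following is an added example (not code from this issue or from the DSC project): a Python post-processing filter that collects the leaf strings of every `secureString`/`secureObject` parameter from the config's parameter declarations and the parameters file, then either reports which of them appear in captured `dsc` output (a CI gate) or masks them. It matches both the raw value, as it appears in the YAML output above, and the JSON-escaped form it takes in the `jsonInput` debug log entry. The parameter declarations, the parameters file and the output excerpt are constructed from the values in this issue; the config document's YAML parsing is left to the caller, and the function names are this example's own.

```python
"""Redact secure DSC parameter values from `dsc config test` output and logs.

Added example (not part of DSC or of this issue). Assumes the caller has
already parsed the config document's `parameters` block and the
`--parameters-file` JSON into dicts; the declarations are embedded below.
"""
import json
import re
import sys

SECURE_TYPES = {"secureString", "secureObject"}
MASK = "<redacted>"

# Constructed from the issue's group.dsc.yaml: parameter name -> declaration.
CONFIG_PARAMETERS = {"adCred": {"type": "secureObject"}}

# Constructed from the issue's params.json (same sample values).
PARAMETERS_FILE = json.loads(r'''
{
  "parameters": {
    "adCred": {
      "Username": "TEST\\administrator",
      "Password": "randompassword"
    }
  }
}
''')

# Constructed excerpt of the `dsc config test` output shown in the issue.
SAMPLE_TEST_OUTPUT = """\
desiredState:
  resources:
  - name: DomainLocal write altSecurityIdentities
    type: ActiveDirectoryDsc/ADGroup
    properties:
      PsDscRunAsCredential:
        Username: TEST\\administrator
        Password: randompassword
"""


def _leaf_strings(value):
    """Yield every string leaf inside a (possibly nested) parameter value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _leaf_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _leaf_strings(v)


def secure_values(config_parameters, parameters_file):
    """Return the set of strings that must never appear in output: every
    non-empty leaf of a parameter declared secureString/secureObject."""
    secrets = set()
    supplied = parameters_file.get("parameters", {})
    for name, decl in config_parameters.items():
        if decl.get("type") in SECURE_TYPES and name in supplied:
            secrets.update(s for s in _leaf_strings(supplied[name]) if s)
    return secrets


def _forms(secret):
    """Textual forms a secret can take: raw (YAML output) and JSON-escaped
    (the `jsonInput` debug log line). json.dumps adds quotes; strip them."""
    return {secret, json.dumps(secret)[1:-1]}


def find_leaks(text, secrets):
    """Secrets that appear in `text` in any form (use as a CI gate)."""
    return {s for s in secrets if any(f in text for f in _forms(s))}


def redact(text, secrets):
    """Replace every occurrence of every secret form, longest first so a
    secret that is a prefix of another form cannot leave a partial value."""
    forms = sorted({f for s in secrets for f in _forms(s)}, key=len, reverse=True)
    if not forms:
        return text
    return re.compile("|".join(re.escape(f) for f in forms)).sub(MASK, text)


if __name__ == "__main__":
    # Read captured dsc output from stdin when piped; otherwise use the sample.
    captured = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TEST_OUTPUT
    secrets = secure_values(CONFIG_PARAMETERS, PARAMETERS_FILE)
    leaked = find_leaks(captured, secrets)
    print(redact(captured, secrets))
    if leaked:
        print(f"WARNING: {len(leaked)} secure parameter value(s) leaked", file=sys.stderr)
```

In a pipeline the filter sits between `dsc` and whatever stores the log (for example `dsc config --parameters-file .\params.json test -f .\group.dsc.yaml 2>&1 | python redact.py`), and `find_leaks` returning a non-empty set is the signal to fail the job. Redacting the username as well as the password is deliberate: both are leaves of the `secureObject`, so the filter treats the whole object as sensitive rather than guessing which fields matter.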