This will be one of the shorter posts but it is a sweet one! Password rotation with Veeam is something that is starting to come up more often. Rather than point folks to Veeam's PS and API guide, I thought it would be nicer to point folks to an actual script. Below is a script used recently for a customer to rotate their VBR admin password daily through CyberArk,.
This script will get the Veeam admin password from CyberArk and then set the VBR credentials. Certainly doing this daily might be overkill, but you get the point. Could have this run every 90 or 180 days. Whatever meets your security standards.
add-type @”
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem) {
return true;
}
}
“@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
[System.Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# CyberArk API Endpoint and Credentials
$CyberArkURL = "enter CyberArk URL"
#$CyberArkUsername = "YourCyberArkUsername"
#$CyberArkPassword = "YourCyberArkPassword"
# List of Veeam Server Information
$VeeamServers = @("VBR1_ip", "VBR2_ip")
$VeeamCredentialName = "service_account"
try {
# Authenticate with CyberArk (if necessary)
# $CyberArkCredential = New-Object System.Management.Automation.PSCredential ($CyberArkUsername, ($CyberArkPassword | ConvertTo-SecureString -AsPlainText -Force))
# Make a GET request to CyberArk to retrieve the password
$CertStorePath = "Cert:\LocalMachine\My"
$Certificate = Get-ChildItem -Path $certStorePath | Where-Object {$_.Thumbprint -eq "thumbprint"}
$result = Invoke-RestMethod -Method "Get" -Uri $CyberArkURL -Certificate $Certificate
if ($result -ne $null) {
# Extract the password from the response
$VBRpass = $result.Content
# Loop through the list of Veeam servers
foreach ($VeeamServer in $VeeamServers) {
# Connect to Veeam Backup Server
Connect-VBRServer -Server $VeeamServer
# Set the retrieved password for the Veeam credential
Get-VBRCredentials -Name $VeeamCredentialName | Set-VBRCredentials -Password $VBRpass
# Disconnect from the Veeam Backup Server when done
Disconnect-VBRServer -Confirm:$false
}
}
else {
Write-Host "CyberArk did not return a valid password."
}
}
catch {
Write-Host "An error occurred: $_"
}
Comments