I'm a software developer with limited systems knowledge, and I'm working on a solution to schedule ETL pipelines on Windows Server 2025. For now, I'm using the Cronicle-edge service in a container on Linux to execute .cmd files via SSH on a Windows Server VM that runs OpenSSH. I'll be setting up SSH keys for authentication, but I'm facing a challenge. I need to provide a user/password to access SQL Server, but I've been instructed not to disclose the password to the user who sets the schedules in Cronicle. I'm struggling to find a secure way to handle this—users could potentially see the password through environment variables or command outputs. I'm looking for advice on best practices for managing credentials in this scenario.
3 Answers
Have you considered using a CI/CD tool like GitHub Actions? You could set up a GitHub runner on the Windows server and execute PowerShell from there. This approach allows you to store the passwords as secrets in GitHub, keeping them safe and out of plain sight.
If possible, it’s best to avoid giving out the SQL password entirely. The ideal way to handle this is to run your ETL jobs under a service account with the necessary DB permissions. That way, the system handles the authentication and you don't have to expose any sensitive credentials to users who trigger the jobs. Just remember to keep any secrets stored securely with DPAPI or in the Windows Credential Manager.
There are quite a few approaches you can take without ever exposing plaintext passwords. For instance, on Windows, you can use a connection string that employs Windows Authentication, which eliminates the need for stored passwords altogether. You can also think about utilizing a Group Managed Service Account (gMSA) for any scheduled tasks. If you do need to store a password, make sure to use the SecretManagement module on PowerShell to do it securely.
Related Questions
Can't Load PhpMyadmin On After Server Update
Redirect www to non-www in Apache Conf
How To Check If Your SSL Cert Is SHA 1
Windows TrackPad Gestures