For a PC build process, we used a PowerShell script, which installed Nuget and Choco, and pulled packages from an on-prem Nexus repo. It asked for the user's username and password, and installed Nuget and Choco first, before working through a list of packages via Choco.
This was all well and good until we migrated to a cloud repo, JFrog. Being on the cloud, this requires not a password but a token. I can't expect a user to type the long token, and it'll be insecure to store the token on the NAS with the script (or in GitHub where the code is kept).
Now I've hit a catch-22: I can't install the HashiCorp Vault app, Choco, or Nuget as they are all on the repo, and I can't get the token until I access Vault.
Could someone with a more analytical mind help untangle this mess for me?
This entire process must be automated apart from the user navigating the NAS to start the script and entering their credentials. And it starts on a barebones Windows box (currently 10, but will be 11 soon).
There are a few options to use Vault in your scenario:
Install from vaultproject.io
Installing is really just download and run. Vault is a single executable that serves as a client or a server. You can download the binary, unzip it and run it.
The problem is that Windows lacks native tools to validate the signature of a binary and unzip it. PowerShell might be able to do that.
Call the HTTP API
Again, curl.exe (not the PowerShell curl alias) could be already installed, even on Windows 10 if it's not too old. If that's the case, then you can call the API through HTTP. Parsing the tokens out of the response using the few tools already installed might set you up for long nights.
Deploy Vault
Deploy Vault to all the computers in your fleet. Put it in the path and use it in your script.
It is a command-line tool; you'll need to ask for their password and send it to Vault, unless you have a Vault Enterprise license and use SAML authentication. There is a Kerberos plug-in, but it is old and not widely used. I wouldn't recommend it.
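Pulling the answer's options together as one bootstrap script, written here as an added example and not the asker's script, HashiCorp's code or the answer's own text. Everything in it that names an environment is an assumption to replace: the Vault address, the pinned Vault version and the SHA256 of that release zip (obtained once, out of band, and kept in the script so a tampered download fails the comparison), the `userpass` auth mount (an `ldap` mount uses the same URL shape), and the KV v2 path `secret/data/jfrog` with key `token`. It uses only what a bare Windows 10/11 box already has: `Invoke-WebRequest`, `Invoke-RestMethod`, `Get-FileHash` and `Expand-Archive`, so neither curl.exe nor any package from the repo is needed to reach Vault, and the JSON parsing the answer warns about is done by PowerShell.

```powershell
# Added example, not the poster's script or HashiCorp's code.
# Assumptions to replace: $VaultAddr, $VaultVersion, $ExpectedSha256 (hash of the pinned
# zip, obtained once out of band), the 'userpass' auth mount, and the KV v2 secret path/key.
$ErrorActionPreference = 'Stop'
# Older Windows 10 builds default to old TLS versions in .NET; force TLS 1.2 for Vault and releases.hashicorp.com.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$VaultAddr      = 'https://vault.example.internal:8200'   # assumption
$VaultVersion   = '1.15.0'                                 # assumption: pin the version you tested
$ExpectedSha256 = 'PLACEHOLDER_SHA256_OF_PINNED_ZIP'       # assumption: paste the real hash here

function Install-VaultBinary {
    # Option 1 from the answer: fetch the zip straight from releases.hashicorp.com and unpack it
    # with PowerShell only. Windows has no gpg to check the .sig, so the script pins the SHA256
    # of one known-good zip instead; a tampered or truncated download fails the comparison.
    param([string]$Version, [string]$Sha256, [string]$Dest = (Join-Path $env:ProgramData 'vault'))
    $zip = Join-Path $env:TEMP "vault_$Version.zip"
    $url = "https://releases.hashicorp.com/vault/$Version/vault_${Version}_windows_amd64.zip"
    Invoke-WebRequest -Uri $url -OutFile $zip -UseBasicParsing
    $actual = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item $zip -Force
        throw "vault zip SHA256 mismatch: got $actual"
    }
    New-Item -ItemType Directory -Path $Dest -Force | Out-Null
    Expand-Archive -Path $zip -DestinationPath $Dest -Force
    Remove-Item $zip -Force
    return (Join-Path $Dest 'vault.exe')
}

function Get-VaultToken {
    # Option 2: log in over the HTTP API with the user's own credentials. Invoke-RestMethod
    # parses the JSON response, which avoids the curl-plus-string-parsing problem the answer mentions.
    # An 'ldap' mount uses the same URL shape (/v1/auth/ldap/login/<user>); only the mount name changes.
    param([string]$Addr, [pscredential]$Credential, [string]$AuthMount = 'userpass')
    $body = @{ password = $Credential.GetNetworkCredential().Password } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri "$Addr/v1/auth/$AuthMount/login/$($Credential.UserName)" `
                              -Body $body -ContentType 'application/json'
    return $resp.auth.client_token
}

function Get-VaultKvSecret {
    # KV v2 read: GET /v1/<mount>/data/<path>; the value sits under data.data.<key>. Nothing is written to disk.
    param([string]$Addr, [string]$Token, [string]$Path, [string]$Key)
    $resp = Invoke-RestMethod -Method Get -Uri "$Addr/v1/$Path" -Headers @{ 'X-Vault-Token' = $Token }
    return $resp.data.data.$Key
}

# --- main flow: the user types only their own username and password, as today ---
$cred       = Get-Credential -Message 'Vault login (your directory username and password)'
$vaultToken = Get-VaultToken -Addr $VaultAddr -Credential $cred
$repoToken  = Get-VaultKvSecret -Addr $VaultAddr -Token $vaultToken -Path 'secret/data/jfrog' -Key 'token'   # assumption: path/key

# Revoke the Vault session as soon as the repo token is in hand (POST /v1/auth/token/revoke-self).
Invoke-RestMethod -Method Post -Uri "$VaultAddr/v1/auth/token/revoke-self" -Headers @{ 'X-Vault-Token' = $vaultToken } | Out-Null

# The repo token exists only in this process; register the feed, then carry on with the package list.
# (assumed feed URL; the 'choco source add' syntax is Chocolatey's own)
# choco source add -n=jfrog -s="https://example.jfrog.io/artifactory/api/nuget/v3/choco" -u="$($cred.UserName)" -p="$repoToken"

# Optional (option 3 from the answer): also put vault.exe on the box for later scripts.
# $vaultExe = Install-VaultBinary -Version $VaultVersion -Sha256 $ExpectedSha256
```

The ordering is the point: Vault is reached first with built-in cmdlets and the user's own login, the repo token never touches the NAS, GitHub or the disk, the Vault token is revoked right after the single read, and only then are Choco and Nuget fetched from the authenticated feed. If you later want `vault.exe` on every machine, the same pinned-hash download does the job without a GPG install.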