How to login with different user credential while creating GCE instance using powershell startup script


I am trying the following --> creating a GCE instance via gcloud cmds

  • As metadata I am providing ps1 scripts which create a user and add it to the required domain
  • Once the user is created I need to use that user's credentials and run a few commands as administrator

This all needs to be done via metadata scripts (startup script, PowerShell script).

I know we can directly run basic cmds without an administrator user directly in the metadata script.

How to use the script via metadata?

Tried below

but not able to connect using those credentials

Any help appreciated!!

vikesh On BEST ANSWER

Here is what I did to achieve this:

We can use a GCP system preparation script and startup script to achieve our goal.

  1. In the main terraform, create a Unix VM

    • Use a remote-exec resource to run the Unix script mentioned in step 2 on that VM.
  2. Prepared a Unix script which does all the steps below.

    a. Write code to set up the following using gcloud

    • Use gcloud cmds to create DNS
    • Set up a service account for the VM
    • Enable the Managed AD API
    • Create Microsoft AD
    • Set up a password for the AD domain using gcloud

    b. System preparation script. (We are preparing this ps1 PowerShell script in the above .sh script by using the cat cmd)

    • Set up a ps1 script to make the local user an administrator ([adsi]"WinNT://...").

      eg. $computerName  = $env:COMPUTERNAME          # local machine name for the WinNT provider path
          $adminPassword = "Type Password here"
          $adminUser     = [ADSI] "WinNT://$computerName/Administrator"
          $adminUser.SetPassword($adminPassword)
      
    • Disable the consent prompt behavior via the Windows registry

         Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 -Force
      
    • Install ADFS and other necessary tools.

    c. Startup script (PowerShell script)

    • Pass the credentials created in 2.a (Set up a password for the AD domain using gcloud) in this script to add the Windows VM to the domain created earlier.

    • Enable CredSSP

    • Log in to the Windows VM using the above credentials; you can refer to the PowerShell cmds mentioned below

      $remotesession = New-PSSession -ComputerName localhost -Credential $credential_set -Authentication Credssp
      
      Use Invoke-Command -Session $remotesession -ScriptBlock { }
      
    • You can write code to achieve your task as you are logged in to the Windows VM as administrator.

    d. Once the above two scripts are done.

    • Write a gcloud cmd to create the Windows VM and pass the above
      • 2.b System preparation script and
      • 2.c Startup script as metadata

Ref links:--

https://cloud.google.com/managed-microsoft-ad/docs/deploy-adfs

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.3

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.3

https://learn.microsoft.com/en-us/powershell/module/microsoft.wsman.management/enable-wsmancredssp?view=powershell-7.3

https://cloud.google.com/compute/docs/instances/startup-scripts/windows

Note: You need to install all necessary tools to set up the domain configuration in the Windows VM, like the ADFS tool etc.
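The startup script from step 2.c, put together end to end as an added example (this is not the answerer's code). It joins the VM to the domain with the credentials set up in 2.a, enables CredSSP, and runs the privileged work through a CredSSP session to localhost. The domain name `example.corp`, the account `setupadmin`, the custom metadata attribute `domain-join-password`, and the `ADFS-Federation` feature install are assumptions chosen for illustration; the metadata server URL and header are the standard GCE ones.

```powershell
# Added example: GCE Windows startup script (metadata key windows-startup-script-ps1)
# that joins the managed AD domain and then runs commands as the domain admin
# over a CredSSP-authenticated PSSession to localhost.
# Assumed values: domain 'example.corp', account 'setupadmin', and a custom
# instance metadata attribute 'domain-join-password' holding the password from 2.a.

$ErrorActionPreference = 'Stop'
$domain   = 'example.corp'                    # assumed: domain created in step 2.a
$userName = "$domain\setupadmin"              # assumed: account with local admin rights on the VM

# Read the password from instance metadata (assumed attribute name).
$metadataUri = 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/domain-join-password'
$plainPassword  = (Invoke-RestMethod -Uri $metadataUri -Headers @{ 'Metadata-Flavor' = 'Google' }).Trim()
$securePassword = ConvertTo-SecureString -String $plainPassword -AsPlainText -Force
$credential     = New-Object System.Management.Automation.PSCredential ($userName, $securePassword)

# Startup scripts run on every boot, so join the domain only if not already joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Add-Computer -DomainName $domain -Credential $credential -Force
    Restart-Computer -Force        # the script runs again after reboot and takes the else path
    return
}

# Enable CredSSP for the loopback session: this VM is both server and client.
Enable-WSManCredSSP -Role Server -Force | Out-Null
Enable-WSManCredSSP -Role Client -DelegateComputer 'localhost' -Force | Out-Null

# Open the session as the domain account and run the privileged work inside it.
$remotesession = New-PSSession -ComputerName localhost -Credential $credential -Authentication Credssp
try {
    Invoke-Command -Session $remotesession -ScriptBlock {
        # Runs under the delegated domain credential, not the SYSTEM account of the startup script.
        whoami
        Install-WindowsFeature -Name ADFS-Federation -IncludeManagementTools   # assumed tool from the Note above
    }
}
finally {
    # Tear the session down and switch delegation back off once the work is finished.
    Remove-PSSession -Session $remotesession
    Disable-WSManCredSSP -Role Client
    Disable-WSManCredSSP -Role Server
}
```

The `PartOfDomain` check matters because the metadata startup script re-runs on every boot, including the reboot that completes the domain join; without it the script would try to join again. CredSSP is enabled only for the duration of the session and disabled in the `finally` block, so credential delegation is not left switched on after the setup work completes.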