How to provision a machine with sensitive data
To mark data as sensitive, you enclose each sensitive value in a prefix and suffix. The following example shows how to provision a new machine with sensitive values such as custom properties and a remote access password. The machine is also provisioned with a project that includes an encrypted custom property, so that the custom property is added to the machine.
- In Cloud Assembly, create a cloud account. Add a cloud zone to the cloud account and add a flavor mapping and image mapping to the cloud zone.
- In your browser or HTTP client application, verify that all general prerequisites and prerequisites for the Cloud Assembly Infrastructure as a Service (IaaS) service have been satisfied. See Prerequisites for API Use Case Examples.
- Create a project with the cloud zone that you created using the Cloud Assembly UI. Include a sensitive custom property for the Active Directory (AD) password. In this way, when users related to the project provision resources with the project, they have the same AD password.
The following example shows the AD password enclosed with the ((sensitive: prefix and the )) suffix to mark it as sensitive.
    curl -X POST \
      "$url/iaas/api/projects?apiVersion=$api_version" \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{
        "name": "example-project",
        "customProperties": {
          "activeDirectoryPassword": "((sensitive:My-password123!))"
        }
      }' | jq "."
A snippet of the response lists the project ID.
    ...
    "name": "example-project",
    "description": "This is an example project",
    "id": "5944aacb-91de-4541-bb9e-ef2a5403f81b",
    "organizationId": "8327d53f-91ea-420a-8613-ba8f3149db95",
    ...
- Provision a virtual machine with sensitive data.
The following example includes the custom property costCenterPassword and a password for remote access, with both values marked as sensitive using the ((sensitive: prefix and the )) suffix. The request body also includes the ID of the project with the encrypted AD password.
    curl -X POST \
      "$url/iaas/api/machines?apiVersion=$api_version" \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{
        "name": "example-vm",
        "image": "ubuntu",
        "flavor": "small",
        "projectId": "5944aacb-91de-4541-bb9e-ef2a5403f81b",
        "customProperties": {
          "costCenterPassword": "((sensitive:Pass4costCtr$$$))"
        },
        "remoteAccess": {
          "authentication": "usernamePassword",
          "username": "example-user",
          "password": "((sensitive:example-sensitive-pass!123))"
        }
      }' | jq "."
Note: The password for remote access is marked sensitive here as an example. If left unmarked, the remote access password is still encrypted, because it is sensitive by default.
- After successfully provisioning the machine, issue a GET /iaas/api/machines request to obtain information about the machine. In a snippet of the response, the values of the custom property costCenterPassword and of the remote access password are encrypted and appear with the ((secret:v1: prefix, as in the following example.
    ...
    "customProperties": {
      ...
      "costCenterPassword": "((secret:v1:AAHeSZhRynh8+NSdswAdsfdsgSDffhbfh))",
      ...
    },
    ...
    "bootConfig": {
      "content": "#cloud-config\nusers:\n- default\n- name: example-user\n ...\n passwd: ((secret:v1:AAFPdqFQBiJbGKdklseiHSN28ckjSghjngj))\n..."
    }
    ...
vRealize Automation Cloud converts the remote access information in the request into a cloud-config script in the response. The encrypted password appears in the content value of bootConfig.
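As an added example that is not part of the vRealize Automation documentation, the following Python script builds the machine request body from this page with the ((sensitive: markers and then audits a GET response (a constructed sample shaped like the snippet above) to confirm that nothing marked sensitive came back in plain text or still carrying the request marker; the function names are assumptions of this example, not API names.

```python
import json

SENSITIVE_PREFIX, SUFFIX = "((sensitive:", "))"   # request markers from this page

def mark_sensitive(value: str) -> str:
    """Wrap a plain-text value in the ((sensitive: ... )) request markers."""
    if SUFFIX in value:
        raise ValueError("value must not contain the '))' suffix")
    return f"{SENSITIVE_PREFIX}{value}{SUFFIX}"

def build_machine_request(project_id: str, cost_center_pw: str, remote_pw: str) -> str:
    """Return the POST /iaas/api/machines body shown on this page as valid JSON."""
    return json.dumps({
        "name": "example-vm", "image": "ubuntu", "flavor": "small",
        "projectId": project_id,
        "customProperties": {"costCenterPassword": mark_sensitive(cost_center_pw)},
        "remoteAccess": {"authentication": "usernamePassword",
                         "username": "example-user",
                         "password": mark_sensitive(remote_pw)},
    })

def _string_leaves(obj, path=""):
    # Yield (json_path, value) for every string anywhere in a parsed JSON document.
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _string_leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _string_leaves(val, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj

def audit_response(request_json: str, response_json: str) -> list:
    """List every place the response exposes a value the request marked sensitive."""
    plaintexts = [s[len(SENSITIVE_PREFIX):-len(SUFFIX)]
                  for _, s in _string_leaves(json.loads(request_json))
                  if s.startswith(SENSITIVE_PREFIX) and s.endswith(SUFFIX)]
    findings = []
    for path, s in _string_leaves(json.loads(response_json)):
        if SENSITIVE_PREFIX in s:   # stored with the request marker, i.e. never encrypted
            findings.append(f"{path}: sensitive marker stored unencrypted")
        if any(pt in s for pt in plaintexts):   # also catches cloud-config leaks in bootConfig
            findings.append(f"{path}: plain-text secret exposed")
    return findings

# Constructed sample in the shape of the GET /iaas/api/machines response on this page.
SAMPLE_RESPONSE = json.dumps({
    "customProperties": {"costCenterPassword": "((secret:v1:AAHeSZhRynh8+NSdswAdsfdsgSDffhbfh))"},
    "bootConfig": {"content": "#cloud-config\nusers:\n- name: example-user\n"
                              "  passwd: ((secret:v1:AAFPdqFQBiJbGKdklseiHSN28ckjSghjngj))\n"}})
```

Run audit_response against the real GET response after provisioning; an empty list means every marked value was returned only in its ((secret:v1: form.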
Verify that the remote access password works
Even though the password is encrypted in the vRealize Automation Cloud database, you can use the user name and plain text password from the request to log in to the machine, because the password is decrypted before it is sent to the cloud.
Use the IP address of the machine, such as 192.168.12.1234, and the user name, such as example-user. Log in to the remote machine with:
    $ ssh example-user@192.168.12.1234
When prompted for the password, copy and paste the plain text password from the request, for example example-sensitive-pass!123. A successful login verifies that the machine was provisioned with the remote access password provided in the request.