PowerShell script exchange
edirschedl
Enthusiast
Posts: 44
Liked: 4 times
Joined: Jul 21, 2016 12:29 pm
Full Name: Emanuel Dirschedl

Remove unused credentials from VEEAM server automatically

Post by edirschedl »

Hello,

I'm looking for a possibility to delete all unused credentials saved within VEEAM server automatically because of security reasons.
I know this article to do this with the help of the GUI: https://www.veeam.com/kb3224#:~:text=Qu ... pliance%22
But is there any PowerShell approach to do this?

Thank you!
oleg.feoktistov
Veeam Software
Posts: 2010
Liked: 669 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov

Re: Remove unused credentials from VEEAM server automatically

Post by oleg.feoktistov » 4 people like this post

Hi Emanuel,

Every once in a while I perform cleaning activity in my lab using this script:

```powershell
# Attempt to remove every saved credential record; records that are in use are expected to throw.
$creds = Get-VBRCredentials
foreach ($cred in $creds) {
  try {
    Remove-VBRCredentials -Credential $cred -ErrorAction SilentlyContinue
    Write-Host "Credentials $($cred.Name) were deleted successfully" -ForegroundColor Green
  }
  catch [System.OperationCanceledException], [Veeam.Backup.Powershell.Cmdlets.RemoveVBRCredentials] {
    # Reached only for the listed error types, raised when the credential is used by a VBR entity.
    Write-Host "Credentials $($cred.Name) are being used and cannot be deleted" -ForegroundColor Red
  }
}
```

It catches errors of precise types, which are thrown if credentials are being used in any VBR entity.
If such an error is thrown, the script writes a custom message to the console and continues checking the next records. If no error is thrown, it deletes a credential and logs success.

Just to note - this cleaner script removes records based solely on the criteria of whether the error is thrown or not (it might be that these errors are thrown due to other reasons). A more extensive and complex way with advanced logging would be to query every entity in your VBR infrastructure and check whether a particular credential is being used there before even sending the removal command. I can script an example if you want, but if you just need a basic cleaning of unused creds, the code above should do the job.

Hope it helps,
Oleg

Re: Remove unused credentials from VEEAM server automatically

Post by edirschedl »

Hi Oleg,

Sadly the script has deleted some of my productive credentials for dedupe appliances (StoreOnce and DataDomains were both affected). For other credential types I haven't seen any issues so far. I don't know why it was possible to delete these credentials; on my test server everything was OK. So finally I can't recommend running this script without any further checks or similar.

Re: Remove unused credentials from VEEAM server automatically

Post by oleg.feoktistov »

Hi Emanuel,

Sorry to hear that your production credentials have been deleted by the script. Apologies, I must have missed the case with creds for DataDomain and StoreOnce as they are rare guests in my infrastructure. I did rely, however, on the way it should work both through the UI and PowerShell: if credentials are used for any backup infrastructure entity, VBR throws the exception the script above is written to catch. With StoreOnce and DataDomain no error is thrown via PowerShell, and they can be deleted successfully. That's definitely a bug, so I reported it to QA. And though I don't see any PowerShell or .NET workaround for these types, I do recommend using the credentials description as an exception criterion and controlling records related to DataDomain and StoreOnce manually for now (in the UI it works as intended).

Thanks for your feedback,
Oleg
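
One way to apply the description-based exception suggested above, as an added example that is not code from the thread or from Veeam: it skips any credential whose description matches a protected pattern, defaults to a dry run, and treats every removal error as "keep". The function name, its parameters, the patterns, the sample records and the reliance on a `Description` property on the credential objects are assumptions.

```powershell
# Added example (hypothetical helper). Assumes credential objects expose Name and
# Description, and that appliance records are labelled in their description.
function Remove-UnusedVbrCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Credential,
        # Descriptions matching any of these regex patterns are never sent for removal.
        [string[]] $ProtectedPattern = @('Data\s*Domain', 'StoreOnce'),
        # Without -Commit the function only reports what it would do.
        [switch] $Commit
    )
    foreach ($cred in $Credential) {
        $result = [pscustomobject]@{ Name = $cred.Name; Description = $cred.Description; Action = $null }
        $hit = $ProtectedPattern | Where-Object { "$($cred.Description)" -match $_ } | Select-Object -First 1
        if ($hit) {
            $result.Action = "Skipped (description matches '$hit')"
        }
        elseif (-not $Commit) {
            $result.Action = 'Would attempt removal'
        }
        else {
            try {
                # -ErrorAction Stop routes every failure to catch, so nothing is logged as removed by mistake.
                Remove-VBRCredentials -Credential $cred -ErrorAction Stop
                $result.Action = 'Removed'
            }
            catch {
                $result.Action = "Kept: $($_.Exception.Message)"
            }
        }
        $result   # one record per credential, suitable for Export-Csv
    }
}

# Constructed sample records, so the dry run works without a VBR server:
$sample = @(
    [pscustomobject]@{ Name = 'svc-catalyst'; Description = 'StoreOnce Catalyst user' }
    [pscustomobject]@{ Name = 'ddboost';      Description = 'Data Domain DD Boost' }
    [pscustomobject]@{ Name = 'old-admin';    Description = 'decommissioned ESXi host' }
)
Remove-UnusedVbrCredential -Credential $sample | Format-Table -AutoSize

# On a VBR server: review the dry-run output first, then add -Commit.
# Remove-UnusedVbrCredential -Credential (Get-VBRCredentials) -Commit |
#     Export-Csv .\credential-cleanup.csv -NoTypeInformation
```

The filter protects only records whose description actually names the appliance, so descriptions need to be checked in the UI before the first committed run.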

Re: Remove unused credentials from VEEAM server automatically

Post by edirschedl »

Hey Oleg,

Thanks for redirecting this bug! Yeah I saw that it's asking in the GUI, also for the Data Domain and StoreOnce systems. Your suggestion is fine for me for the moment.

Regards,
Emanuel