Advance with Assist shares quick solutions to common challenges encountered by the InterWorks Assist on-demand team.

Question: I need to script tabcmd commands but can’t leave passwords in plaintext inside scripts! How can I script tabcmd commands securely?

The Challenge

Tabcmd requires a username and a password passed to it in order to log into a Tableau Server site. While this is fine for running interactively, it presents security problems when it’s time to make the leap to scripting with tabcmd. It’s poor form to leave plaintext passwords laying around in scripts, so we’ll use some built-in utilities in Microsoft PowerShell to encrypt a password and store it in the filesystem. We’ll then retrieve it and decrypt it in the PowerShell script that contains the tabcmd commands we want to run. This solution is cross-platform and runs just fine on Linux, too (after installing PowerShell on Linux and with some light editing to remove the .exe extension)!

The Solution

1. Download the attached zip file and extract it.
2. Edit the tabcmd-playbook.ps1 file in your favorite text editor. I prefer Visual Studio Code, but anything works!
3. Adjust the values for $serverURL, $siteID, and $tabcmdPath to match your environment.
4. Add whatever tabcmd commands you wish. Save the file.
5. The encryption is user-specific. Make sure you’re logged in as the user that will be executing the tabcmd-playbook.ps1 file.
6. Depending on your system settings, you may need to run the PowerShell cmdlets Unblock-File and/or Set-ExecutionPolicy to allow downloaded scripts to run.
7. Open PowerShell and run the encrypt-password.ps1 script. It will prompt for a username and password. These will be stored in the same directory the script is in. The username is stored in plaintext, and the password is stored encrypted. This step only needs to be repeated when the user’s password changes.
8. Execute tabcmd-playbook.ps1 and confirm your tabcmd commands run as expected.
9. Schedule (or whatever!) the tabcmd-playbook.ps1 script, making sure the Run-As user is the same user you were logged in as when you encrypted the password.

Here’s an example of what it looks like: