To mark data as sensitive, you enclose the value in a prefix and suffix. The following example shows how to provision a new machine with sensitive values such as custom properties and a remote access password. The machine is also provisioned with a project that includes an encrypted custom property, so that the custom property is added to the machine.

  1. In Cloud Assembly, create a cloud account. Add a cloud zone to the cloud account and add a flavor mapping and image mapping to the cloud zone.
  2. In your browser or HTTP client application, verify that all general prerequisites have been satisfied. See Prerequisites for working with the Cloud Assembly APIs.
  3. Create a project with the cloud zone that you created using the Cloud Assembly UI. Include a sensitive custom property for the Active Directory (AD) password. In this way, when users associated with the project provision resources with the project, they all get the same AD password.

    The following example shows the AD password enclosed with the ((sensitive: prefix and the )) suffix to mark it as sensitive.

    curl -X POST \
      "$url/iaas/api/projects?apiVersion=$api_version" \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{
          "name" : "example-project",
          "customProperties": {
               "activeDirectoryPassword":"((sensitive:My-password123!))"
          }
      }' | jq "."

    A snippet of the response lists the project ID.

    ...
      "name": "example-project",
      "description": "This is an example project",
      "id": "5944aacb-91de-4541-bb9e-ef2a5403f81b",
      "organizationId": "8327d53f-91ea-420a-8613-ba8f3149db95",
    ...
  4. Provision a virtual machine with sensitive data.

    The following example includes the custom property costCenterPassword and a password for remote access, with values that are both marked as sensitive using the ((sensitive: prefix and the )) suffix. The request body also includes the ID of the project with the encrypted AD password.

    curl -X POST \
      "$url/iaas/api/machines?apiVersion=$api_version" \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer $access_token" \
      -d '{
          "name" : "example-vm",
          "image" : "ubuntu",
          "flavor" : "small",
          "projectId" : "5944aacb-91de-4541-bb9e-ef2a5403f81b",
          "customProperties": {
               "costCenterPassword":"((sensitive:Pass4costCtr$$$))"
          },
          "remoteAccess": {
               "authentication":"usernamePassword",
               "username":"example-user",
               "password":"((sensitive:example-sensitive-pass!123))"
          }
      }' | jq "."

    Note: The password for remote access is marked sensitive as an example. If left unmarked, the remote access password is still encrypted because it is sensitive by default.
  5. After successfully provisioning the machine, issue a GET /iaas/api/machines request to obtain information about the machine.

    In a snippet of the response, the values for the custom property costCenterPassword and the remote access password are encrypted and appear in their encrypted form with the ((secret:v1: prefix, as in the following example.

    ...
    "customProperties": {
        ...
        "costCenterPassword": "((secret:v1:AAHeSZhRynh8+NSdswAdsfdsgSDffhbfh))",
        ...
    },
    ...
    "bootConfig": {
       "content": "#cloud-config\nusers:\n- default\n- name: example-user\n ...\n passwd: ((secret:v1:AAFPdqFQBiJbGKdklseiHSN28ckjSghjngj))\n..."
    }
    ...

    vRealize Automation converts the remote access information in the request into a cloud-config script in the response. The encrypted password appears in the content value of bootConfig.
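The following Python helper is an added example, not code from VMware or this documentation. It builds a machine request body with the ((sensitive: prefix and )) suffix applied to secret-looking custom properties and to the remote access password, and it checks a GET /iaas/api/machines response to confirm that those values came back in the ((secret:v1: form rather than in plain text. The key-name pattern, the function names and the sample response are assumptions made for the example.

```python
import re

SENSITIVE_PREFIX = "((sensitive:"
SECRET_PREFIX = "((secret:v1:"
SUFFIX = "))"
# Assumed convention: keys that look like credentials must be marked sensitive.
SECRET_KEY = re.compile(r"password|passwd|secret|token", re.I)


def mark_sensitive(value: str) -> str:
    """Wrap a plain value with the ((sensitive: prefix and )) suffix; never double-wrap."""
    if value.startswith(SENSITIVE_PREFIX) and value.endswith(SUFFIX):
        return value
    return f"{SENSITIVE_PREFIX}{value}{SUFFIX}"


def is_encrypted(value) -> bool:
    """True when the value is in the stored ((secret:v1:...)) form returned by GET."""
    return isinstance(value, str) and value.startswith(SECRET_PREFIX) and value.endswith(SUFFIX)


def build_machine_request(name, image, flavor, project_id, custom_properties, remote_access=None):
    """Build a POST /iaas/api/machines body, marking secret-looking properties and the remote access password."""
    props = {k: mark_sensitive(v) if SECRET_KEY.search(k) else v for k, v in custom_properties.items()}
    body = {"name": name, "image": image, "flavor": flavor, "projectId": project_id, "customProperties": props}
    if remote_access is not None:
        ra = dict(remote_access)
        if "password" in ra:
            ra["password"] = mark_sensitive(ra["password"])
        body["remoteAccess"] = ra
    return body


def leaked_secrets(machine: dict) -> list:
    """Scan a GET /iaas/api/machines response for secret-looking values that are not encrypted."""
    leaks = []
    for key, value in machine.get("customProperties", {}).items():
        if SECRET_KEY.search(key) and not is_encrypted(value):
            leaks.append(f"customProperties.{key}")
    # The remote access password is rendered into the cloud-config passwd line of bootConfig.
    content = machine.get("bootConfig", {}).get("content", "")
    for match in re.finditer(r"passwd:\s*(\S+)", content):
        if not is_encrypted(match.group(1)):
            leaks.append("bootConfig.content passwd")
    return leaks


# Constructed sample response that mirrors the snippet above; not real API output.
SAMPLE_RESPONSE = {
    "customProperties": {"costCenterPassword": "((secret:v1:AAHeSZhRynh8+NSdswAdsfdsgSDffhbfh))", "region": "us"},
    "bootConfig": {"content": "#cloud-config\nusers:\n- name: example-user\n  passwd: ((secret:v1:AAFPdqFQBiJbGKdklseiHSN28ckjSghjngj))\n"},
}
```

Run leaked_secrets against the real GET response after provisioning; an empty list means every credential was stored and rendered in its encrypted form.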

Verify that the remote access password works

Even though the password is encrypted in the vRealize Automation database, you can use the user name and plain text password from the request to log in to the machine because the password is decrypted before it is sent to the cloud.

Note: You can verify that your remote access password works only if the cloud provider allows remote access. For example, Azure might allow remote access while GCP or AWS might not.

To test your password, use the IP address of the newly provisioned machine, such as 192.168.12.1234, and the user name, such as example-user. Log in to the remote machine with:

$ ssh example-user@192.168.12.1234

When prompted for the password, copy and paste the plain text password from the request, in this example example-sensitive-pass!123. A successful login verifies that the machine was provisioned with the remote access password provided in the request.