I have a PowerShell script that I wrote that does a nifty job of setting changes in a JSON config file.
It would be more convenient as a runbook for SREs. So, Jane has a need to change a production setting in several places and uses the runbook to accomplish this.
The runbook is a script that points to a specific server where a specific service is running and whose config needs to be updated.
My thinking was to deploy the script to a single tentacle server called ABC. ABC runs under a Windows domain service account. That account would execute the script, which uses Invoke-Command on the target server where the configuration sits.
ABC server becomes a kind of de facto tentacle for doing targeted script-based chores.
However, I’ve discovered this doesn’t work in practice because of permission issues. PowerShell running on ABC that uses an invocation on server XYZ gets access denied. (I am assuming that the service account under which the tentacle is running has local rights to XYZ, etc.)
I could create a bunch of roles for specific tasks and dole them out to servers, but this would be a real headache. I just want an ABC server that can execute PowerShell scripts that can touch other machines for things like configuration updates, service stops/restarts, etc.
Is anyone out there doing this type of thing or am I just barking up the wrong tree?