SSIS: Unable to access sensitive parameter in script task using GetSensitiveValue() in DontSaveSensitive mode
Running SQL Server 2014. I am following the instructions on the following web-link:
https://www.hansmichiels.com/2016/11/19/using-sensitive-parameters-ssis-series/
Basically, I don't think what has been posted on this site is correct. The author contends that a package can be set to 'DontSaveSensitive' while being able to access to parameters that are set to sensitive. Whenever I try this, I get a blank value in the GetSensitiveValue() function and the package just runs continuously. Just for grins, I deployed the package to the server and set the sensitive environment variables, but the package continued to run continuously.
The package runs successfully when it is set to 'EncryptSensitiveWithUserKey'.
TL,DR
Is it possible to access parameter values in a C# script task where the package is set to 'DontSaveSensitive' or do I have to 'EncryptSensitiveWithUserKey'?
Update: All three variables below are selected as read-only but return blank during debug. Note: the parameter values are populated with data.
public void Main()
{
// Variable declaration(s).
string strSftpUserName = (string)Dts.Variables["$Package::SftpUserName"].GetSensitiveValue();
string strSftpPassword = (string)Dts.Variables["$Package::SftpPassword"].GetSensitiveValue();
string strSshHostKeyFingerprint = (string)Dts.Variables["$Package::SftpSshHostKeyFingerprint"].GetSensitiveValue();
// Setup session options.
SessionOptions sessionOptions = new SessionOptions
{
// Set session options here.
};
try
{
using (Session session = new Session())
{
// Do something here.
}
Dts.TaskResult = (int)ScriptResults.Success;
}
catch (Exception ex)
{
// Print results to SSIS log.
Dts.Events.FireError(0, strTaskName, ex.Message, null, 0);
// Something went wrong, report a failure.
Dts.TaskResult = (int)ScriptResults.Failure;
}
}
Solution 1:
I figured it out. The short story is that the parameter must be set to sensitive, the parameter value must be retrieved with GetSensitiveValue(), and both the package and project have to be encrypted via the ProtectionLevel. I chose to EncryptWithUserKey. Next is to create sensitive environment variables that are then mapped to the package parameters. Final point (which I was missing), the package has to be compiled under the proxy account that is used to run the package.
https://docs.microsoft.com/en-us/sql/integration-services/security/access-control-for-sensitive-data-in-packages?view=sql-server-2017