I am trying to determine if this is just a dead-end of an approach. I have a fairly convoluted deployment workflow whereby various actors test a given MXD and deploy to varied AGS servers. As the trustee of the MXD I have little direct control over these resources though I can make suggestions. One approach which has worked okay with registered folders is to have a common AGS data store name that everyone agrees represents a project's data source. Each AGS server can set this up as needed under the rubric of that name. Then I have an ArcPy deployment script that I provide to these folks that (via an administrator connection) reads the data store publisher folder location and swaps the correct folder path in the MXD before deploying to AGS. This works okay.
Ideally it would be grand to do the same with SDE connections. However as one might expect the management of the passwords is the issue. As the AGS administrator, one can run arcpy.ListDataStoreItems and get the SDE credentials for a given data store (only interested here in publisher). But the password is returned as "ENCRYPTED_PASSWORD". In the current security model for 10.2.2 is there any arcpy method whereby I can take that encrypted password and create a new SDE connection with it to then install into a MXD?
When using arcpy.CreateArcSDEConnectionFile_management it wants the clear text version of the password and not the encrypted text string. Is there a way to provide this method the encrypted string or am I just going off into dodgy security territory? I have no need of the actual password itself but I suppose I am moving the credential out of AGS and into the MXD (just for the deployment) and I can see that might be a tad insecure. However, as this is run through an AGS administrator connection I would think that is within my scope. I am not quite sure.
Any feedback would be appreciated.