DEV Community

Antonio Di Motta

PowerShell Secret Management

A secrets manager is the right place to store and access secrets: anything you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

All major cloud providers offer a secrets management service, for instance Azure Key Vault and AWS Secrets Manager. These services are usually managed through the web portal or the provider's CLI.

Another way to manage secrets is the PowerShell SecretManagement module. The following description is taken directly from its GitHub repository:

"PowerShell SecretManagement module provides a convenient way for a user to store and retrieve secrets. The secrets are stored in SecretManagement extension vaults. An extension vault is a PowerShell module that has been registered to SecretManagement. An extension vault can store secrets locally or remotely. Extension vaults are registered to the current logged in user context, and will be available only to that user (unless also registered to other users)."

Now I'm going to describe how to manage secrets stored in Azure Key Vault from PowerShell.

Step 1, install the required modules:

# install secretmanagement module
PS > Install-Module -Name Microsoft.PowerShell.SecretManagement

# install extension vault provider for Azure KeyVault
PS > Install-Module -Name Az.KeyVault

# tip: find the extension vault providers available on the PowerShell Gallery
PS > Find-Module -Tag "SecretManagement"

Step 2, register the extension vault for the current user. The Az.KeyVault extension uses your current Az context, so run Connect-AzAccount first, with an identity that is allowed to read and write secrets in that Key Vault:

PS > $subId = "<<keyvault-subscriptionid>>"
PS > $vaultName = "<<keyvault-name>>"
PS > Register-SecretVault -Name myAzKV -ModuleName Az.KeyVault -VaultParameters @{AZKVaultName=$vaultName;SubscriptionId=$subId}

# tip: list the registered extension vaults (there can be more than one; the first vault you register becomes the default)
PS > Get-SecretVault

Name   ModuleName  IsDefaultVault
----   ----------  --------------
myAzKV Az.KeyVault True

Step 3, list the secrets currently stored in the registered extension vault:

# get list of secrets
PS > Get-SecretInfo

Name    Type     VaultName
----    ----     ---------
key1    Unknown  myAzKV
key2    Unknown  myAzKV

Step 4, store a new secret. With no -Secret or -SecureStringSecret argument, Set-Secret prompts for the value, so the secret never ends up in your command history:

PS > Set-Secret key3 -Vault myAzKV
cmdlet Set-Secret at command pipeline position 1
Supply values for the following parameters:
SecureStringSecret: ***********

# tip: add metadata to the secret (when -Vault is omitted, Set-SecretInfo targets the default vault)
PS > Set-SecretInfo key3 -Metadata @{"purpose"="demo"}

Step 5, retrieve the contents of a secret. Note that -AsPlainText writes the value to the console and to any transcript; omit it to get a SecureString instead:

# get secret contents
PS > Get-Secret key3 -AsPlainText -vault myAzKV
Hello World
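The five steps above are usually wrapped into a script rather than typed one by one. The following is an added example, not code from the original post or from the SecretManagement project: it checks that the vault is registered and reachable, rotates a secret from a masked prompt, and hands the secret to the caller as a PSCredential so the value is never written to the console, the history file or a transcript. It assumes the vault was registered as myAzKV (Step 2), that Connect-AzAccount has already been run, and that the caller can get and set secrets in that Key Vault; the secret name sqlPassword and the user name app_user are placeholders chosen for this example.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, Az.KeyVault

# Added example (not from the original post). Assumes: vault registered as 'myAzKV',
# Connect-AzAccount already run, and get/set permission on secrets in that vault.
# 'sqlPassword' and 'app_user' are placeholder names.

function Assert-SecretVaultReady {
    param([Parameter(Mandatory)] [string] $VaultName)

    # Registration is per user: a script running under another account will not see the vault.
    if (-not (Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue)) {
        throw "Secret vault '$VaultName' is not registered for $([Environment]::UserName); run Register-SecretVault first."
    }
    # Test-SecretVault runs the extension's own health check; for Az.KeyVault it fails
    # when there is no Az context or the identity cannot reach the vault.
    if (-not (Test-SecretVault -Name $VaultName)) {
        throw "Secret vault '$VaultName' failed its health check; are you logged in with Connect-AzAccount?"
    }
}

function Get-VaultCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $UserName,
        [string] $VaultName = 'myAzKV'
    )
    Assert-SecretVaultReady -VaultName $VaultName

    # Without -AsPlainText, string secrets come back as SecureString, so the value
    # does not appear in console output, the history file or a transcript.
    $secure = Get-Secret -Name $SecretName -Vault $VaultName
    if ($secure -isnot [securestring]) {
        throw "Secret '$SecretName' is not a string secret (got $($secure.GetType().Name))."
    }
    [pscredential]::new($UserName, $secure)
}

function Set-VaultSecretInteractive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SecretName,
        [hashtable] $Metadata = @{},
        [string] $VaultName = 'myAzKV'
    )
    Assert-SecretVaultReady -VaultName $VaultName

    # Read-Host -AsSecureString masks the input and keeps the value out of history.
    $secure = Read-Host -Prompt "Value for '$SecretName'" -AsSecureString

    # Record who rotated the secret and when, as Key Vault tags (metadata values must be strings).
    $Metadata['updatedBy'] = [Environment]::UserName
    $Metadata['updatedAt'] = (Get-Date).ToString('o')
    Set-Secret -Name $SecretName -SecureStringSecret $secure -Vault $VaultName -Metadata $Metadata

    # Return the stored metadata, never the value.
    Get-SecretInfo -Name $SecretName -Vault $VaultName | Select-Object Name, Type, VaultName, Metadata
}

# Usage: rotate the secret, then consume it as a credential without ever printing it.
Set-VaultSecretInteractive -SecretName 'sqlPassword' -Metadata @{ purpose = 'demo' }
$cred = Get-VaultCredential -SecretName 'sqlPassword' -UserName 'app_user'
$cred.UserName    # app_user
$cred.Password    # a SecureString, not the secret text
```

The PSCredential can be passed straight to any cmdlet that takes -Credential (Invoke-Sqlcmd, Invoke-RestMethod, New-PSSession and so on), which is the point: the script that needs the secret never has to hold or log its plain-text form, and the only place the value is visible is inside Key Vault, where access is audited.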

Thanks for reading!
