joshcorr / secretmanagement.hashicorp.vault.kv
A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
License: MIT License
Hello.
How to troubleshoot a Test-SecretVault issue?
We're using HashiCorp Vault on the server side and your module on the client side.
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'xxx/yyy' -VaultParameters @{ VaultServer = 'https://server:8200'; VaultAuthType = 'LDAP'}
What kind of Name should be specified as the name of the vault? We're trying /personal/user, space/unit/secrets/*/ and other forms, but nothing is working.
Is your feature request related to a problem? Please describe.
Vault with self-signed certificates currently won't function.
Describe the solution you'd like
Allow a switch in the SecretVault config to bypass TLS checks. Can leverage the SkipCertificateCheck switch built into Invoke-RestMethod for 6.0 and above.
Describe alternatives you've considered
Tried some of the workarounds without luck, like:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }
Additional context
Installed on Windows 10 Pro:
SecretManagement.Hashicorp.Vault.KV/2.0.0
Microsoft.PowerShell.SecretStore/1.0.5
Vault 1.9.2.
PowerShell7
I have started Vault in DEV mode and only token authentication is set up.
Logging has revealed that there is a problem with System.DateTime conversion and Token's expiration datetime.
The whole debug report:
PS C:\Vault\SecretManagement.Hashicorp.Vault.KV> Test-SecretVault -VaultName secret -AdditionalParameters $additionalparameters -Verbose
VERBOSE: Grabbing token for secret
VERBOSE: Token Expired at 01/01/1600 00:00:00. Retieving a new token
PowerShell credential request
Please Enter the token
Password for user Token: **************************
VERBOSE: POST with 45-byte payload
VERBOSE: received 461-byte response of content type application/json
VERBOSE: Content encoding: utf-8
Exception: Cannot convert null to type "System.DateTime".
PS C:\Vault\SecretManagement.Hashicorp.Vault.KV> $error[0] | fl -force
Exception : System.Management.Automation.ArgumentTransformationMetadataException: Cannot convert null to type "System.DateTime".
 ---> System.Management.Automation.PSInvalidCastException: Cannot convert null to type "System.DateTime".
   at System.Management.Automation.LanguagePrimitives.ThrowInvalidCastException(Object valueToConvert, Type resultType)
   at System.Management.Automation.LanguagePrimitives.ConvertNoConversion(Object valueToConvert, Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
   at System.Management.Automation.LanguagePrimitives.ConversionData`1.Invoke(Object valueToConvert, Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
   at System.Management.Automation.LanguagePrimitives.ConvertTo(Object valueToConvert, Type resultType, Boolean recursion, IFormatProvider formatProvider, TypeTable backupTypeTable)
   at System.Management.Automation.ArgumentTypeConverterAttribute.Transform(EngineIntrinsics engineIntrinsics, Object inputData, Boolean bindingParameters, Boolean bindingScriptCmdlet)
   --- End of inner exception stack trace ---
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject :
CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
FullyQualifiedErrorId : RuntimeException
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at Invoke-VaultToken, C:\Vault\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 270
   at Test-SecretVault, C:\Vault\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 673
   at , : line 1
PipelineIterationInfo : {}
PSMessageDetails :
Expected behaviour: a valid token is retrieved and no datetime error happens.
Describe the bug
When running Unregister-SecretVault, "SecretManagement.Hashicorp.Vault.KV" is prompting for vault parameters just as when "Register-SecretVault" is run. This is not needed when Unregistering and seems like a bug.
Expected behavior
When running "Unregister-SecretVault", the defined vault should just get un-registered without the need to be prompted for data used during the actual registration step.
Additional context
The SecretVault is still unregistered as intended after leaving the prompted values empty, as seen in the screenshot.
When using userpass authentication in a Windows terminal, I noticed that the prompt for username/password is not provided. This is not the case in PowerShell 7 or PowerShell 5.1.
Can you provide more examples on general usage? I'm having trouble figuring out exactly how to access secrets.
Need to create unit and integration testing. This might require some research into an automated setup for vault in container so that we can run test cases.
There should be a way to check the life of a Token generated by an Authentication method so that if a user needs a new token the extension prompts them.
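For the null-expiry cast failure reported above and the token-lifetime check asked for here, the following is an added example (not the extension's own code). It assumes the field names of Vault's auth/token/lookup-self response (`expire_time`, `ttl`, `renewable` under `data`) and decides from `ttl`, the integer seconds remaining, rather than casting `expire_time` to [datetime], so a null value cannot throw:

```powershell
# Added example, not the extension's own code. Assumes the shape of Vault's
# auth/token/lookup-self response ("data" with expire_time, ttl, renewable) and
# uses ttl (seconds remaining, an integer) instead of casting expire_time to
# [datetime], so a null expire_time cannot throw.

# Constructed sample responses, trimmed to the fields used below.
$DevRootLookup = '{ "data": { "expire_time": null, "ttl": 0, "renewable": false } }'
$LdapLookup    = '{ "data": { "expire_time": "2022-03-01T10:55:00Z", "ttl": 2400, "renewable": true } }'

function Get-VaultTokenStatus {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $LookupJson,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        # Renew early so a request already in flight does not hit a 403.
        [int] $GraceSeconds = 60
    )
    $data = (ConvertFrom-Json -InputObject $LookupJson).data

    # Dev-mode root tokens and periodic tokens report expire_time = null and
    # ttl = 0: that means "never expires", not "expired at 01/01/1600".
    $neverExpires = [string]::IsNullOrEmpty($data.expire_time) -or [int64]$data.ttl -le 0

    # Expiry derived from ttl relative to $Now; expire_time is only null-checked.
    $expiresAt = if ($neverExpires) { $null } else { $Now.AddSeconds([int64]$data.ttl) }
    # -and short-circuits, so the subtraction never runs on a $null expiry.
    $needsRenewal = -not $neverExpires -and ($expiresAt - $Now).TotalSeconds -le $GraceSeconds

    [pscustomobject]@{
        NeverExpires = $neverExpires
        ExpiresAtUtc = $expiresAt
        Renewable    = [bool]$data.renewable
        NeedsRenewal = $needsRenewal
    }
}

# Usage: the root token never needs a new prompt; the LDAP token needs one
# only once fewer than $GraceSeconds remain.
Get-VaultTokenStatus -LookupJson $DevRootLookup
Get-VaultTokenStatus -LookupJson $LdapLookup
Get-VaultTokenStatus -LookupJson $LdapLookup -GraceSeconds 3600
```

An extension would call this after each authentication and again before each request, prompting for a new token only when NeedsRenewal is true.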
Error when unregistering vault
Unregister-SecretVault -Name secret
Unregister-SecretVault : A command that prompts the user failed because the host program or the command type does not
At line:1 char:1
+ Unregister-SecretVault -Name secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotImplemented: (:) [Unregister-SecretVault], HostException
+ FullyQualifiedErrorId : HostFunctionNotImplemented,Microsoft.PowerShell.SecretManagement.UnregisterSecretVaultCommand
Describe the bug
With a vault token in the configuration for the vault, all commands fail when trying to create a variable that already exists.
To Reproduce
Steps to reproduce the behavior:
# register vault
[hashtable]$VaultParameters = @{
    VaultServer   = $Address
    VaultToken    = ($Token | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString)
    VaultAuthType = 'RenewToken'
}
Register-SecretVault -AllowClobber -ModuleName SecretManagement.Hashicorp.Vault.KV -Name $Name -VaultParameters $VaultParameters
# test vault
Get-SecretVault -Name $Name | Test-SecretVault
Expected behavior
It should not crash.
Desktop (please complete the following information):
PSVersion 7.2.1
PSEdition Core
GitCommitId 7.2.1
OS Linux 5.16.11-arch1-1 #1 SMP PREEMPT Thu, 24 Feb 2022 02:18:20 +0000
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Additional context
Describe the bug
Cannot seem to set or retrieve any secrets in a Vault using AppRole authentication. Invoking Test-SecretVault fails with an error:
Exception : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault secret
 ---> System.Management.Automation.CmdletInvocationException: Input string was not in a correct format.
 ---> System.FormatException: Input string was not in a correct format.
   at System.Number.ThrowOverflowOrFormatException(ParsingStatus status, TypeCode type)
   at System.Byte.Parse(ReadOnlySpan`1 s, NumberStyles style, IFormatProvider provider)
   at Microsoft.PowerShell.SecureStringHelper.ByteArrayFromString(String s)
   at Microsoft.PowerShell.SecureStringHelper.Unprotect(String input)
   at Microsoft.PowerShell.Commands.ConvertToSecureStringCommand.ProcessRecord()
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
   --- End of inner exception stack trace ---
   at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
   at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
   at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
   at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
   at System.Management.Automation.PowerShell.Invoke()
   at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception& terminatingError) in D:\a_work\1\s\src\code\Utils.cs:line 1554
   --- End of inner exception stack trace ---
TargetObject : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at , : line 1
PipelineIterationInfo : {0, 1}
PSMessageDetails :
Invoking Register-SecretVault with the following commands:
[securestring]$secure_password = ConvertTo-SecureString $user_password -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($user_name, $secure_password)
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{ VaultServer = 'http://localhost:8200'; VaultAuthType = "AppRole"; KVVersion = 'v1'; VaultToken = $credentials; VaultSkipVerify = $false}
Don't know if this is correct, but haven't found any useful examples to confirm.
To Reproduce
Steps to reproduce the behavior:
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
False
Expected behavior
Test-SecretVault returns success/true
Desktop (please complete the following information):
PSVersion 7.2.5
PSEdition Core
GitCommitId 7.2.5
OS Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Binary 1.1.2 Microsoft.PowerShell.SecretManagem… {Get-Secret, Get-SecretInfo, Get-SecretVault, Register-SecretVault…}
Manifest 2.0.1 Preview SecretManagement.Hashicorp.Vault.KV
Additional context
This should be easy to implement as an option for people, may also create a way to renew tokens when they expire
Is your feature request related to a problem? Please describe.
Hi. We're using GitHub tokens to authenticate with Vault. I have an old PowerShell script that does the following:
function Get-VaultToken {
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $true)]
        [string]
        $Address,
        [Parameter(Mandatory = $true)]
        [string]
        $GithubToken
    )
    $Uri = "${Address}v1/auth/github/login"
    $Body = @{
        token = $GithubToken
    } | ConvertTo-Json
    $Headers = @{
        "Content-type" = "application/json"
    }
    $Response = Invoke-RestMethod -Method Post -Uri $Uri -Body $Body -Headers $Headers
    $Token = $Response.auth.client_token
    If (!$Token) {
        Throw "Failed to get token from Vault"
    }
    return $Token
}
but I would like to switch to using the secret-management module if possible. I've thought about just using the current Get-VaultToken to get the token and then register with the vault provider, but I'm unsure how long the vault token lives for, so I'm guessing it wouldn't be a particularly good solution.
Describe the solution you'd like
Support github as an authentication method, which uses a provided GitHub token to exchange for a Vault token.
Describe alternatives you've considered
Create a cmdlet that does the Get-VaultToken above, and adds/updates the secret-management vault with the new token.
Is your feature request related to a problem? Please describe.
Nope
Describe the solution you'd like
I'd like to use this module with Windows PowerShell
Describe alternatives you've considered
I considered using PowerShell 7, but I cannot do that.
Additional context
n/a
Is your feature request related to a problem? Please describe.
I'd like to use this module in an automation project which requires the vault to be unlocked unattended, without user interaction.
Describe the solution you'd like
A Login parameter for Unlock-SecretVault that maps to Role-ID or UserName depending on AuthType, instantiating the Credential object fully, thus not requiring user interaction via Read-Host or Get-Credential.
Describe alternatives you've considered
Attempted to Alias Read-Host and Get-Credential to allow unattended replies to Get-Credential, but this didn't work.
Maybe something like this. https://github.com/potatoqualitee/releases/blob/main/.github/workflows/dbatools.yml
Hi there,
I'm just having a play with this module and trying to figure out how to get a value from a key within a secret path.
Example: I have a key:value called testuser:testpass1234 under the secret/mysecrets/secret1 path.
While I can do this successfully:
get-secret -name mysecrets/secret1 -Vault secret
UserName Password
-------- --------
mysecrets/secret1 System.Security.SecureString
I'm unable to access the value of testuser underneath this path:
get-secret -name mysecrets/secret1/test -Vault secret
It just bombs out with the following error:
Get-Secret : Unable to get secret sysadmin/Temp/test from vault secret
At line:1 char:1
+ Get-Secret -Vault secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (Microsoft.Power...sionVaultModule:ExtensionVaultModule) [Get-Secret], PSInvalidOperationException
+ FullyQualifiedErrorId : GetSecretInvalidOperation,Microsoft.PowerShell.SecretManagement.GetSecretCommand
Get-Secret : The secret mysecrets/secret1/test was not found.
At line:1 char:1
+ Get-Secret -Vault secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.Power...etSecretCommand:GetSecretCommand) [Get-Secret], ItemNotFoundException
+ FullyQualifiedErrorId : GetSecretNotFound,Microsoft.PowerShell.SecretManagement.GetSecretCommand
In comparison, using the native vault command I could definitely extract the key:value pair like so:
vault kv get -version=1 secret/mysecrets/secret1/test
==== Data ====
Key Value
--- -----
testuser testpass1234
How do I go about extracting the same info using your module?
Or am I using it the wrong way?
I'm using kv1 engine.
Nice work btw :)
Thanks
J
Need to test and pin this extension to the latest GA SecretManagement version
It seems this requires access to sys/mounts as its creating and deleting the entire secrets store in vault.
It would be nice if this could also mount to existing secrets stores in vault created and managed by a vault administrator in addition to removing the need for privileged access to sys/mounts. Adopting this library will be hard for organizations with existing vault implementations without this feature.
Also thinking through how this is setup now, if I wanted to use this module for a team of people to access credentials across multiple machines is hard because I can't re-mount the secrets store from vault on a second machine currently because I have no way to access the secrets store created by the other machine or even other user.
Also not a huge deal, but troubleshooting what was happening was difficult because there doesn't seem to be any user feedback when Test-SecretVault was getting a permission denied on the v1/sys/mounts endpoint. I would just get False even with verbose on; not sure if this can be fixed with the way the module is wrapped by SecretManagement, but it was frustrating.
Issues with 1.2.0 Preview and Unlock-VaultSecret seem to be tied to Constrained Language Mode (CLM).
Unlock-SecretVault -Name secret -Verbose
cmdlet Unlock-SecretVault at command pipeline position 1
Supply values for the following parameters:
Password: ******
VERBOSE: Invoking command Unlock-SecretVault on module SecretManagement.Hashicorp.Vault.KV.Extension
WARNING: Cannot unlock extension vault 'secret': The vault does not support the Unlock-SecretVault function.
When trying to upload secrets with multiple level jsons, I get the following warning:
WARNING: Resulting JSON is truncated as serialization has exceeded the set depth of 2.
I believe it might be related to using the ConvertTo-Json cmdlet in the API call.
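The truncation warning above comes from ConvertTo-Json's default -Depth of 2: any container nested deeper is replaced by its string form. The following is an added example (not the extension's own code) that computes a sufficient depth for a constructed KV v2 write payload and verifies the round trip; Get-ContainerDepth and ConvertTo-KvV2Json are hypothetical helper names:

```powershell
# Added example, not the extension's own code. ConvertTo-Json stops at -Depth 2
# by default and stringifies anything nested deeper, which produces the
# "serialization has exceeded the set depth" warning and a corrupted secret.

# Constructed KV v2 write payload: the secret sits under "data", so every level
# of the user's secret is one level deeper than it looks.
$Secret  = @{ db = @{ primary = @{ user = 'app'; host = 'db1.internal' } } }
$Payload = @{ data = $Secret }

function Get-ContainerDepth {
    # Counts nested hashtable/array levels; scalars and strings count as zero.
    param ([Parameter(Mandatory)][AllowNull()] $Object)
    if ($null -eq $Object -or $Object -is [string]) { return 0 }
    if ($Object -is [System.Collections.IDictionary]) { $children = $Object.Values }
    elseif ($Object -is [System.Collections.IEnumerable]) { $children = $Object }
    else { return 0 }
    $deepest = 0
    foreach ($child in $children) {
        $deepest = [Math]::Max($deepest, (Get-ContainerDepth -Object $child))
    }
    return 1 + $deepest
}

function ConvertTo-KvV2Json {
    param ([Parameter(Mandatory)][hashtable] $Payload)
    # -Depth counts levels below the top-level object, so the total number of
    # container levels is a safe upper bound.
    $depth = Get-ContainerDepth -Object $Payload
    $json  = $Payload | ConvertTo-Json -Depth $depth -Compress
    # Round-trip check: no nested container may have collapsed into a string.
    $back = $json | ConvertFrom-Json -AsHashtable
    if ((Get-ContainerDepth -Object $back) -ne $depth) {
        throw "JSON round trip lost nesting; check -Depth"
    }
    return $json
}

# Default depth: emits the warning and "primary" becomes the string
# "System.Collections.Hashtable", i.e. the secret is silently corrupted.
$Payload | ConvertTo-Json -Compress
# Computed depth: the full secret survives.
ConvertTo-KvV2Json -Payload $Payload
```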