joshcorr / secretmanagement.hashicorp.vault.kv


A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine

License: MIT License

PowerShell 100.00%

secretmanagement.hashicorp.vault.kv's Issues

Test-SecretVault: Unable to run Test-SecretVault

Hello.

How to troubleshoot Test-SecretVault issue?
We're using server-side Vault HashiCorp and client-side as your module.

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name 'xxx/yyy' -VaultParameters @{ VaultServer = 'https://server:8200'; VaultAuthType = 'LDAP'}

What kind of Name should be specified as the name of the vault? We've tried /personal/user, space/unit/secrets/*/ and other forms, but nothing is working.

[Feature] Allow SkipCertificateCheck

Is your feature request related to a problem? Please describe.
Vault with self-signed certificates currently won't function.

Describe the solution you'd like
Allow a switch in the secret vault config to bypass TLS checks. This can leverage the SkipCertificateCheck switch built into Invoke-RestMethod for PowerShell 6.0 and above.

Describe alternatives you've considered
Tried some of the workarounds, like the following, without luck:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { return $true }

Additional context
Add any other context or screenshots about the feature request here.

[BUG] Getting Exception: Cannot convert null to type "System.DateTime".

On Windows 10 Pro is installed:

SecretManagement.Hashicorp.Vault.KV/2.0.0
Microsoft.PowerShell.SecretStore/1.0.5
Vault 1.9.2.
PowerShell7

I have started Vault in DEV mode and only token authentication is set up.

Logging has revealed that there is a problem with System.DateTime conversion and Token's expiration datetime.

The whole debug report:

PS C:\Vault\SecretManagement.Hashicorp.Vault.KV> Test-SecretVault -VaultName secret -AdditionalParameters $additionalparameters -Verbose
VERBOSE: Grabbing token for secret
VERBOSE: Token Expired at 01/01/1600 00:00:00. Retieving a new token

PowerShell credential request
Please Enter the token
Password for user Token: **************************

VERBOSE: POST with 45-byte payload
VERBOSE: received 461-byte response of content type application/json
VERBOSE: Content encoding: utf-8
Exception: Cannot convert null to type "System.DateTime".

PS C:\Vault\SecretManagement.Hashicorp.Vault.KV> $error[0] | fl -force

Exception : System.Management.Automation.ArgumentTransformationMetadataException: Cannot convert null to type "System.DateTime".
---> System.Management.Automation.PSInvalidCastException: Cannot convert null to type "System.DateTime".
at System.Management.Automation.LanguagePrimitives.ThrowInvalidCastException(Object valueToConvert, Type resultType)
at System.Management.Automation.LanguagePrimitives.ConvertNoConversion(Object valueToConvert, Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
at System.Management.Automation.LanguagePrimitives.ConversionData`1.Invoke(Object valueToConvert, Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider, TypeTable backupTable)
at System.Management.Automation.LanguagePrimitives.ConvertTo(Object valueToConvert, Type resultType, Boolean recursion, IFormatProvider formatProvider, TypeTable backupTypeTable)
at System.Management.Automation.ArgumentTypeConverterAttribute.Transform(EngineIntrinsics engineIntrinsics, Object inputData, Boolean bindingParameters, Boolean bindingScriptCmdlet)
--- End of inner exception stack trace ---
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject :
CategoryInfo : MetadataError: (:) [], ArgumentTransformationMetadataException
FullyQualifiedErrorId : RuntimeException
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at Invoke-VaultToken, C:\Vault\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 270
at Test-SecretVault, C:\Vault\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV\SecretManagement.Hashicorp.Vault.KV.Extension\SecretManagement.Hashicorp.Vault.KV.Extension.psm1: line 673
at , : line 1
PipelineIterationInfo : {}
PSMessageDetails :

Expected behaviour: a valid token is retrieved and no datetime error happens.
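The trace above shows a null being cast to [DateTime] while the token expiry is read. As an added example (not code from this module), the helper below reads Vault's auth/token/lookup-self response defensively; it assumes that documented response shape, in which expire_time is null and ttl is 0 for a token that never expires (the root token a dev-mode server issues is one such token), and both sample responses are constructed.

```powershell
# Added example, not the module's code: derive a token expiry from a Vault
# 'auth/token/lookup-self' response without casting a null to [DateTime].
# Assumption: the 'data' object carries 'expire_time' (RFC 3339 string or null)
# and 'ttl' (seconds, 0 when the token has no expiry).

function Get-VaultTokenExpiry {
    [CmdletBinding()]
    param (
        # The 'data' object of a lookup-self response, already converted from JSON.
        [Parameter(Mandatory = $true)]
        [psobject]$TokenData
    )

    # A null or empty expire_time means the token has no expiry. Returning
    # [DateTime]::MaxValue keeps the caller's "past expiry?" comparison simple.
    if ([string]::IsNullOrEmpty($TokenData.expire_time)) {
        Write-Verbose 'Token has no expire_time; treating it as non-expiring'
        return [DateTime]::MaxValue
    }

    # Parse with the invariant culture and normalize to UTC instead of relying on
    # an implicit [DateTime] cast, which honours the current culture settings.
    return [DateTimeOffset]::Parse(
        $TokenData.expire_time,
        [System.Globalization.CultureInfo]::InvariantCulture
    ).UtcDateTime
}

function Test-VaultTokenExpired {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [psobject]$TokenData,
        # Treat the token as expired slightly early so a renewal never races the real expiry.
        [int]$SkewSeconds = 30
    )
    $expiry = Get-VaultTokenExpiry -TokenData $TokenData
    if ($expiry -eq [DateTime]::MaxValue) { return $false }
    return ([DateTime]::UtcNow.AddSeconds($SkewSeconds) -ge $expiry)
}

# Constructed sample 'data' objects: a dev-mode root token with no expiry, and a
# user token whose expire_time (sub-second precision, as Vault emits) is in the past.
$rootTokenData = [pscustomobject]@{ expire_time = $null; ttl = 0; renewable = $false; policies = @('root') }
$userTokenData = [pscustomobject]@{ expire_time = '2022-03-01T12:00:00.123456Z'; ttl = 3600; renewable = $true }

Test-VaultTokenExpired -TokenData $rootTokenData -Verbose   # non-expiring root token
Test-VaultTokenExpired -TokenData $userTokenData            # expired user token
```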

[BUG] Unregister-SecretVault asks for URL + authentication

Describe the bug
When running Unregister-SecretVault, "SecretManagement.Hashicorp.Vault.KV" is prompting for vault parameters just as when "Register-SecretVault" is run. This is not needed when Unregistering and seems like a bug.

To Reproduce
Steps to reproduce the behavior:

  1. Register new SecretVault.
  2. Add URL + auth method
  3. Run "Unregister-SecretVault" on the newly registered SecretVault.
  4. The shell should now prompt for the URL to vault + the auth method in the same way as when you run "Register-SecretVault".

Expected behavior
When running "Unregister-SecretVault", the defined vault should just get un-registered without the need to be prompted for data used during the actual registration step.

Screenshots
[screenshot omitted]

Desktop (please complete the following information):

  • OS: Windows Server 2016
  • PowerShell Version: 7.2.0
  • Microsoft.PowerShell.SecretManagement Version: 1.1.1
  • SecretManagement.Hashicorp.Vault.KV Version: 1.3.0
  • Hashicorp Vault Version: 1.9.0

Additional context
The SecretVault is still unregistered as intended after leaving the prompted values empty, as seen in the screenshot.

better documentation needed

Can you provide more examples of general usage? I'm having trouble figuring out exactly how to access secrets.

Improve testing on the extension

Need to create unit and integration testing. This might require some research into an automated setup for vault in container so that we can run test cases.

Error when unregistering vault [BUG]

Error when unregistering vault

Unregister-SecretVault -Name secret
Unregister-SecretVault : A command that prompts the user failed because the host program or the command type does not
At line:1 char:1
+ Unregister-SecretVault -Name secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotImplemented: (:) [Unregister-SecretVault], HostException
    + FullyQualifiedErrorId : HostFunctionNotImplemented,Microsoft.PowerShell.SecretManagement.UnregisterSecretVaultCommand

[BUG] A variable with name 'VaultToken' already exists.

Describe the bug
With a vault token in the configuration for the vault, all commands fail when trying to create a variable that already exists.

To Reproduce
Steps to reproduce the behavior:

    # register vault
    [hashtable]$VaultParameters = @{
        VaultServer   = $Address
        VaultToken    = ($Token | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString)
        VaultAuthType = 'RenewToken'
    }

    Register-SecretVault -AllowClobber -ModuleName SecretManagement.Hashicorp.Vault.KV -Name $Name -VaultParameters $VaultParameters

    # test vault
    Get-SecretVault -Name $Name | Test-SecretVault

Expected behavior
It should not crash.

Screenshots
[screenshot omitted]

Desktop (please complete the following information):

PSVersion                      7.2.1
PSEdition                      Core
GitCommitId                    7.2.1
OS                             Linux 5.16.11-arch1-1 #1 SMP PREEMPT Thu, 24 Feb 2022 02:18:20 +0000
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
  • OS: arch linux
  • PowerShell Version: see above
  • Microsoft.PowerShell.SecretManagement Version: 1.1.2
  • SecretManagement.Hashicorp.Vault.KV Version: 2.0.0
  • Hashicorp Vault Version: 1.7.4 (I think, that's what it says on the bottom of the website)

Additional context
Add any other context about the problem here.

[BUG] Test-SecretVault fails with "Input string was not in a correct format", cannot set secrets

Describe the bug
Cannot seem to set or retrieve any secrets in a Vault using AppRole authentication. Invoking Test-SecretVault fails with an error:

Exception : System.Management.Automation.PSInvalidOperationException: Unable to run Test-SecretVault on vault secret
---> System.Management.Automation.CmdletInvocationException: Input string was not in a correct format.
---> System.FormatException: Input string was not in a correct format.
at System.Number.ThrowOverflowOrFormatException(ParsingStatus status, TypeCode type)
at System.Byte.Parse(ReadOnlySpan`1 s, NumberStyles style, IFormatProvider provider)
at Microsoft.PowerShell.SecureStringHelper.ByteArrayFromString(String s)
at Microsoft.PowerShell.SecureStringHelper.Unprotect(String input)
at Microsoft.PowerShell.Commands.ConvertToSecureStringCommand.ProcessRecord()
at System.Management.Automation.Cmdlet.DoProcessRecord()
at System.Management.Automation.CommandProcessor.ProcessRecord()
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at System.Management.Automation.PowerShell.Worker.ConstructPipelineAndDoWork(Runspace rs, Boolean performSyncInvoke)
at System.Management.Automation.PowerShell.Worker.CreateRunspaceIfNeededAndDoWork(Runspace rsToUse, Boolean isSync)
at System.Management.Automation.PowerShell.CoreInvokeHelper[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TInput,TOutput](PSDataCollection`1 input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.CoreInvoke[TOutput](IEnumerable input, PSDataCollection`1 output, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke(IEnumerable input, PSInvocationSettings settings)
at System.Management.Automation.PowerShell.Invoke()
at Microsoft.PowerShell.SecretManagement.PowerShellInvoker.InvokeScriptWithHost[T](PSCmdlet cmdlet, String script, Object[] args, Exception& terminatingError) in D:\a_work\1\s\src\code\Utils.cs:line 1554
--- End of inner exception stack trace ---
TargetObject : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo : InvalidOperation: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Test-SecretVault], PSInvalidOperationException
FullyQualifiedErrorId : TestSecretVaultInvalidOperation,Microsoft.PowerShell.SecretManagement.TestSecretVaultCommand
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at , : line 1
PipelineIterationInfo : {0, 1}
PSMessageDetails :

Invoking Register-SecretVault with the following commands:

[securestring]$secure_password = ConvertTo-SecureString $user_password -AsPlainText -Force
[pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($user_name, $secure_password)
# the server address must be quoted, otherwise PowerShell tries to run it as a command
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{ VaultServer = 'http://localhost:8200'; VaultAuthType = "AppRole"; KVVersion = 'v1'; VaultToken = $credentials; VaultSkipVerify = $false }

Don't know if this is correct, but haven't found any useful examples to confirm.

To Reproduce
Steps to reproduce the behavior:

  1. [securestring]$secure_password = ConvertTo-SecureString $user_password -AsPlainText -Force
     [pscredential]$credentials = New-Object System.Management.Automation.PSCredential ($user_name, $secure_password)
     Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name "secret" -VaultParameters @{ VaultServer = 'http://localhost:8200'; VaultAuthType = "AppRole"; KVVersion = 'v1'; VaultToken = $credentials; VaultSkipVerify = $false }
  2. Test-SecretVault -Name secret -Debug
  3. Test-SecretVault: Unable to run Test-SecretVault on vault secret
     VERBOSE: Vault secret failed validation test

Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"):
False

Expected behavior
Test-SecretVault returns success/true

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: ubuntu 22.03
  • PowerShell Version:

    Name                           Value
    ----                           -----
    PSVersion                      7.2.5
    PSEdition                      Core
    GitCommitId                    7.2.5
    OS                             Linux 5.10.102.1-microsoft-standard-WSL2 #1 SMP Wed Mar 2 00:30:59 UTC 2022
    Platform                       Unix
    PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
    PSRemotingProtocolVersion      2.3
    SerializationVersion           1.1.0.1
    WSManStackVersion              3.0

  • Microsoft.PowerShell.SecretManagement Version:

    ModuleType Version PreRelease Name                                 ExportedCommands
    ---------- ------- ---------- ----                                 ----------------
    Binary     1.1.2              Microsoft.PowerShell.SecretManagem…  {Get-Secret, Get-SecretInfo, Get-SecretVault, Register-SecretVault…}

  • SecretManagement.Hashicorp.Vault.KV Version:

    ModuleType Version PreRelease Name                                 ExportedCommands
    ---------- ------- ---------- ----                                 ----------------
    Manifest   2.0.1   Preview    SecretManagement.Hashicorp.Vault.KV

  • Hashicorp Vault Version: 1.1.1

Additional context
Add any other context about the problem here.

[Feature] Github token authentication

Is your feature request related to a problem? Please describe.
Hi. We're using GitHub tokens to authenticate with Vault. I have an old PowerShell script that does the following:

function Get-VaultToken {
    [CmdletBinding()]
    Param (
        # Vault address, e.g. https://vault.example.com:8200 (trailing slash optional)
        [Parameter(Mandatory = $true)]
        [string]
        $Address,

        # GitHub personal access token to exchange for a Vault token
        [Parameter(Mandatory = $true)]
        [string]
        $GithubToken
    )

    # Normalize the address so the login path is built correctly with or without a trailing slash
    $Uri = "$($Address.TrimEnd('/'))/v1/auth/github/login"
    $Body = @{
        token = $GithubToken
    } | ConvertTo-Json
    $Headers = @{
        "Content-type" = "application/json"
    }

    $Response = Invoke-RestMethod -Method Post -Uri $Uri -Body $Body -Headers $Headers
    # auth.client_token is the Vault token later requests send in the X-Vault-Token header
    $Token = $Response.auth.client_token
    If (!$Token) {
        Throw "Failed to get token from Vault"
    }

    return $Token
}

but I would like to switch to using the SecretManagement module if possible. I've thought about just using the current Get-VaultToken to get the token and then registering with the vault provider, but I'm unsure how long the Vault token lives for, so I'm guessing it wouldn't be a particularly good solution.

Describe the solution you'd like
Support github as an authentication method, which uses a provided github token to exchange for a vault token.

Describe alternatives you've considered
Create a cmdlet that does what Get-VaultToken above does, and adds/updates the SecretManagement vault with the new token.

Additional context

[Feature] Support Windows PowerShell

Is your feature request related to a problem? Please describe.
Nope

Describe the solution you'd like
I'd like to use this module with Windows PowerShell

Describe alternatives you've considered
I considered using PowerShell 7, but I cannot do that.

Additional context
n/a

[Feature] Unattended Unlock-SecretVault

Is your feature request related to a problem? Please describe.
I'd like to use this module in an automation project which requires the vault to be unlocked unattended, without user interaction.

Describe the solution you'd like
A Login parameter for Unlock-SecretVault that maps to Role-ID or UserName depending on AuthType, instantiating the Credential object fully, thus not requiring user interaction via Read-Host or Get-Credential.

Describe alternatives you've considered
Attempted to Alias Read-Host and Get-Credential to allow unattended replies to Get-Credential, but this didn't work.

Extracting value from key:value pair on a secret path

Hi there,
I'm just having a play with this module and trying to figure out how to get a value from a key within a secret path.

Example : I have a key:value called testuser:testpass1234 under the secret/mysecrets/secret1 path.

While I can do this successfully:

get-secret -name mysecrets/secret1 -Vault secret

UserName          Password
--------          --------
mysecrets/secret1 System.Security.SecureString

I'm unable to access the value of testuser underneath this path:

get-secret -name mysecrets/secret1/test -Vault secret

It just bombs out with the following error :

Get-Secret : Unable to get secret sysadmin/Temp/test from vault secret
At line:1 char:1
+ Get-Secret -Vault secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...sionVaultModule:ExtensionVaultModule) [Get-Secret], PSInvalidOperationException
    + FullyQualifiedErrorId : GetSecretInvalidOperation,Microsoft.PowerShell.SecretManagement.GetSecretCommand
 
Get-Secret : The secret mysecrets/secret1/test was not found.
At line:1 char:1
+ Get-Secret -Vault secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...etSecretCommand:GetSecretCommand) [Get-Secret], ItemNotFoundException
    + FullyQualifiedErrorId : GetSecretNotFound,Microsoft.PowerShell.SecretManagement.GetSecretCommand

In comparison, using the native vault command I can definitely extract the key:value pair like so:

vault kv get -version=1 secret/mysecrets/secret1/test

==== Data ====
Key         Value
---         -----
testuser    testpass1234

How do I go about extracting the same info using your module?
Or am I using it the wrong way?
I'm using kv1 engine.
Nice work btw :)

Thanks
J

Mounting to an existing path in Vault

It seems this requires access to sys/mounts, as it's creating and deleting the entire secrets store in Vault.

It would be nice if this could also mount to existing secrets stores in vault created and managed by a vault administrator in addition to removing the need for privileged access to sys/mounts. Adopting this library will be hard for organizations with existing vault implementations without this feature.

Also, thinking through how this is set up now, using this module for a team of people to access credentials across multiple machines is hard, because I currently can't re-mount the secrets store from Vault on a second machine: I have no way to access the secrets store created by the other machine or even by another user.

Also, not a huge deal, but troubleshooting what was happening was difficult because there doesn't seem to be any user feedback when Test-SecretVault gets a permission denied on the v1/sys/mounts endpoint. I would just get False even with verbose on. Not sure if this can be fixed with the way the module is wrapped by SecretManagement, but it was frustrating.

[BUG] Unlock-VaultSecret not working on 1.2.0 Preview

Issues with 1.2.0 Preview and Unlock-VaultSecret seem to be tied to Constrained Language Mode (CLM).

Unlock-SecretVault -Name secret -Verbose

cmdlet Unlock-SecretVault at command pipeline position 1
Supply values for the following parameters:
Password: ******
VERBOSE: Invoking command Unlock-SecretVault on module SecretManagement.Hashicorp.Vault.KV.Extension
WARNING: Cannot unlock extension vault 'secret': The vault does not support the Unlock-SecretVault function.

Secrets with nested jsons can be truncated

When trying to upload secrets with multi-level JSON, I get the following warning:
WARNING: Resulting JSON is truncated as serialization has exceeded the set depth of 2.

I believe it might be related to using the ConvertTo-Json cmdlet in the API call.
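Added example (not the module's code) of guarding a KV v2 write against the truncation warning quoted above: it builds the {"data": ...} envelope the KV v2 write API expects (assumed to be the engine version in use), serializes with an explicit depth, and round-trips the JSON to prove no level was lost; the three-level secret is constructed.

```powershell
# Added example, not the module's code. Assumption: a KV v2 write wraps the secret
# in a top-level 'data' object, so every user level sits one level deeper than it
# looks; with ConvertTo-Json's default -Depth of 2 the innermost hashtables are
# emitted as the string "System.Collections.Hashtable" and a warning is printed.

function Test-SameKeys {
    # Recursively check that every key (and nested hashtable) in $Expected survived in $Actual.
    param ([hashtable]$Expected, [hashtable]$Actual)
    if ($null -eq $Actual) { return $false }
    foreach ($key in $Expected.Keys) {
        if (-not $Actual.ContainsKey($key)) { return $false }
        if ($Expected[$key] -is [hashtable]) {
            # A truncated level arrives as a string, not a hashtable.
            if ($Actual[$key] -isnot [hashtable]) { return $false }
            if (-not (Test-SameKeys -Expected $Expected[$key] -Actual $Actual[$key])) { return $false }
        }
    }
    return $true
}

function ConvertTo-VaultKvPayload {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [hashtable]$Secret,
        # Generous default: the envelope plus however many levels the secret nests.
        [int]$Depth = 10
    )
    # Wrapping adds one level: { "data": { ...user secret... } }
    $json = @{ data = $Secret } | ConvertTo-Json -Depth $Depth -Compress

    # Round-trip check: if serialization truncated a level, the deepest keys are gone,
    # and sending the payload would silently overwrite the secret with garbage.
    $roundTrip = $json | ConvertFrom-Json -AsHashtable
    if (-not (Test-SameKeys -Expected $Secret -Actual $roundTrip.data)) {
        throw "Secret was truncated during JSON serialization; increase -Depth (was $Depth)"
    }
    return $json
}

# Constructed three-level secret: a database block with per-environment credentials.
$secret = @{
    database = @{
        prod = @{ username = 'app'; password = 'example-only' }
        dev  = @{ username = 'app'; password = 'example-only' }
    }
}

# The default depth of 2 reproduces the warning from the issue and fails the round-trip check.
try { ConvertTo-VaultKvPayload -Secret $secret -Depth 2 } catch { Write-Warning $_ }

# An explicit depth serializes every level and returns the payload ready for the write call.
ConvertTo-VaultKvPayload -Secret $secret
```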
