First look at the Secrets Management Module

It is still an alpha version, but long awaited. Using credentials, keys and other secrets in scripts that act on our behalf is difficult to implement and manage, and is also error-prone. Now Microsoft is working on a PowerShell module called Microsoft.PowerShell.SecretsManagement, which may change the landscape of secrets management completely.

As I think this is a really important module, I spent a few minutes and tested the functionality.

Installation

To install the module from the PowerShell Gallery into your user context type:

Install-Module Microsoft.PowerShell.SecretsManagement -AllowPrerelease

This installs the module and provides the following commands.

Get-Command -Module Microsoft.PowerShell.SecretsManagement | Select-Object Name

Name
----
Add-Secret
Get-Secret
Get-SecretInfo
Get-SecretsVault
Register-SecretsVault
Remove-Secret
Unregister-SecretsVault

Usage – Vaults and Secrets

This opens up the main functionality. There are vaults, in which you store secrets, and there are the secrets themselves.

What vaults do we have?

Get-SecretsVault

Name              ModuleName ImplementingType
----              ---------- ----------------
BuiltInLocalVault

As mentioned in the original blog, the module ships with a default vault, which is a CredMan vault on the local machine.

Storing and using a Secret

Secrets may have multiple formats; the ones I mostly deal with are strings (API keys or GUIDs) or credentials. Now let's store a credential in the vault.

Add-Secret -Name mycred -Secret (Get-Credential)

PowerShell credential request
Enter your credentials.
User: roman
Password for user roman: *********

Now let's store a GUID as a string-type secret.

Add-Secret -Name MyGuid -Secret '20d23b5b-65a4-4c87-9865-c7c612967dcf'

What secrets do we have now?

Get-SecretInfo

Name   Vault             TypeName
----   -----             --------
mycred BuiltInLocalVault PSCredential
MyGuid BuiltInLocalVault String

To use the secret in a script, simply use the Get-Secret cmdlet.

"This is the secrect we stored: " + (Get-Secret -Name MyGuid)
This is the secrect we stored: System.Security.SecureString

Do they survive a new session? Yes! We exit the session, start a new one, and the secrets are still there.
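
The Get-Secret output above shows that a string secret comes back as a SecureString, so plain concatenation only yields the type name. The following is an added example, not code from the original post or from the module: it retrieves the two secrets stored above (mycred and MyGuid), checks their types, and converts the SecureString to text only at the point of use. The helper names Get-TypedSecret and ConvertTo-PlainText and the x-api-key header name are hypothetical.

```powershell
# Added example. Assumes the secrets 'mycred' and 'MyGuid' stored earlier
# in this post exist in BuiltInLocalVault.
Import-Module Microsoft.PowerShell.SecretsManagement

function Get-TypedSecret {            # hypothetical helper
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [type]   $ExpectedType
    )
    # Fail early if the secret is missing or is not the type the script expects
    $secret = Get-Secret -Name $Name -ErrorAction Stop
    if ($null -eq $secret) {
        throw "Secret '$Name' was not found in any registered vault."
    }
    if ($secret -isnot $ExpectedType) {
        throw "Secret '$Name' is a $($secret.GetType().Name), expected $($ExpectedType.Name)."
    }
    $secret
}

function ConvertTo-PlainText {        # hypothetical helper
    param([Parameter(Mandatory)] [securestring] $SecureString)
    # NetworkCredential exposes the content of a SecureString as a plain string
    [System.Net.NetworkCredential]::new('', $SecureString).Password
}

# A PSCredential can be passed directly to any -Credential parameter
$cred = Get-TypedSecret -Name mycred -ExpectedType ([pscredential])

# A string secret is returned as a SecureString
$guid = Get-TypedSecret -Name MyGuid -ExpectedType ([securestring])

# Convert only where the plain value is needed, and keep it in a narrow scope
$headers = @{ 'x-api-key' = (ConvertTo-PlainText -SecureString $guid) }

# Report metadata only; never write the secret itself to output or logs
"Credential user : $($cred.UserName)"
"API key length  : $($headers['x-api-key'].Length)"

# Drop the plain-text copy once it is no longer needed
$headers.Clear()
```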

My summary: I really love the module and the approach. This will solve a lot of issues in scripts today. Regards/Roman
