My recent article about the architecture of PowerShell Secret Management explained how the modules work together. This blog post is a step-by-step guide to installing and using PowerShell Secret Management.
Let's start right away with the installation.
1.) Installing the Modules
The SecretManagement modules are hosted on the PowerShell Gallery. As of today, Feb. 23, 2021, they are still prerelease, so the installation commands are:
```powershell
Install-Module Microsoft.PowerShell.SecretStore -AllowPrerelease
Install-Module Microsoft.PowerShell.SecretManagement -AllowPrerelease
```
2.) CmdLets provided by the modules
Now let's see which CmdLets the newly installed modules provide:
```powershell
Get-Command -Module Microsoft.PowerShell.SecretStore
```
SecretStore has 5 CmdLets (What you should know – every future „Store“ Module will have 5 CmdLets with similar functionality)
```
CommandType     Name                              Version    Source
-----------     ----                              -------    ------
Cmdlet          Get-SecretStoreConfiguration      0.9.0      Microsoft.PowerShell.SecretStore
Cmdlet          Reset-SecretStore                 0.9.0      Microsoft.PowerShell.SecretStore
Cmdlet          Set-SecretStoreConfiguration      0.9.0      Microsoft.PowerShell.SecretStore
Cmdlet          Set-SecretStorePassword           0.9.0      Microsoft.PowerShell.SecretStore
Cmdlet          Unlock-SecretStore                0.9.0      Microsoft.PowerShell.SecretStore
```
The SecretManagement CmdLets are listed with:
```powershell
Get-Command -Module Microsoft.PowerShell.SecretManagement
```
And the result is:
```
CommandType     Name                       Version    Source
-----------     ----                       -------    ------
Cmdlet          Get-Secret                 0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Get-SecretInfo             0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Get-SecretVault            0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Register-SecretVault       0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Remove-Secret              0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Set-Secret                 0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Set-SecretVaultDefault     0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Test-SecretVault           0.9.0      Microsoft.PowerShell.SecretManagement
Cmdlet          Unregister-SecretVault     0.9.0      Microsoft.PowerShell.SecretManagement
```
3.) Create a SecretStore Configuration
If you have a completely new configuration, simply start with:
```
PS C:\Users\roman> Get-SecretStoreConfiguration
Vault Microsoft.PowerShell.SecretStore requires a password.
Enter password:
******

      Scope Authentication PasswordTimeout Interaction
      ----- -------------- --------------- -----------
CurrentUser       Password             900      Prompt
```
Now you have a configuration (aka a policy) that defines how vaults are accessed.
4.) Create a vault
To store secrets, we need a vault to put them in. We just created a store configuration; now let's create a vault.
```powershell
Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name myVault -Description 'Blog Example Vault'
```
Let's see what we created:
```powershell
Get-SecretVault | Select-Object Name,Description,IsDefault
```
Results of our vault-listing:
```
Name    Description        IsDefault
----    -----------        ---------
myVault Blog Example Vault     False
```
5.) Create secrets
Finally, we can store secrets.
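```powershell
# Store a plain string under the name that is listed and read back below
Set-Secret -Name 'mySecString' -Secret 'abcdzyxw' -Vault myVault
# Store a PSCredential (user name and password)
$myCred = Get-Credential
Set-Secret -Name myCred -Secret $myCred -Vault myVault
```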
Interestingly the second command requires the secret password of the vault. Not sure why this is the case, probably password timeout.
Now let's see what secrets we have stored:
```powershell
Get-SecretInfo
```
This shows our currently stored secrets:
```
Name        Type         VaultName
----        ----         ---------
myCred      PSCredential myVault
mySecString SecureString myVault
```
6.) Read Secrets
Now finally comes the step that the whole procedure was for: reading secrets from the vault.
```powershell
Get-Secret -Name mySecString -Vault myVault -AsPlainText
```
Great – we can read a secret now. A future blog will probably deal with secrets in scripts and maybe other providers.
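When the secrets are used from a script, the value does not have to appear as a literal on the command line or be printed with -AsPlainText. The following is an added example, not part of the original post; it assumes the vault myVault and the secret myCred from the steps above, and the secret name myApiToken is hypothetical.

```powershell
# Added example: store and consume secrets without exposing them on the
# command line, in the PSReadLine history, or in console output.
# Assumes the vault 'myVault' and the secret 'myCred' from the steps above;
# 'myApiToken' is a hypothetical secret name.

$vaultName = 'myVault'

# Fail early if the vault is not registered for the current user.
if (-not (Get-SecretVault -Name $vaultName -ErrorAction SilentlyContinue)) {
    throw "Vault '$vaultName' is not registered. Run Register-SecretVault first."
}

# Prompt for the value instead of passing a literal string to -Secret,
# so the secret never ends up in the command history or in the script file.
if (-not (Get-SecretInfo -Name 'myApiToken' -Vault $vaultName)) {
    $token = Read-Host -Prompt 'Value for myApiToken' -AsSecureString
    Set-Secret -Name 'myApiToken' -Secret $token -Vault $vaultName
}

# Without -AsPlainText a string secret is returned as a SecureString.
$secure = Get-Secret -Name 'myApiToken' -Vault $vaultName

# A PSCredential secret can be passed directly to any -Credential parameter.
$cred = Get-Secret -Name 'myCred' -Vault $vaultName
Write-Host "Loaded credential for user $($cred.UserName)"

# Convert to plain text only at the point of use and drop it right after.
$plain = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    # Use $plain here, e.g. to build an authorization header.
    Write-Host "Token loaded, length $($plain.Length)"
}
finally {
    Remove-Variable -Name plain
}
```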
Have fun testing/experimenting.
Regards/Roman
Thanks for the picture: Photo by Georg Bommeli on Unsplash