Azure / azure-powershell

Microsoft Azure PowerShell

Should be a slick way to store and retrieve a PSCredential object from a Key Vault Secret #10434

Open buchs opened 4 years ago

buchs commented 4 years ago

Description of the new feature

Need an easy way to store and retrieve a PSCredential object. For example:

$creds = Get-Credential
Set-AzKeyVaultSecret -VaultName $vaultName -name $secretName -PsCredential $creds

and

$credsRetrieved = Get-AzKeyVaultSecret -vaultName $VaultName -name $secretName -PsCredential

The Existing Mechanism

Here is the clunky way I have come up with to do it:

$Creds = Get-Credential -Message "$msg"
# create a vertical-tab-delimited string from the values entered
$secretstring = $Creds.GetNetworkCredential().UserName + "`v" + $Creds.GetNetworkCredential().Password
$secretvalue = ConvertTo-SecureString $secretstring -AsPlainText -Force
# store in Key Vault
Set-AzKeyVaultSecret -VaultName $VaultName -Name $DomainSecretName -SecretValue $secretvalue

and

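# read the secret back and split it on the vertical tab ("`v") used when storing it
$secretValueParts = (Get-AzKeyVaultSecret -VaultName $VaultName -Name $DomainSecretName).SecretValueText -Split "`v"
# rebuild the PSCredential from the two parts (user name, password)
$password = ConvertTo-SecureString $secretValueParts[1] -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($secretValueParts[0], $password)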
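
A variant of the round trip described in the post above, added here as an example; it is not code from the issue author or from the Az module. The function names `Set-KvPSCredential` and `Get-KvPSCredential` and the content-type label are hypothetical. It stores the credential as JSON so no delimiter can collide with the values, and it reads the secret through the `SecretValue` SecureString.

```powershell
# Added example: function names and the content-type label are hypothetical.
$KvCredentialContentType = 'application/x-pscredential+json'   # constructed label

function Set-KvPSCredential {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    # $Credential.UserName keeps a DOMAIN\ prefix; GetNetworkCredential().UserName drops it.
    # JSON escapes every character, so neither field can break the encoding.
    $json = [ordered]@{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json -Compress
    $secure = ConvertTo-SecureString $json -AsPlainText -Force
    # ContentType marks the secret so other consumers of the vault can tell how to parse it.
    Set-AzKeyVaultSecret -VaultName $VaultName -Name $Name -SecretValue $secure `
        -ContentType $KvCredentialContentType | Out-Null
}

function Get-KvPSCredential {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name
    )
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name
    if (-not $secret) {
        throw "Secret '$Name' was not returned from vault '$VaultName'."
    }
    # Refuse secrets that were not written by Set-KvPSCredential.
    if ($secret.ContentType -ne $KvCredentialContentType) {
        throw "Secret '$Name' has content type '$($secret.ContentType)', not a stored PSCredential."
    }
    # Unwrap the SecureString only for as long as it takes to parse the JSON.
    $json  = [System.Net.NetworkCredential]::new('', $secret.SecretValue).Password
    $parts = $json | ConvertFrom-Json
    $password = ConvertTo-SecureString $parts.password -AsPlainText -Force
    [pscredential]::new($parts.username, $password)
}

# Usage ($VaultName and $DomainSecretName as in the post above):
# Set-KvPSCredential -VaultName $VaultName -Name $DomainSecretName -Credential (Get-Credential)
# $Credential = Get-KvPSCredential -VaultName $VaultName -Name $DomainSecretName
```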

buchs commented 4 years ago

Since PSCredential objects are often used in PowerShell, I was surprised there wasn't already some way to do this. Seems natural.

wyunchi-ms commented 4 years ago

Hi @buchs thanks for your recommendation. We will consider it.

guidooliveira commented 4 years ago

This would be really useful, and reduce the amount of secrets stored.

dcaro commented 4 years ago

Supporting PSCredentials as is in Keyvault would be confusing for other customers of KV. We are considering a method in the KeyVault module that will convert PSCredentials to / from KV Secrets. Please react to let us know what you think of it.

buchs commented 4 years ago

I don’t understand why adding another credential type would be confusing to current users. They wouldn’t need to care or even notice the change. But I guess an additional module is a solution. Of key importance would be the word “slick” in the title of this issue. Make it trivially easy to use.

dcaro commented 4 years ago

Sorry if I was not clear, we evaluated if native support of PSCredentials was an option instead of relying on secrets.