PowerShell / SecretManagement

PowerShell module to consistent usage of secrets through different extension vaults
MIT License

Question Regarding Azure Key Vault and OAuth 2.0 #225

Open jesnyder13 opened 1 month ago

jesnyder13 commented 1 month ago

Summary of the new feature / enhancement

The background of this question is that this module saves my team a lot of refactoring when switching between vaults since a wide variety of vaults have extensions available. It is very very useful for working with creds on the shell.

I am attempting to use the Microsoft.PowerShell.SecretManagement module to access Azure Key Vault secrets in a hybrid environment. Our setup requires authentication coming from outside of the Azure tenant. For other Azure services, we can use either OAuth 2.0 authorization with a registered app or service principal authentication.

However, with the SecretManagement module, I've noticed that:

  1. The only authentication method available seems to be service principal.
    • When I use OAuth I receive the following when using Get-Secret:
      Connect-AzAccount -AccessToken ... #successful auth
      Get-Secret ...
      Message: AKV10000: Request is missing a Bearer or PoP token.

I am specifically looking for a way to use OAuth 2.0 with this module, similar to how we can with other Azure services.

  1. Are there plans to add OAuth 2.0 support to the Microsoft.PowerShell.SecretManagement module for Azure Key Vault?
  2. In the meantime, is service principal authentication the recommended approach for our scenario?
  3. Are there any workarounds or best practices for using OAuth 2.0 with the SecretManagement module and Azure Key Vault?
  4. Is this a valid question?

Reference: https://learn.microsoft.com/en-us/powershell/utility-modules/secretmanagement/how-to/using-azure-keyvault?view=ps-modules

I have opened a case with the Key Vault Support Team #2407160040005824 but thought maybe I should check here as well.

Proposed technical implementation details (optional)

No response

jesnyder13 commented 1 month ago

After a call with support it seems the issue is not directly with the modules themselves.

  1. I can successfully obtain a bearer token for Azure Key Vault.
  2. Using this token, I'm able to retrieve secret values via the Invoke-RestMethod cmdlet, confirming the token's validity.
  3. However, when I attempt to use the Get-AzKeyVaultSecret cmdlet from the Az.KeyVault module, I receive an error: 'AKV10000: Request is missing a Bearer or PoP token.'
  4. During a support call, we tried various approaches with Set-AzContext, but we haven't found a way to make the Az.KeyVault module commands utilize the existing bearer token.

If you would be able to share a way that works with these modules on the shell to successfully interact with the Azure Key Vault using the bearer token, I would be very grateful. If not, I understand.
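One way to wire an externally obtained OAuth 2.0 bearer token through Az.KeyVault and the SecretManagement Az.KeyVault extension vault, added here as an example and not the issue author's or the project's code. It assumes you already hold two tokens, `$armToken` (audience `https://management.azure.com/`) and `$kvToken` (audience `https://vault.azure.net`); the vault name, secret name, subscription id and account id are placeholders.

```powershell
# Added example, not from the issue or the SecretManagement project.
# Assumes two OAuth 2.0 bearer tokens obtained outside the tenant:
#   $armToken - audience https://management.azure.com/  (ARM calls)
#   $kvToken  - audience https://vault.azure.net        (Key Vault data plane)
# Key Vault rejects an ARM-audience token with AKV10000, so the two must be kept apart.
$VaultName      = 'PLACEHOLDER-VAULT'                        # placeholder
$SecretName     = 'PLACEHOLDER-SECRET'                       # placeholder
$SubscriptionId = '00000000-0000-0000-0000-000000000000'     # placeholder
$AccountId      = 'user@example.com'                         # placeholder UPN or app id

# 1. Direct REST call (what the second comment confirms works): the raw token in an
#    Authorization header against the vault's data-plane endpoint.
function Get-KeyVaultSecretViaRest {
    param([string]$Vault, [string]$Name, [string]$BearerToken)
    $uri  = "https://$Vault.vault.azure.net/secrets/$Name?api-version=7.4"
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers @{ Authorization = "Bearer $BearerToken" }
    # Hand back a SecureString so the value does not land in plain text in history or transcripts.
    return (ConvertTo-SecureString -String $resp.value -AsPlainText -Force)
}

# 2. Build the Az context from the existing tokens. -KeyVaultAccessToken supplies the
#    vault.azure.net token separately, so Az.KeyVault does not fall back to the ARM token.
Connect-AzAccount -AccessToken $armToken -KeyVaultAccessToken $kvToken `
    -AccountId $AccountId -Subscription $SubscriptionId | Out-Null

# Check the Az side first; .SecretValue is a SecureString.
$direct = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName

# 3. SecretManagement on top of that context, using the Az.KeyVault extension vault.
Register-SecretVault -Name 'hybrid-kv' -ModuleName Az.KeyVault -VaultParameters @{
    AZKVaultName   = $VaultName
    SubscriptionId = $SubscriptionId
} -ErrorAction SilentlyContinue
$viaSm = Get-Secret -Name $SecretName -Vault 'hybrid-kv'   # SecureString by default

# 4. Compare REST and SecretManagement results in memory only; nothing is printed.
$a = [System.Net.NetworkCredential]::new('', (Get-KeyVaultSecretViaRest $VaultName $SecretName $kvToken)).Password
$b = [System.Net.NetworkCredential]::new('', $viaSm).Password
if ($a -ne $b) { throw 'SecretManagement and the REST call returned different values' }
```

If the REST call succeeds but Get-AzKeyVaultSecret still reports AKV10000, inspect the token actually being sent: decode its `aud` claim and confirm it is `https://vault.azure.net`, not the ARM resource.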