PowerShell / SecretManagement

PowerShell module for consistent usage of secrets through different extension vaults
MIT License
325 stars, 46 forks

Set-Secret deletes secrets unexpectedly #227

Open danikuci1 opened 4 weeks ago

danikuci1 commented 4 weeks ago

Steps to reproduce

I am trying to leverage the secrets management module to manage secrets in Azure KeyVault and want to update some metadata when a password is updated. This works fine in the AKV but fails when doing it with the module.

Expected behavior

PS> Set-Secret -Name "SomeSecret" -SecureStringSecret $NewPasswordSecureString -Vault MyVault -Metadata @{Expiration = (Get-Date).AddMonths(1)}

Congrats! Your secret was updated and all is well! Yay!

Actual behavior

PS> Set-Secret -Name "SomeSecret" -SecureStringSecret $NewPasswordSecureString -Vault MyVault -Metadata @{Expiration = (Get-Date).AddMonths(1)}

Set-Secret: Cannot add secret metadata 'SomeSecret' to vault 'MyVault': The vault does not support the Set-SecretInfo function.

Yet this works fine if I specify the same metadata with Set-AzKeyVaultSecret or do it manually through the portal.

Error details

Exception             :
    Type        : System.Management.Automation.PSNotSupportedException
    ErrorRecord :
        Exception             :
            Type    : System.Management.Automation.ParentContainsErrorRecordException
            Message : Cannot add secret metadata '...' to vault '...: The vault does not support the Set-SecretInfo function.
            HResult : -2146233087
        CategoryInfo          : NotImplemented: (:) [], ParentContainsErrorRecordException
        FullyQualifiedErrorId : NotSupported
    Message     : Cannot add secret metadata '...' to vault '...: The vault does not support the Set-SecretInfo function.
    HResult     : -2146233067
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : NotImplemented: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Set-Secret], PSNotSupportedException
FullyQualifiedErrorId : SetSecretMetadataCommandNotSupported,Microsoft.PowerShell.SecretManagement.SetSecretCommand
InvocationInfo        :
    MyCommand        : Set-Secret
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 48
    Line             : Set-Secret -Name "..." -SecureStringSecret $(New-Password -SecureString) -Vault ...-Metadata @{Expiration = (Get-Date).AddDays(100)} -Debug
    PositionMessage  : At line:1 char:1
                       + Set-Secret -Name "..." -SecureStringSecret $(New-Password -Sec …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Set-Secret
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Microsoft Windows 10.0.20348
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

I'm not using Crescendo

Visuals

No response

andyleejordan commented 3 weeks ago

Hi, can you please cross-file a bug with https://github.com/Azure/azure-powershell? They maintain https://www.powershellgallery.com/packages/Az.KeyVault/2.0.0 which is the implementing module you're getting an error from.

danikuci1 commented 2 weeks ago

Opened https://github.com/Azure/azure-powershell/issues/25975 as requested, though I'm not sure the Az.KeyVault module is to blame here. Consider the verbose output from Set-Secret:

VERBOSE: Performing the operation "Write secret to vault and override any existing secret of the same name" on target "asdf".
VERBOSE: Invoking command Set-Secret on module Az.KeyVault.Extension
VERBOSE: Invoking command Set-SecretInfo on module Az.KeyVault.Extension
Set-Secret: Cannot add secret metadata '624881344' to vault 'asdf: The vault does not support the Set-SecretInfo function.
VERBOSE: Invoking command Remove-Secret on module Az.KeyVault.Extension
VERBOSE: Secret 624881344 was successfully removed from vault asdf.
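
The verbose trace above shows the sequence that loses the secret: the new value is written, the extension's Set-SecretInfo throws NotSupported, and Set-Secret then "rolls back" by calling Remove-Secret, which deletes the secret it just overwrote rather than restoring the old one. The wrapper below is an added example, not code from the SecretManagement project or from the issue author. It writes the value and the metadata as two separate SecretManagement calls so a metadata failure can never trigger that Remove-Secret path, snapshots the previous value first so a real rollback is possible, and reports whether the metadata actually landed. The function name, the `-RestoreOnMetadataFailure` switch and the vault name in the usage comment are assumptions for illustration; it uses only the public Set-Secret, Get-Secret, Set-SecretInfo and Get-SecretInfo cmdlets.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement
# Added example (hypothetical helper, not part of SecretManagement or Az.KeyVault).
# Writes a secret value and its metadata as two independent calls so that an
# unsupported Set-SecretInfo cannot cause the secret to be removed.
function Set-SecretWithMetadata {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [string]       $Vault,
        [Parameter(Mandatory)] [securestring] $Secret,
        [Parameter(Mandatory)] [hashtable]    $Metadata,
        # Assumed switch: put the previous value back if metadata cannot be applied.
        [switch] $RestoreOnMetadataFailure
    )

    # Snapshot the current value (if any). This is what a safe rollback restores;
    # deleting the secret, as the verbose trace shows, is not a rollback.
    $previous = $null
    try {
        $previous = Get-Secret -Name $Name -Vault $Vault -ErrorAction Stop
    } catch {
        Write-Verbose "No existing secret '$Name' in vault '$Vault'; this is a create, not an update."
    }

    # Step 1: write the value only. Without -Metadata, Set-Secret has no reason to
    # call the extension's Set-SecretInfo and therefore no failure path that removes the secret.
    if ($PSCmdlet.ShouldProcess("$Vault/$Name", 'Write secret value')) {
        Set-Secret -Name $Name -Vault $Vault -SecureStringSecret $Secret -ErrorAction Stop
    }

    # Step 2: apply metadata as a separate call and keep the value in place on failure.
    $metadataApplied = $false
    try {
        if ($PSCmdlet.ShouldProcess("$Vault/$Name", 'Set secret metadata')) {
            Set-SecretInfo -Name $Name -Vault $Vault -Metadata $Metadata -ErrorAction Stop
            $metadataApplied = $true
        }
    } catch {
        Write-Warning "Secret '$Name' was written to '$Vault', but metadata was not applied: $($_.Exception.Message)"
        if ($RestoreOnMetadataFailure -and $null -ne $previous) {
            # Real rollback: restore the previous value instead of deleting the secret.
            Set-Secret -Name $Name -Vault $Vault -Secret $previous -ErrorAction Stop
            Write-Warning "Previous value of '$Name' restored in vault '$Vault'."
        }
    }

    # Step 3: verify the secret still exists and whether the vault reports the metadata keys.
    $info = Get-SecretInfo -Name $Name -Vault $Vault -ErrorAction Stop
    if (-not $info) { throw "Secret '$Name' is missing from vault '$Vault' after the update." }
    $reported = @($Metadata.Keys | Where-Object {
        $null -ne $info.Metadata -and $info.Metadata.ContainsKey($_)
    })

    [pscustomobject]@{
        Name             = $Name
        Vault            = $Vault
        HadPrevious      = $null -ne $previous
        MetadataApplied  = $metadataApplied
        MetadataVerified = ($reported.Count -eq $Metadata.Count)
    }
}

# Usage (assumes a vault registered as 'MyVault'; the name is an assumption):
# $new = Read-Host -AsSecureString -Prompt 'New value'
# Set-SecretWithMetadata -Name 'SomeSecret' -Vault 'MyVault' -Secret $new `
#     -Metadata @{ Expiration = (Get-Date).AddMonths(1) } -RestoreOnMetadataFailure -Verbose
```

The `MetadataVerified` field matters for the Az.KeyVault case described later in this thread, where Set-SecretInfo can return without error yet the metadata never reaches the vault: `MetadataApplied` tells you the call succeeded, `MetadataVerified` tells you whether Get-SecretInfo actually reports the keys you set. If an extension vault is known not to support metadata, set the expiry with that vault's own tooling (for Key Vault, Set-AzKeyVaultSecret) after this function returns.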

danikuci1 commented 2 weeks ago

Looking through the tests, it seems maybe the module isn't intended to support metadata at all?

https://github.com/PowerShell/SecretManagement/blob/de1e4996241f4234e5ff893e12d15e81001db2fd/test/Microsoft.PowerShell.SecretManagement.Tests.ps1#L127

Contrary to this comment, Set-SecretInfo also does not set metadata in AKV, although it doesn't delete the secret at least 🤷