Closed: maroliict closed this issue 3 years ago
Keep in mind that the store (Microsoft.PowerShell.SecretStore, https://github.com/powershell/secretstore) is a separate module. SecretManagement is designed to work with multiple vaults, and each vault module can store secrets however and wherever it wants to. These questions seem to be only for the one Microsoft.PowerShell.SecretStore vault module, and probably should be asked at that GitHub repo.
Microsoft.PowerShell.SecretStore module stores secrets locally at a user location that cannot be modified.
A new vault module could be created to store and retrieve secrets from within an Azure DevOps pipeline, but the Microsoft.PowerShell.SecretStore does not do this by default. It would be possible to configure a DevOps pipeline to use Microsoft.PowerShell.SecretStore (and SecretManagement) modules, but it would have to be set up beforehand within some local account and with secrets pre-populated in the SecretStore.
Microsoft.PowerShell.SecretStore design does allow for a machine-wide account option, rather than the current default user account scope, but that has not yet been implemented. Also, it is not clear if it will be implemented due to security concerns.
Microsoft.PowerShell.SecretManagement module, by itself, does not come with any default vault. So you need to also install a vault module along with it. We have provided the Microsoft.PowerShell.SecretStore vault module as one option for local secret storage. But there are a lot of other community-developed vault modules you can look into.
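The pipeline setup described in the reply above (a local account prepared beforehand, with secrets pre-populated in the SecretStore) could look like the following. This is an added example, not code from the thread or from the SecretStore project; the vault name, password file path, and secret name are hypothetical, and it assumes a Windows build agent.

```powershell
# Added example. $VaultName, $PasswordFile and 'DeployApiToken' are hypothetical.
# Assumes Windows: Export-Clixml protects a SecureString with DPAPI, so the file
# can only be read back by the same user account on the same machine.
$VaultName    = 'AgentStore'
$PasswordFile = Join-Path $env:LOCALAPPDATA 'agent-secretstore-pw.xml'

function Initialize-AgentSecretStore {
    # One-time, interactive step: run while logged on as the agent's local account,
    # because the store is scoped to the current user.
    Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore -Scope CurrentUser -Force

    $storePassword = Read-Host -AsSecureString -Prompt 'New SecretStore password'
    $storePassword | Export-Clixml -Path $PasswordFile

    Register-SecretVault -Name $VaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

    $config = @{
        Scope           = 'CurrentUser'
        Authentication  = 'Password'   # keep the store password-protected
        PasswordTimeout = 900          # seconds the store stays unlocked
        Interaction     = 'None'       # a locked store throws instead of prompting and hanging the job
        Password        = $storePassword
        Confirm         = $false
    }
    Set-SecretStoreConfiguration @config

    # Pre-populate the secrets the pipeline will need.
    $apiToken = Read-Host -AsSecureString -Prompt 'API token'
    Set-Secret -Name 'DeployApiToken' -Secret $apiToken -Vault $VaultName
}

function Get-PipelineSecret {
    # Called from the pipeline job, running as the same local account.
    param([Parameter(Mandatory)][string]$Name)

    $storePassword = Import-Clixml -Path $PasswordFile
    Unlock-SecretStore -Password $storePassword
    Get-Secret -Name $Name -Vault $VaultName   # SecureString unless -AsPlainText is added
}
```

Restrict the password file's ACL to the agent account, since anything that can run code as that account can unlock the store.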
When searching for a way to secure credentials passwords which must be used within a PowerShell/API module to do sensitive work, I passed by this repository. First of all, this looks awesome. But it raises some questions.
These are the questions for now. Thanks in advance for answering them.