joshcorr / SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
MIT License

[Feature] Unattended Unlock-SecretVault #38

Open phillippover opened 2 years ago

phillippover commented 2 years ago

Is your feature request related to a problem? Please describe.
I'd like to use this module in an automation project which requires the vault to be unlocked unattended, without user interaction.

Describe the solution you'd like
A Login parameter for Unlock-SecretVault that maps to Role-ID or UserName depending on AuthType, instantiating the Credential object fully, thus not requiring user interaction via Read-Host or Get-Credential.

Describe alternatives you've considered
Attempted to alias Read-Host and Get-Credential to allow unattended replies to Get-Credential, but this didn't work.

phillippover commented 2 years ago

Working on a fix, will raise a PR when I have it tested locally.

joshcorr commented 2 years ago

Thanks for the issue and initiative on a PR.

Be aware that this module is meant to be an extension with the PowerShell team's SecretManagement (SM) module. As a result there is a strict signature that needs to be used and it executes in a runspace not directly accessible to the executing session. So adding parameters may not be completely possible (for this module's purpose). There is a register function in the SM module and you can provide credentials to this when registering a Vault (term used in the SM not to be confused with Hashicorp terms).

I have not been able to touch this project in a while, but if you create a PR I should be able to review it.

phillippover commented 2 years ago

@joshcorr Thanks for the heads up on the function signatures. That's changed my approach then. I'm thinking that as all of the functions include the AdditionalParameters hashtable, I could add the missing username/roleID in there and respond accordingly?

joshcorr commented 2 years ago

I was reviewing the code, and I believe you are right. Adding logic for role_id and secret_id could be possible, but an alternative approach could be for including a Credential object when registering the Vault. It could then be used for Userpass/LDAP/AppRole auth methods since they all require an account and secret.

The AdditionalParameters parameter you see in the extension is not directly accessible when using the SM module, but whatever you put into the VaultParameters is automatically passed to AdditionalParameters. VaultParameters being in the following example.

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name secret -VaultParameters @{ VaultServer = 'http://localhost:8200'; KVVersion = 'v2'; VaultAuthType = 'AppRole'; Credential = (Get-credential -UserName role-id)} -AllowClobber -Verbose

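One way to perform the registration Josh describes above without any interactive prompt, as an added example that is not part of the project or this thread: the PSCredential is built in code from values the automation runner injects, instead of calling Get-Credential. It assumes, as Josh's example suggests, that the extension reads the Credential entry from VaultParameters and uses UserName as role_id and Password as secret_id for AppRole auth (whether that mapping exists depends on the PR being merged). The environment variable names VAULT_ROLE_ID and VAULT_SECRET_ID and the secret name app/config are placeholders chosen for this example.

```powershell
# Added example (not the project's own code): register the SM vault non-interactively.
# Assumes the extension consumes 'Credential' from VaultParameters/AdditionalParameters,
# with UserName -> role_id and Password -> secret_id for VaultAuthType 'AppRole'.
# VAULT_ROLE_ID / VAULT_SECRET_ID are hypothetical names populated by the CI system's
# secret store; the values are never written into the script itself.

$roleId   = $env:VAULT_ROLE_ID
$secretId = $env:VAULT_SECRET_ID
if ([string]::IsNullOrEmpty($roleId) -or [string]::IsNullOrEmpty($secretId)) {
    throw 'VAULT_ROLE_ID and VAULT_SECRET_ID must be set for unattended registration.'
}

# Build the PSCredential in code so no Read-Host/Get-Credential prompt is triggered.
$secure     = ConvertTo-SecureString -String $secretId -AsPlainText -Force
$credential = [System.Management.Automation.PSCredential]::new($roleId, $secure)

# Drop the plaintext copy now that it is wrapped in the SecureString.
Remove-Variable -Name secretId

# Same VaultParameters shape as Josh's example, with the prompt replaced by $credential.
$vaultParams = @{
    VaultServer   = 'http://localhost:8200'
    KVVersion     = 'v2'
    VaultAuthType = 'AppRole'
    Credential    = $credential
}

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV `
    -Name secret -VaultParameters $vaultParams -AllowClobber

# Sanity check: a lookup should now succeed without interaction. 'app/config' is a
# placeholder secret path; a $null result means the AppRole login or policy is wrong.
$value = Get-Secret -Name 'app/config' -Vault secret -AsPlainText
if ($null -eq $value) {
    throw 'Unattended lookup failed; check role_id/secret_id and the Vault policy.'
}
```

Because Register-SecretVault stores VaultParameters in the SM registry, this script only needs to run once per runner; subsequent Get-Secret calls reuse the registered Credential, which is the behaviour the original request for an unattended Unlock-SecretVault is after.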
joshcorr commented 2 years ago

@phillippover I assigned this issue to you so you can work on a PR. If you have any questions feel free to ask. More than happy to help 😃

phillippover commented 2 years ago

PR raised.

joshcorr commented 1 year ago

@phillippover not sure if you saw, but I had a few comments on the PR.