joshcorr / SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
MIT License

Extracting value from key:value pair on a secret path #6

Closed szahri closed 3 years ago

szahri commented 3 years ago

Hi there, I'm just having a play with this module and trying to figure out how to get a value from a key within a secret path.

Example : I have a key:value called testuser:testpass1234 under the secret/mysecrets/secret1 path.

While I can do this successfully:

get-secret -name mysecrets/secret1 -Vault secret

UserName                          Password
--------                          --------
mysecrets/secret1 System.Security.SecureString

I'm unable to access the value of testuser underneath this path:

get-secret -name mysecrets/secret1/test -Vault secret

It just bombs out with the following error :

Get-Secret : Unable to get secret sysadmin/Temp/test from vault secret
At line:1 char:1
+ Get-Secret -Vault secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Power...sionVaultModule:ExtensionVaultModule) [Get-Secret], PSInvalidOperationException
    + FullyQualifiedErrorId : GetSecretInvalidOperation,Microsoft.PowerShell.SecretManagement.GetSecretCommand

Get-Secret : The secret mysecrets/secret1/test was not found.
At line:1 char:1
+ Get-Secret -Vault secret
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...etSecretCommand:GetSecretCommand) [Get-Secret], ItemNotFoundException
    + FullyQualifiedErrorId : GetSecretNotFound,Microsoft.PowerShell.SecretManagement.GetSecretCommand

In comparison, using the native vault command I could definitely extract the key:value pair like so:

vault kv get -version=1 secret/mysecrets/secret1/test 

==== Data ====
Key                             Value
---                               -----
testuser                       testpass1234

How do I go about extracting the same info using your module? Or am I using it the wrong way? I'm using kv1 engine. Nice work btw :)

Thanks J

joshcorr commented 3 years ago

1st off, thanks for submitting an issue and using the extension!

A few quick questions so I can look into it:

What version of PowerShell are you using ($psversiontable)? What version of SecretManagement are you using? Or are you loading this module directly into your PowerShell session?

I have a branch I have been sitting on for some GA changes, so will include this fix if I can.

szahri commented 3 years ago

Hi Josh, Here are the details :

$PSVersionTable

Name                           Value                                                                                                                                                                        
----                           -----                                                                                                                                                                        
PSVersion                      5.1.19041.906                                                                                                                                                                
PSEdition                      Desktop                                                                                                                                                                      
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                                                                                                      
BuildVersion                   10.0.19041.906                                                                                                                                                               
CLRVersion                     4.0.30319.42000                                                                                                                                                              
WSManStackVersion              3.0                                                                                                                                                                          
PSRemotingProtocolVersion      2.3                                                                                                                                                                          
SerializationVersion           1.1.0.1                                                                                                                                                                      

The version of SecretManagement and SecretStore are 1.0.0 and 1.0.2 respectively.

Thanks! J

joshcorr commented 3 years ago

I am trying to re-create this and understand the situation a little bit more.

This is what I initially had:

image

This is what I think you set up, correct?

image

joshcorr commented 3 years ago

I can retrieve secrets from both locations.

image

The design of the extension might not be optimal for most Hashicorp Vault use right now. The current output type I am returning is a PSCredential, but maybe a better output type would be a hashtable. That way you can use the custom key/value under the path.

joshcorr commented 3 years ago

@szahri Please check out the new Preview Branch. This now includes the default output of a Hashtable, which might help with part of the problem.

Example usage below: image
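
Added example, not code from this thread or from the extension: a hypothetical helper, `Get-VaultKvValue`, that selects one named key from the object `Get-Secret` returns and covers both return types discussed above (PSCredential and Hashtable). The sample objects are constructed inline so it runs without a Vault connection; that Hashtable values may come back as plain strings is an assumption.

```powershell
# Added example. Get-VaultKvValue is a hypothetical helper, not part of the extension.
function Get-VaultKvValue {
    [CmdletBinding()]
    [OutputType([securestring])]
    param(
        [Parameter(Mandatory)] [object] $Secret,  # object returned by Get-Secret
        [Parameter(Mandatory)] [string] $Key      # key stored under the KV path
    )

    if ($Secret -is [hashtable]) {
        if (-not $Secret.ContainsKey($Key)) {
            # Report key names only; never echo values into error records or logs.
            $known = ($Secret.Keys | Sort-Object) -join ', '
            throw "Key '$Key' not found at this path. Keys present: $known"
        }
        $value = $Secret[$Key]
        if ($value -is [securestring]) { return $value }
        # Assumption: values may be plain strings. Wrap them so they are not
        # printed by accident or captured in a transcript.
        return ConvertTo-SecureString -String ([string]$value) -AsPlainText -Force
    }

    if ($Secret -is [pscredential]) {
        # A PSCredential has only UserName and Password, so custom key names are lost.
        throw "Secret was returned as PSCredential (UserName '$($Secret.UserName)'); key '$Key' cannot be selected."
    }

    throw "Unsupported secret type: $($Secret.GetType().FullName)"
}

# Constructed sample data mirroring the thread.
# In real use: $secret = Get-Secret -Name mysecrets/secret1 -Vault secret
$fromPreview = @{ testuser = 'testpass1234' }

# Hashtable output: pick the key and build a credential without printing the value.
$password = Get-VaultKvValue -Secret $fromPreview -Key testuser
$cred = [pscredential]::new('testuser', $password)
$cred.UserName

# PSCredential output (constructed): the helper fails with a clear message.
$legacyPw = ConvertTo-SecureString -String 'constructed-value' -AsPlainText -Force
$legacy = [pscredential]::new('mysecrets/secret1', $legacyPw)
try {
    Get-VaultKvValue -Secret $legacy -Key testuser
} catch {
    Write-Warning $_.Exception.Message
}
```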

joshcorr commented 3 years ago

@szahri Were you able to test the new version?

rhochmayr commented 3 years ago

Hi Joshua

Just tested the preview release and this is working perfectly! Both ways, reading and writing secrets btw. Thanks for all the work on this module, consuming HC Vault is extremely comfortable on Windows PowerShell systems with this.

Cheers, Rob

joshcorr commented 3 years ago

This issue should now be resolved. Please open another issue if you have any further problems with this functionality.