pspete / psPAS

PowerShell module for CyberArk Privileged Access Security REST API
https://pspas.pspete.dev
MIT License

PowerShell SecretManagement Extension? #317

Closed gregharms closed 3 years ago

gregharms commented 3 years ago

Is your feature request related to a problem? Please describe.

The Microsoft PowerShell SecretManagement module (still in preview) can be extended, but there is no CyberArk PAS extension yet on the PowerShell Gallery. I'm intrigued by the idea of obtaining secrets from my CyberArk PAS vault via this new cross-platform module from Microsoft.

Describe the solution you'd like

A SecretManagement extension that can talk to CyberArk PAS.

Describe alternatives you've considered

I'm considering building my own SecretManagement.CyberArkPAS module, but I'm realizing my favored path would likely be wrappers around existing functions in psPAS. For example, Get-SecretInfo would be calling Get-PASAccount. So I thought, before I get too deep into development, I'd ask here to see if it would fit better as an added capability of psPAS or a peer project within pspete's great collection of CyberArk projects.

Additional context

https://github.com/PowerShell/SecretManagement

pspete commented 3 years ago

No doubt this would be a great project. If it helps, psPAS will only contain features/commands which directly interact with the CyberArk API endpoints. By all means, use the available psPAS commands to create the extension; it is this kind of project which perfectly encapsulates why psPAS was developed 😃 I'd be happy to contribute/collaborate...

gregharms commented 3 years ago

I'll update this thread if/when I get capacity to work on this. Or if someone else gets some time to tackle it, they might come across the issue and update us all.

Thanks for the reply!

aaearon commented 3 years ago

I took this as an opportunity to expand my PowerShell knowledge and came up with https://github.com/aaearon/SecretManagement.CyberArk. In the end, it just wraps a lot of psPAS modules.

Couple of notes:

In addition to that, I am struggling to find a use case for this myself. Maybe I am not 'getting it', but it feels like using just psPAS without SecretManagement would be a lot more straightforward.

NathanielMaier commented 3 years ago

Looks great, @aaearon! I don't have an immediate use case, but I'm wondering if this would help write product-agnostic code. It looks like you'd still have to handle the New-PASSession piece before using Set-Secret/Get-Secret with your extension, but then switching out to a different SecretManagement extension should be easier.

So the "secret zero" problem about having a password to log in with New-PASSession - typically could be solved with pspete's CredentialRetriever module. Would there be a way to allow that to be used from this SecretManagement extension in addition to psPAS? It'd be slick if you could Get-Secret using the CCP or CP and then Set-Secret to add something with psPAS.

pspete commented 3 years ago

Closing this issue; further discussion can be raised on the https://github.com/aaearon/SecretManagement.CyberArk repo 😃