Tip #12: No need to save credentials in PoSH scripts
There is a cool solution to avoid lines like this in PowerShell:
```powershell
$Password = "YOUR_PASSWORD"
$APIKey = "YOUR_API_KEY"
$Token = "YOUR_TOKEN"
```
and thus prevent accidental leaks of credentials. Introducing Microsoft.PowerShell.SecretManagement and its extension Microsoft.PowerShell.SecretStore. With these modules you can share scripts without first stripping credentials out of them, and you avoid storing credentials in files at all. To use it, install the two modules, configure the secret store, register a vault, and then store secrets in that vault. See Getting Started.
Here is an example script showing how you could make use of it:
```powershell
# Install-Module Microsoft.PowerShell.SecretManagement
# Install-Module Microsoft.PowerShell.SecretStore
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore

$YourVaultName = "TempleOfTheLastCrusade"
$YourSecretName = "HolyGrail"
$YourSecretPurpose = "Price of immortality"
$YourSecretPrompt = "You must choose, but choose wisely"
$YourSecretPasswordTimeOut = 900 # In seconds

# Check if the vault is there; if not, create it and configure it with a password and timeout
If (-not (Get-SecretVault -Name $YourVaultName -ErrorAction SilentlyContinue)) {
    Set-SecretStoreConfiguration -Scope CurrentUser -Authentication Password -PasswordTimeout $YourSecretPasswordTimeOut -Confirm:$false
    Register-SecretVault -Name $YourVaultName -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
}

# Check if the secret is stored in the vault; if not, ask for it
If (-not (Get-Secret -Name $YourSecretName -Vault $YourVaultName -ErrorAction SilentlyContinue)) {
    $HolyGrail = Read-Host -AsSecureString $YourSecretPrompt
    Set-Secret -Name $YourSecretName -Metadata @{Purpose = $YourSecretPurpose} -Secret $HolyGrail -Vault $YourVaultName
}

# Retrieve the stored secret from the specified vault and convert it to plain text
$TheHolyGrailInPlainSight = Get-Secret -Name $YourSecretName -Vault $YourVaultName -AsPlainText
Write-Host "The holy grail is: $TheHolyGrailInPlainSight"
```
If you haven't created a SecretStore vault on your system yet, you have to create it with a password first. This password has a session timeout; it is like the master password for your vault(s) and its secrets. If you register multiple vaults, each secret will be in each vault, obviously with different values. This allows you to create, for instance, a DevVault and a ProdVault.
On the second run the secret is read without a prompt, unless the vault timeout has expired.
(Screenshot: second run)
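The script above ends by pulling the secret back out with -AsPlainText and writing it to the console, which puts the value into a variable and a transcript. The following added example (not part of the original post) keeps the value as a SecureString, lists what is in the vault without revealing values, and hands the secret to Invoke-RestMethod as a Bearer token; the vault and secret names are reused from the script above, while the API URL and the Rotated metadata key are placeholders I chose for the example.

```powershell
# Added example, not from the original post. Assumes the vault from the script
# above is already registered and unlocked (or the password prompt is acceptable).
Import-Module Microsoft.PowerShell.SecretManagement
Import-Module Microsoft.PowerShell.SecretStore

$VaultName  = "TempleOfTheLastCrusade"
$SecretName = "HolyGrail"
$ApiUri     = "https://api.example.invalid/status"   # placeholder endpoint

# Store the secret if it is missing. Get-SecretInfo returns metadata only, so
# this check never materialises the value.
If (-not (Get-SecretInfo -Name $SecretName -Vault $VaultName -ErrorAction SilentlyContinue)) {
    $NewValue = Read-Host -AsSecureString "Enter the API token to store"
    Set-Secret -Name $SecretName -Secret $NewValue -Vault $VaultName `
        -Metadata @{ Purpose = "API token"; Rotated = (Get-Date).ToString("o") }
}

# Inventory the vault: names, types and metadata, but no values. Safe to log.
Get-SecretInfo -Vault $VaultName | Select-Object Name, Type, Metadata

# Retrieve the secret in its default SecureString form (no -AsPlainText).
$Token = Get-Secret -Name $SecretName -Vault $VaultName

# Pass the SecureString straight to the cmdlet. -Authentication Bearer with a
# SecureString -Token is available in PowerShell 6 and later; the plain-text
# value never lands in a variable, the transcript, or Write-Host output.
Try {
    Invoke-RestMethod -Uri $ApiUri -Authentication Bearer -Token $Token
}
Catch {
    Write-Warning "API call failed: $($_.Exception.Message)"
}

# For a credential-based API, wrap the same SecureString in a PSCredential.
$Cred = [pscredential]::new("svc-account", $Token)   # placeholder user name
```

Rotating the token is then a single Set-Secret call with fresh metadata, and the scripts that consume it need no change.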
Find out more in this blog post: https://devblogs.microsoft.com/powershell/secretmanagement-and-secretstore-are-generally-available/