March 3rd, 2021

SecretManagement and SecretStore Release Candidate 2

The SecretManagement and SecretStore release candidate 2 (RC2) modules are now available on the PowerShell Gallery. These releases contain an exciting new feature which allows users to provide non-sensitive metadata for secrets (note: this feature may not be available for all extension vaults).

For more context on these modules check out these previous blog posts:

Before installing this module, please uninstall the current preview versions of the module and restart your PowerShell session.

To install these updates run the following commands:

Uninstall-Module Microsoft.PowerShell.SecretManagement -Force
Uninstall-Module Microsoft.PowerShell.SecretStore -Force
# Restart your PowerShell session
Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery
Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber

SecretManagement Updates

In addition to bug fixes, this release adds support for secret metadata. Users can now optionally provide non-sensitive metadata for their secrets. Secret metadata was a highly requested feature: as users store more secrets in SecretManagement, they may want to record what each secret is intended for (for example, a particular subscription or scenario). As users manage their secrets, they may also want to add metadata such as secret creation date, expiration time, or other information to manage the secret lifecycle. Supporting metadata is optional for secret vaults, so it may not be available in all vault extensions.

Fixes

  • Get-Secret and Remove-Secret cmdlets now honor the VaultName parameter from a piped-in SecretInformation object
  • Secret name and vault name autocompletion now correctly handles names with spaces

Changes

A warning is now displayed when secret cmdlets are used and no vaults are currently registered. For example, if Get-SecretInfo is run without any vaults registered, the following warning is emitted:

WARNING:
        There are currently no extension vaults registered.
        At least one vault must be registered before SecretManagement can add or retrieve secrets.
        You can download SecretManagement extension vault modules from PowerShellGallery.
        https://aka.ms/SecretManagementVaults

New Features

  • SecretInformation class now has a new Metadata property for the new secret metadata support
  • Set-Secret cmdlet now has a new optional -Metadata parameter to include additional non-sensitive data associated with a secret. Note that not all vaults support metadata. If the -Metadata parameter is used with a vault that does not support metadata, the following error is emitted:
    Cannot set secret metadata. Vault [Vault Name] does not support secret metadata.
  • New Set-SecretInfo cmdlet that takes a -Metadata parameter, which sets additional non-sensitive data on a secret

SecretStore Updates

This release adds support for secret metadata.

How to use metadata with the SecretStore

To create a new secret with metadata you can run:

Set-Secret -Name foo -Secret fooSecret -Metadata @{purpose = "example"}

To view secret metadata you can then run the command:

Get-SecretInfo | select name, metadata

You can also set metadata for an existing secret using the Set-SecretInfo cmdlet:

Set-SecretInfo bar -Metadata @{purpose = "showing the new cmdlet"}

Because secret metadata is for non-sensitive data, if you need to store sensitive metadata you may want to consider storing it as a hashtable secret in the vault itself. For example, if I consider the username or subscriptionID to be sensitive for particular secrets for resource1 and resource2, I may want to create a secret like:

Set-Secret -Name secretMetadata -Secret @{ resource1 = "username1, subID1"; resource2 = "username2, subID2"}
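
One way to use metadata for the lifecycle tracking described above, shown as an added example that is not part of the original post or of the modules: a function that flags secrets whose metadata marks them as expired, expiring soon, or carrying no expiry at all. The Expires key name, its ISO 8601 string value, and the Get-ExpiringSecret function are assumptions of this example.

```powershell
# Added example. The 'Expires' key and its ISO 8601 UTC string value are a
# convention assumed here; SecretManagement does not define metadata keys.
function Get-ExpiringSecret {
    [CmdletBinding()]
    param(
        # Objects from Get-SecretInfo (uses Name, VaultName, Metadata)
        [Parameter(Mandatory, ValueFromPipeline)] [object] $SecretInfo,
        [int] $WithinDays = 14,
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $meta = $SecretInfo.Metadata
        $status = $null; $expires = $null
        if ($null -eq $meta -or -not $meta.ContainsKey('Expires')) {
            $status = 'NoExpiry'   # untracked: nothing will prompt a rotation
        }
        else {
            $parsed = [datetime]::MinValue
            $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
            $ok = [datetime]::TryParse([string]$meta['Expires'],
                [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)
            if (-not $ok) { $status = 'BadExpiry' }
            else {
                $expires = $parsed
                if ($parsed -le $Now) { $status = 'Expired' }
                elseif ($parsed -le $Now.AddDays($WithinDays)) { $status = 'ExpiringSoon' }
            }
        }
        if ($status) {
            [pscustomobject]@{
                Name = $SecretInfo.Name; VaultName = $SecretInfo.VaultName
                Status = $status; Expires = $expires
            }
        }
    }
}

# Constructed sample standing in for Get-SecretInfo output, so this runs without a vault.
$now = [datetime]::new(2021, 3, 3, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'foo'; VaultName = 'SecretStore'; Metadata = @{ purpose = 'example'; Expires = '2021-03-10T00:00:00Z' } }
    [pscustomobject]@{ Name = 'bar'; VaultName = 'SecretStore'; Metadata = @{ purpose = 'showing the new cmdlet' } }
    [pscustomobject]@{ Name = 'old'; VaultName = 'SecretStore'; Metadata = @{ Expires = '2021-01-01T00:00:00Z' } }
)
$sample | Get-ExpiringSecret -Now $now

# Against a registered vault that supports metadata:
#   Set-SecretInfo -Name foo -Metadata @{ purpose = 'example'; Expires = '2021-06-01T00:00:00Z' }
#   Get-SecretInfo | Get-ExpiringSecret -WithinDays 30
```

Secrets reported as NoExpiry are worth reviewing first, since nothing in their metadata will ever prompt a rotation.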

General Availability (GA)

This is a “go live” release, which means that we feel that this RC is feature complete and supported in production.

If no bugs are identified through this release, we will increment the versioning and declare the modules as GA in early April. If any high-risk bugs are identified we will continue to release RCs until the quality bar is met for a GA release.

The Extension Vault Ecosystem

To find other SecretManagement extension vault modules, search the PowerShell Gallery for the “SecretManagement” tag. Some community vault extensions that are available:

Thank you to everyone who has created vaults thus far!

Community blogs

There are also a number of community blogs and resources on this topic. Some of these include:

Feedback and Support

Community feedback has been essential to the iterative development of these modules. Thank you to everyone who has contributed issues and feedback thus far! As we approach General Availability for these modules, now is the time to test the modules against your scenarios, request changes (especially breaking ones), and discover bugs. To file issues or get support for the SecretManagement interface or vault development experience, please use the SecretManagement repository. For issues which pertain specifically to the SecretStore and its cmdlet interface, please use the SecretStore repository.

Sydney Smith

PowerShell Team

Author

PM on the PowerShell team at Microsoft.