The SecretManagement and SecretStore release candidate 2 (RC2) modules are now available on the PowerShell Gallery. These releases contain an exciting new feature which allows users to provide non-sensitive metadata for secrets (note: this feature may not be available for all extension vaults).
For more context on these modules check out these previous blog posts:
- SecretManagement preview 3/SecretStore preview 1
- SecretManagement preview 4/SecretStore preview 2
- SecretManagement preview 5/SecretStore preview 3
- SecretManagement preview 6/SecretStore preview 4
- SecretManagement/SecretStore RC
Before installing this module, please uninstall the current preview versions of the module and restart your PowerShell session.
To install these updates run the following commands:
Uninstall-Module Microsoft.PowerShell.SecretManagement -Force
Uninstall-Module Microsoft.PowerShell.SecretStore -Force
# Restart your PowerShell session
Install-Module -Name Microsoft.PowerShell.SecretStore -Repository PSGallery
Register-SecretVault -Name SecretStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault -AllowClobber
SecretManagement Updates
In addition to bug fixes, this release adds support for secret metadata. Users can now optionally provide non-sensitive metadata for their secrets. Secret metadata was a highly requested feature because, as users store more secrets in SecretManagement, they may want to know what the secrets are intended for (for example, a particular subscription or scenario). As users manage their secrets they may also want to add metadata around secret creation date, expiration time, or other information to manage the secret lifecycle. Metadata is optional for secret vaults to support, so it may not be available for all vault extensions.
Fixes
- Get-Secret and Remove-Secret cmdlets now honor the VaultName parameter from a piped in SecretInformation object
- Secret name and vault name autocompletion now correctly handles names with spaces
Changes
A warning is now displayed when secret cmdlets are used and no vaults are currently registered. For example, if Get-SecretInfo is run without any vaults registered the following warning is emitted:
WARNING: There are currently no extension vaults registered. At least one vault must be registered before SecretManagement can add or retrieve secrets. You can download SecretManagement extension vault modules from PowerShellGallery. https://aka.ms/SecretManagementVaults
New Features
- SecretInformation class now has a new Metadata property for the new secret metadata support
- Set-Secret cmdlet now has a new optional -Metadata property to include additional non-sensitive data associated with a secret. Note that not all vaults will support metadata; if the -Metadata parameter is used with a vault that does not support metadata, the following error is emitted:
Cannot set secret metadata. Vault [Vault Name] does not support secret metadata.
- New Set-SecretInfo cmdlet that takes a -Metadata property which sets additional non-sensitive data to a secret
SecretStore Updates
This release adds support for secret metadata.
How to use metadata with the SecretStore
To create a new secret with metadata you can run:
Set-Secret -Name foo -Secret fooSecret -Metadata @{purpose = "example"}
To view secret metadata you can then run the command:
Get-SecretInfo | select name, metadata
You can also set metadata for an existing secret using the Set-SecretInfo cmdlet:
Set-SecretInfo bar -Metadata @{purpose = "showing the new cmdlet"}
Since SecretMetadata is for non-sensitive data, if you need to store sensitive metadata you may want to consider storing it as a hashtable in the vault itself. For example, if I consider the username, or subscriptionID to be sensitive for particular secrets for resource1 and resource2, I may want to create a secret like:
Set-Secret -name secretMetadata -Secret @{ resource1 = "username1, subID1"; resource2 = "username, subID2"}
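The lifecycle use of metadata mentioned above (creation date, expiration time) can drive a rotation report that reads only Get-SecretInfo and never retrieves a secret value. This is an added example, not code from the original post or the PowerShell team; it assumes a registered vault named SecretStore, and the secret names, the metadata keys (purpose, created, expires), the yyyy-MM-dd date convention and the function name Get-SecretExpiryReport are all constructed for illustration.

```powershell
# Added example: assumes SecretManagement RC2 with a registered vault named
# 'SecretStore'. Secret names, values, metadata keys and dates are constructed.
Import-Module Microsoft.PowerShell.SecretManagement

# Lifecycle metadata is non-sensitive. Dates are stored as yyyy-MM-dd strings
# (a convention of this example) so they parse the same on every machine.
Set-Secret -Name 'ci-deploy-token' -Vault SecretStore -Secret 'constructed-value-1' -Metadata @{
    purpose = 'CI deployment'
    created = '2021-01-15'
    expires = '2021-04-15'
}
Set-Secret -Name 'legacy-api-key' -Vault SecretStore -Secret 'constructed-value-2'  # no metadata

function Get-SecretExpiryReport {
    param(
        [string]   $Vault    = 'SecretStore',
        [int]      $WarnDays = 30,
        [datetime] $Now      = (Get-Date)
    )
    foreach ($info in Get-SecretInfo -Vault $Vault) {
        $meta    = $info.Metadata
        $expires = [datetime]::MinValue
        $status  = 'NoExpirySet'   # secrets without the key are reported, not skipped
        if ($null -ne $meta -and $meta.ContainsKey('expires')) {
            $ok = [datetime]::TryParseExact([string]$meta['expires'], 'yyyy-MM-dd',
                [cultureinfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::None, [ref]$expires)
            if (-not $ok)                                 { $status = 'Unparseable' }
            elseif ($expires -lt $Now)                    { $status = 'Expired' }
            elseif ($expires -lt $Now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            else                                          { $status = 'OK' }
        }
        [pscustomobject]@{
            Name    = $info.Name
            Vault   = $info.VaultName
            Status  = $status
            Expires = if ($status -in 'NoExpirySet', 'Unparseable') { $null } else { $expires }
        }
    }
}

# Report everything that needs attention, using metadata only (no Get-Secret call).
Get-SecretExpiryReport -WarnDays 30 | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Secrets that carry no expires key show up as NoExpirySet rather than being silently dropped, which makes untracked credentials visible in the same report.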
General Availability (GA)
This is a “go live” release, which means that we feel that this RC is feature complete and supported in production.
If no bugs are identified through this release, we will increment the versioning and declare the modules as GA in early April. If any high-risk bugs are identified we will continue to release RCs until the quality bar is met for a GA release.
The Extension Vault Ecosystem
To find other SecretManagement extension vault modules, search the PowerShell Gallery for the “SecretManagement” tag. Some community vault extensions that are available:
Thank you to everyone who has created vaults thus far!
Community blogs
There are also a number of community blogs and resources on this topic. Some of these include:
- SecretManagement Part 1 Introduction
- SecretManagement Part 2 Installation and first steps
- PowerShell: Microsoft’s SecretManagement Module
- Module Monday – Secret Management
- PWSHsecrets
- SecretManagement module for PowerShell
- Writing an Extension Vault for Powershell SecretManagement
Feedback and Support
Community feedback has been essential to the iterative development of these modules. Thank you to everyone who has contributed issues, and feedback thus far! As we approach General Availability for these modules now is the time to test the modules against your scenarios to request changes (especially breaking ones) and discover bugs. To file issues or get support for the SecretManagement interface or vault development experience please use the SecretManagement repository. For issues which pertain specifically to the SecretStore and its cmdlet interface please use the SecretStore repository.
Sydney Smith
PowerShell Team