New PowerShell Secrets Management Module - Easily use any secret provider

Reddit Comments

Still requires me to type in a password. I want to see someone demo passwordless vault retrieval for automation. :/

πŸ‘οΈŽ︎ 22 πŸ‘€οΈŽ︎ u/Szeraax πŸ“…οΈŽ︎ Apr 29 2021 πŸ—«︎ replies

this British guy is great. His video for the az104 really helped me pass that exam. Also it’s kinda hilarious seeing this ripped dude with giant rippling muscles squiggle on the whiteboard and explain IT concepts. My man looks like he smashes triathlons for breakfast

πŸ‘οΈŽ︎ 6 πŸ‘€οΈŽ︎ u/stephenfawkes πŸ“…οΈŽ︎ Apr 30 2021 πŸ—«︎ replies

I'm still lost on the use of this.

It just seems like an easy way to programmatically access your secret vault...which seems dangerous as well.

It's like saying "Now we've made it easier to consolidate all of your passwords in one place, so you don't have to have them scattered all over your scripts AND you can access everything via one single password!"

It doesn't seem more secure to me, but I know I must be missing something obvious, I just don't know what?

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/AlexHimself πŸ“…οΈŽ︎ Apr 29 2021 πŸ—«︎ replies

Thanks for the video John, sweet setup btw. As I learn more about scripts, secret management always keeps me up at night while writing automation, wondering if someone can get my password lol

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/neirad πŸ“…οΈŽ︎ Apr 29 2021 πŸ—«︎ replies

Hi John, thanks for all the awesome videos. Do you have anything on monitoring expiring certificates? I've come up with a crude PowerShell runbook solution but I feel there must be a better method I'm missing. Thanks in advance.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/JonesTheBond πŸ“…οΈŽ︎ Apr 29 2021 πŸ—«︎ replies

Can someone explain like I'm five what this is

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/[deleted] πŸ“…οΈŽ︎ Apr 30 2021 πŸ—«︎ replies

John, Thanks for the videos. I am curious what software and monitor setup you are using. Thanks in advance. Lou

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/louhg72 πŸ“…οΈŽ︎ May 04 2021 πŸ—«︎ replies

You can use a PAM/PIM to input passwords into scripts as the parameters to a script. The only password that a user has is their regular logon username/password.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/PersonaZ-i-M πŸ“…οΈŽ︎ May 06 2021 πŸ—«︎ replies
Captions
Hey everyone, in this video I want to explore how I can have secrets in my PowerShell scripts and use them no matter where those secrets have actually been stored and what that actual implementation is. Maybe it's sitting on the file system, maybe it's Azure Key Vault, maybe I'm using Credential Manager or HashiCorp Vault or LastPass. Whatever it is, I don't want to have to know about that within my script. I want to be able to write a script, and then whatever the user of that script chooses to use for the implementation of actually storing the secrets, it doesn't matter; I don't have to change my script at all. And we can do this with the brand new SecretManagement module. As always, if this is useful, a like, subscribe, comment and share is appreciated, and please hit that bell to be notified when I release new videos.

So the challenge is this: I write my PowerShell script, so I have my great PowerShell script, and somewhere within there I need a secret. Now maybe that secret is something I just want to read in from wherever it is, maybe I want to write it; whatever that might be, I want to interact with some secret. Now, where possible we're trying to avoid secrets completely. If this was running in Azure, for example, I could use a managed identity, so it automatically has an authentication and authorization, and then I can use role-based access control on resources. But let's say I do need a secret. Now there are many different ways we can think about actually having secrets. I could have something, ultimately, on a file system. I could absolutely use things that are cloud-based, so I could think about solutions like Azure Key Vault. We have things locally on our machine using things like Credential Manager, and as I kind of talked about, there are many, many others as well: HashiCorp Vault, LastPass, there's a huge number of these. But to work with those, they would all work in different ways, so my code would be different, and we really want to avoid that.

So what we're actually going to leverage is this new module, and what this module actually is, it's SecretManagement. So we have this brand new Microsoft-provided SecretManagement module, and the whole point of this thing is it's completely going to abstract what the actual implementation of the secret is. I don't care, from my script. This is going to expose a number of commands, commands that let me, for example, write secrets, get secrets, modify the secrets. So I'm going to have these standard commands for set, get, etc., and it's going to be the same command no matter how that's actually stored, and that's kind of the key point.

So if I jump over for a second to PowerShell, the first thing is you install the module. Now the module I actually have to have is this SecretManagement module, so we have this command here to Install-Module Microsoft.PowerShell.SecretManagement. Now I'm also installing Microsoft.PowerShell.SecretStore. This is optional, but this is going to give me a store on the local file system that I could leverage to store my secrets. Completely optionally, but for me I like to install it for the scope of all users. Now I've run that from an elevated command; that's already installed. Now I can go and look at what the commands actually are for SecretManagement, and we can see it's very basic, but we find we have commands: look, I can set a secret, we have that, zoom in, I can also, if I scroll up, there we go, I can do things like get secrets, I can also see what secret vaults are available, and I can register secret vaults, and there are things like remove secrets. There are other things I can do, but it's really this generic set of commands that I can use. Now additionally I have added the SecretStore. There's really not much you do with this. You can see, hey, there's some SecretStore configuration, and that's really about it; I can unlock it, I can change its password.

Now if I just go and look initially, I've done a fresh installation on this machine, I have no vaults actually registered. So the first thing we have to do is actually register the vault. So I'm going to go ahead and actually register the SecretStore provider, that module, to add that to my SecretManagement configuration, and I'm going to set it as the default vault. So I've done that; now if I do a get we can now see I have that configured. So what I've actually done at this point, if I think about it from that file system, well, I have various kinds of providers. So what I've done here is I've added this SecretStore provider, which actually writes things to the file system, so that is essentially now registered with my SecretManagement. So that's what we're doing in all of these configurations.

So let's go back. What I want to do now is, I've done that registration, let's actually just create a secret. So I'm just going to do a Set-Secret, I'm going to call it password1, and then I give it a value. Now the first time we use the SecretStore it's going to make us set a password. This is the password to unlock that SecretStore vault on the file system. So you can see here, okay, it's created it. So this password is only once, because I'm basically initializing that local file system based SecretStore, so this is the password to unlock that vault. So I would set that, make sure I don't forget it, I have to type it again, and I've now configured that. So if we think about our configuration, the kind of connection, the unlock of that is a password, so something in my configuration I'm going to use that to unlock. Now in an automation there are things I can do so I don't get prompted: I can actually pass it as a secure credential. Now obviously there's a bit of a chicken and egg problem here: where do I store this? So if I'm taking this approach, I'm probably going to unlock that before the automation, or work out some other way to pass it, which is why some of these other ones might be more attractive. And I can actually set it to not require a password, so there is that option; that's probably not a security best practice. By default it wants a password.

So if we go back again and continue this, you can see, okay, so I have created that secret. If again I look at my SecretStore configuration, this is what I'm talking about, so that's the SecretStore-specific configuration, and you can see my interaction is going to prompt me to enter the password, it is set to require that password, and there is a timeout of 900, and you can change these. Notice if I wanted to I could have it as a secure string and I could unlock it and pass that; I could also set the authentication to none, so I don't require a password to unlock it, it's just unlocked. Again, security best practice is probably not going to go that way.

Now what this module was actually doing is storing it in the local file system. So if I was to go and look at my local app data, Microsoft, PowerShell, secretmanagement, we'll see two folders. So localstore is the SecretStore where it has that actual encrypted data; it's using the .NET cryptography APIs, that's what it's actually using for the encryption. The SecretVaultRegistry, this other folder, just contains a JSON file of the actual vaults you have registered. So that's really all that is doing.

Now if we carry this on, we wrote a secret; can I get it? Hey, I'll just run the Get-Secret, there it is, and obviously I could save that to a variable. I could say, hey, I need this, and I can say my password is whatever that is, to write it into a variable. I can modify it, so I can very easily modify it, and what I might do here just to have a little bit of fun, if I go and look for example at my subscriptions over here, I'm going to copy my subscription ID just for a little giggle, and what I'm going to do is paste that in here and execute that line, and then I'll reset that to the default. So now what I have is that is set as a secret, if I kind of just do a Get-Secret and I enter that particular name. The other thing I can actually do as well, just cancel out of that for a second, is I can actually just do a Get-SecretInfo. So if I just run Get-SecretInfo it will show me all of the secrets that are currently known across whatever vaults are registered right now, and in this case I'm going to go and get that subscription ID I just set and I'm going to store it in a variable. So now my subscription ID is stored in that variable, so if we looked at that quickly, there it is, so I could use that later on.

Now a secret doesn't have to just be a regular single string. I can for example use a hash table. So here I'm going to set a secret named password2 to be this hash table of username1 equals a password, username2 is a different password. I can absolutely do that. I could then fetch it into a variable, and here I could look at what the hash entry username1 is, and there's its password. Now additionally metadata can be configured. Now a key point here is, when I talk about these providers (I'm going to talk about some other ones), there are certain features they have to implement: setting the secrets, getting a secret. Then there are optional configurations; an optional configuration is something like metadata. The SecretStore, they have supported metadata today; for example Key Vault does not. So you'd have to check with the actual provider on exactly, well, do they support some of the optional features like metadata, but if it does, I can go and configure this as well. So if we jump back over to here, what I'm going to do now is actually, on that secret (remember I don't have to say a vault because this is my default vault), I'm going to set some metadata on it. So here I'm just setting, hey, the metadata, the environment is dev, and now when I Get-SecretInfo I could look at the name and the metadata and, hey, I can see that information, it's available to me. This is great; I'm looking at this local file system based store through the SecretStore module.

Now I want to use Key Vault. Providing I actually have the Az.KeyVault module installed, it's now actually dealing here with the Azure Key Vault. Now what does this use? This is going to use whatever my current context is. I've already done, for example, a Connect-AzAccount. Now that could be I'm a resource in Azure, I'm using managed identity, that would still work, but whatever my current context is, that's what it's going to use for the Key Vault connection, and then whatever permissions that context has, it's going to use role-based access control to deem what I have access to. And once again we can register this to SecretManagement, and the only thing I really have to do here is take the subscription ID and the key vault name. So I'm going to go ahead and actually add a key vault. Now first I actually have to go and look at the key vault. So I have a key vault over here; all I need at this point is its name, so I'm going to copy the title, and then if I jump over, I'm going to put in here, basically I'm passing it this hash table of the key vault name; it needs these two things. So I'm going to create this as the parameters, so I've got my Savill vault RBAC name, then my subscription ID (remember I just got that actually from my local SecretStore), so I've got my key vault parameters, and now I'm going to register a new vault. I'm using the Az.KeyVault module and I'm going to name it KeyVaultStore, and I'm passing it the vault parameters to tell it the key vault name and the subscription. I've now registered another vault, and I can do Get-SecretInfo from that particular vault. Now it's using my default context, and notice I already have secrets, because this particular key vault has secrets that I have permissions to. So there's secret1 and secret2, and I also have a certificate, which is what that's showing there as well. I can now treat it exactly the same way, though; I don't have to do anything different. For example, here, secret1: get that secret as plain text, no different than if I was getting it from that local SecretStore. So here I run that, there we go, that actually went and got it from Azure Key Vault, and I could Set-Secret.

So the whole point here, I am doing nothing different. My script just uses these generic commands that completely abstract away whatever the underlying implementation of the secrets is. The person using my script can make a choice: hey, I'm going to use Azure Key Vault, I'm going to use the SecretStore, I'm going to use Credential Manager, I'm going to use HashiCorp Vault. It doesn't matter at all; the script is completely abstracted through this SecretManagement module. And we can take it one step further. So if we kind of carry on the demo, I'm also going to go ahead and register the Credential Manager. So I've already run this installation, this is another module; this time I'm going to register using that module, the SecretManagement CredMan, and I'm going to call it CredManStore. So I'm registering that, and what I'm now going to do is just again set a secret targeting the CredMan store, and I've now created a secret. Likewise I can go and get it, no difference. If I fire up Credential Manager, when we look at our Windows credentials we should see a ps-prefixed entry, there it is; it has gone ahead and created that within Credential Manager, that's how it's storing it. So that is obviously using my default user context for that, but it's completely abstracted away for me. Now we have that CredMan module, so this is obviously, someone specific actually wrote this, but this is using my current user who I've authenticated with on that machine, and that's only going to be Windows. So now I've registered that as well. So the key point is this is cross-platform, so this works on really anything that PowerShell Core, PowerShell 7, works on, so Windows, Linux, macOS, this works, these work; this one is Windows specific, so I should kind of point out Windows only just for that one.

And again there are many, many others. What we can actually do is we can go and look at the PowerShell Gallery and we can look for the tag of SecretManagement, and if we look for that tag (I've got kind of the pre-created search here), well then there's the PowerShell SecretManagement, the PowerShell SecretStore, there's one for KeePass, LastPass, here's that CredMan one I just demonstrated, Bitwarden, HashiCorp Vault, 1Password, Keychain, Chromium, Pleasant Password Server, Keybase, CyberArk, a whole number of these. So you pick which ones you actually want, and again they get to pick what functionality, there's that core set of functionality, then there are optional things such as that actual metadata, etc. I think that's really the cool point. I mean, the final thing I can do is, now I've got three different vaults registered, I could quickly look across all of them, so I can see, look, I have secrets in my SecretStore, I have secrets also in my CredMan, and I have some from Key Vault, but my script does not care. It does nothing different; it's using that standard set of commands, the Get-Secret, Set-Secret, that's all it has to do, and then depending on what I've done on that particular environment, that controls where those actually are, but it completely abstracts it away. And that's the whole point of this: it really just simplifies how I interact, gives me choice without having to actually change my code. All the sample commands I have here are in my random stuff GitHub, which I've linked to in the description. I hope this was useful. You saw how simple this was; this was me setting it up actually during the demo, it all just worked, which, when I was practicing this, it all just worked. It's phenomenally simple but really, really powerful. So with that, take care and I'll see you in another video soon.
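The following is an added example (editor's code, not from the video, John Savill's GitHub, or Microsoft's documentation). It shows the point the captions make, that a script only ever calls Get-Secret and the deployer picks the backend by registering a vault, and it also answers the first Reddit comment about unattended retrieval: the local SecretStore is switched to Interaction None and unlocked from a password the automation host injects, so a missing unlock fails the job instead of hanging on a prompt, while the Azure Key Vault path is genuinely passwordless because a managed identity supplies the Az context and Key Vault RBAC decides what it may read. The vault names (LocalStore, KeyVaultStore), the secret name ApiKey, the key vault name contoso-kv, and the environment variables PS_SECRETSTORE_PASSWORD and AZURE_SUBSCRIPTION_ID are all assumed placeholders; the cmdlets and parameters are the real SecretManagement, SecretStore and Az.KeyVault ones.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement

# Editor's example. Assumed names: LocalStore, KeyVaultStore, ApiKey, contoso-kv,
# and the PS_SECRETSTORE_PASSWORD / AZURE_SUBSCRIPTION_ID environment variables.
param(
    [ValidateSet('LocalStore', 'KeyVaultStore')]
    [string]$Vault = 'LocalStore',      # the deployer chooses the backend, not the script author
    [string]$SecretName = 'ApiKey'
)

function Initialize-LocalStore {
    # Unattended use of Microsoft.PowerShell.SecretStore: keep Authentication = Password
    # (the default the video shows) but set Interaction = None so nothing ever prompts.
    # The store password is the chicken-and-egg secret; here it is assumed to be injected
    # by the automation host (CI agent, runbook variable) as an environment variable.
    if ([string]::IsNullOrEmpty($env:PS_SECRETSTORE_PASSWORD)) {
        throw 'PS_SECRETSTORE_PASSWORD is not set; refusing to fall back to an interactive prompt.'
    }
    $storePw = ConvertTo-SecureString -String $env:PS_SECRETSTORE_PASSWORD -AsPlainText -Force

    if (-not (Get-SecretVault -Name 'LocalStore' -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name 'LocalStore' -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
    }

    # Weak alternative mentioned in the video, deliberately NOT used:
    #   Set-SecretStoreConfiguration -Authentication None
    # (anyone running as this user can read the store without any unlock step).
    Set-SecretStoreConfiguration -Authentication Password -Interaction None `
        -PasswordTimeout 300 -Password $storePw -Confirm:$false

    # Unlock for a short window only; after 300 s Get-Secret errors instead of prompting.
    Unlock-SecretStore -Password $storePw -PasswordTimeout 300
}

function Initialize-KeyVaultStore {
    param(
        [Parameter(Mandatory)] [string]$KeyVaultName,
        [Parameter(Mandatory)] [string]$SubscriptionId
    )
    # Passwordless path: on an Azure VM / Automation / Function, the managed identity
    # provides the Az context, and Key Vault RBAC (e.g. "Key Vault Secrets User")
    # limits which secrets this identity can read. No credential lives in the script.
    if (-not (Get-AzContext)) {
        Connect-AzAccount -Identity | Out-Null
    }
    if (-not (Get-SecretVault -Name 'KeyVaultStore' -ErrorAction SilentlyContinue)) {
        Register-SecretVault -Name 'KeyVaultStore' -ModuleName Az.KeyVault -VaultParameters @{
            AZKVaultName   = $KeyVaultName
            SubscriptionId = $SubscriptionId
        }
    }
}

function Get-AppSecret {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Vault
    )
    # The only secret-handling line the script itself needs. Same call whichever
    # extension module is registered under $Vault.
    $value = Get-Secret -Name $Name -Vault $Vault -AsPlainText -ErrorAction Stop
    if ([string]::IsNullOrEmpty($value)) {
        throw "Secret '$Name' is empty or missing in vault '$Vault'."
    }
    return $value
}

switch ($Vault) {
    'LocalStore'    { Initialize-LocalStore }
    'KeyVaultStore' {
        Initialize-KeyVaultStore -KeyVaultName 'contoso-kv' -SubscriptionId $env:AZURE_SUBSCRIPTION_ID
    }
}

$apiKey = Get-AppSecret -Name $SecretName -Vault $Vault
# Use $apiKey from here on (e.g. in an Authorization header). Do not Write-Host it,
# and do not run this under Start-Transcript with verbose output, or it lands in a log.
```

Run it as `.\script.ps1 -Vault LocalStore` on a build agent that sets PS_SECRETSTORE_PASSWORD, or as `.\script.ps1 -Vault KeyVaultStore` inside Azure with a managed identity; the body of the script does not change between the two. The -AsPlainText switch is what the video uses as well; if the consumer of the secret accepts a SecureString or PSCredential, omit it and pass the object through so the value is never materialised as a plain string in the session.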
Info
Channel: John Savill's Technical Training
Views: 6,016
Rating: 5 out of 5
Keywords: azure, azure cloud, powershell, secrets, secret management, azure key vault, credential manager, secret store
Id: 7b0KGVI4VLY
Length: 20min 15sec (1215 seconds)
Published: Thu Apr 29 2021