Search
StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Managing credentials using the Secret Management PowerShell module

  • August 31, 2023
  • 7 min read
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.
IT Production Manager. Nicolas is primarily focused on Microsoft technologies, he is a Microsoft MVP in Cloud and Datacenter Management.


Secret Management is a new way to manage your credentials with PowerShell. Secret Management uses a vault to store the credentials. You can for example store your credentials locally using the SecretStore extension, but what is very interesting is to store credentials remotely using third-party secret vaults such as: Azure Key Vault, KeePass, LastPass, Bitwarden, …

You can see the list here:

Secret Management Module

The great advantage of this module is to handle many scenarios explained by Microsoft:

  • Sharing a script across the organization without knowing the local vault of all the users
  • Running a deployment script in local, test and production with the change of only a single parameter (-Vault)
  • Changing the backend of the authentication method to meet specific security or organizational needs without needing to update all my scripts

In this article, I will describe how to use the Secret Management module with the Azure Key Vault extension.

Getting Started

First, we need to install the Secret Management module using the following command:

Below is the output.

Below is the output

Next, we need to install the Azure Key Vault module using the following command:

Now, we need to create a Service Principal to interact with your Azure Key Vault.

Open the Azure portal, go to Azure Active Directory -> App Registrations and create a new one. Then copy/paste the AppID + TenantID + create a secret.

Azure Key Vault

Now, you can use this PowerShell code to interact with your Azure environment.

Then, create a new Azure Key Vault using the portal

Create a new Azure Key Vault using the portal

Go to the Access policies tab, and create a new one.

Access policies tab

 

Select the permissions you want to apply, in my case I need at least Get and List permissions.

Select the permissions you want to apply

Then, apply the policy to the Service Principal previously created.

Apply the policy to the Service Principal previously created

Everything is OK, we can now register the Azure Key Vault as a new Secret Vault:

Below is the output.

Register the Azure Key Vault as a new Secret Vault

Now you can test if you can access to your vault using PowerShell:

The output should be True

wp-image-22022

Everything is configured, you can now create a secret. In the Azure portal, go to your Azure Key Vault, click Secrets and Generate/Import.

In my example, I created a secret named PowerShell.

In the Azure portal, go to your Azure Key Vault, click Secrets and Generate/Import

We can try to retrieve the secret from our Azure Key Vault:

The first command retrieves the secret as secure string, and the second one retrieves the secret as plain text.

The first command retrieves the secret as secure string, and the second one retrieves the secret as plain text

Now, we can delete a secret, but I will need to update the access policy.

Update the access policy

I need to add the delete permission.

wp-image-22026

We can confirm that our secret no long exists.

Une image contenant texte, capture d’écran, Police, Bleu électrique Description générée automatiquement

Nothing appears in the portal.

wp-image-22028

And now, we can create a new secret but we also need to update the access policy.

We can create a new secret but we also need to update the access policy

Then, we can create a new secret named PowerShell2.

Below is the output.

Below is the output

And we can confirm in the portal that the new secret has been created.

We can confirm in the portal that the new secret has been created

Hey! Found Nicolas’s article helpful? Looking to deploy a new, easy-to-manage, and cost-effective hyperconverged infrastructure?
Alex Bykovskyi
Alex Bykovskyi StarWind Virtual HCI Appliance Product Manager
Well, we can help you with this one! Building a new hyperconverged environment is a breeze with StarWind Virtual HCI Appliance (VHCA). It’s a complete hyperconverged infrastructure solution that combines hypervisor (vSphere, Hyper-V, Proxmox, or our custom version of KVM), software-defined storage (StarWind VSAN), and streamlined management tools. Interested in diving deeper into VHCA’s capabilities and features? Book your StarWind Virtual HCI Appliance demo today!