Question Regarding Azure Key Vault and OAuth 2.0 #225

Open
jesnyder13 opened this issue Jul 18, 2024 · 1 comment

@jesnyder13

Summary of the new feature / enhancement

The background of this question is that this module saves my team a lot of refactoring when switching between vaults, since a wide variety of vaults have extensions available. It is very, very useful for working with creds on the shell.

I am attempting to use the Microsoft.PowerShell.SecretManagement module to access Azure Key Vault secrets in a hybrid environment. Our setup requires authentication coming from outside of the Azure tenant. For other Azure services, we can use either OAuth 2.0 authorization with a registered app or service principal authentication.

However, with the SecretManagement module, I've noticed that:

  1. The only authentication method available seems to be service principal.
     • When I use OAuth I receive the following when using Get-Secret:

     ```powershell
     Connect-AzAccount -AccessToken ... # successful auth
     Get-Secret ...
     ```

     Message: AKV10000: Request is missing a Bearer or PoP token.

     • When I use service principal it works fine.

     ```powershell
     Connect-AzAccount -ServicePrincipal ... # successful auth
     Get-Secret ... # successful secret retrieval
     ```

  2. There is currently no -AccessToken option for Get-Secret.

I am specifically looking for a way to use OAuth 2.0 with this module, similar to how we can with other Azure services.

  1. Are there plans to add OAuth 2.0 support to the Microsoft.PowerShell.SecretManagement module for Azure Key Vault?
  2. In the meantime, is service principal authentication the recommended approach for our scenario?
  3. Are there any workarounds or best practices for using OAuth 2.0 with the SecretManagement module and Azure Key Vault?
  4. Is this a valid question?

Reference: https://learn.microsoft.com/en-us/powershell/utility-modules/secretmanagement/how-to/using-azure-keyvault?view=ps-modules

I have opened a case with the Key Vault Support Team #2407160040005824 but thought maybe I should check here as well.

Proposed technical implementation details (optional)

No response

@jesnyder13
Author

After a call with support it seems the issue is not directly with the modules themselves.

  1. I can successfully obtain a bearer token for Azure Key Vault.
  2. Using this token, I'm able to retrieve secret values via the Invoke-RestMethod cmdlet, confirming the token's validity.
  3. However, when I attempt to use the Get-AzKeyVaultSecret cmdlet from the Az.KeyVault module, I receive an error: 'AKV10000: Request is missing a Bearer or PoP token.'
  4. During a support call, we tried various approaches with Set-AzContext, but we haven't found a way to make the Az.KeyVault module commands utilize the existing bearer token.

If you would be able to share a way that works with these modules on the shell to successfully interact with the Azure Key Vault using the bearer token, I would be very grateful. If not, I understand.
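The data-plane call described in step 2 above, as an added example that is not part of the issue or of the SecretManagement/Az modules. It assumes the bearer token was issued for the Key Vault audience (https://vault.azure.net, not the ARM audience https://management.azure.com, which the data plane rejects), and the vault name, secret name and token value are placeholders.

```powershell
# Added example (not from the issue). Assumptions: $KeyVaultToken holds a bearer
# token whose audience is https://vault.azure.net; 'contoso-kv' and 'db-password'
# are placeholder names.

function Get-KeyVaultSecretViaRest {
    param(
        [Parameter(Mandatory)][string]$VaultName,
        [Parameter(Mandatory)][string]$SecretName,
        [Parameter(Mandatory)][string]$BearerToken,
        [string]$ApiVersion = '7.4'   # Key Vault REST API version
    )

    # GET {vault}/secrets/{name}?api-version=... returns the latest version's value.
    $uri     = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=$ApiVersion"
    $headers = @{ Authorization = "Bearer $BearerToken" }

    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    }
    catch {
        # Key Vault answers auth failures with a JSON body carrying error.code
        # (e.g. AKV10000 when no usable token is presented); surface it instead
        # of the generic HTTP message so the cause is visible in logs.
        $detail = $_.ErrorDetails.Message
        throw "Key Vault request to $uri failed: $detail"
    }

    # Hand the value back as a SecureString so the plain text does not linger
    # in the pipeline, history or a transcript; callers convert only when needed.
    return ConvertTo-SecureString -String $resp.value -AsPlainText -Force
}

# --- usage (placeholders) ---
# One way to obtain a token with the Az modules is
#   Get-AzAccessToken -ResourceUrl 'https://vault.azure.net'
# (newer Az.Accounts versions return the token as a SecureString).
$KeyVaultToken = '<bearer token for audience https://vault.azure.net>'

$secret = Get-KeyVaultSecretViaRest -VaultName 'contoso-kv' `
                                    -SecretName 'db-password' `
                                    -BearerToken $KeyVaultToken

# $secret is a SecureString; use it directly with cmdlets that accept one.
```

Note that Connect-AzAccount's token-based parameter set (-AccessToken with -AccountId) also accepts a separate -KeyVaultAccessToken, which is how Az.Accounts supplies a Key Vault-scoped token to the data-plane cmdlets when no interactive or service-principal login is in play.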
