Set-Secret deletes secrets unexpectedly #227

Open
3 tasks done
danikuci1 opened this issue Aug 16, 2024 · 3 comments

@danikuci1

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest released version
  • Search the existing issues.

Steps to reproduce

I am trying to leverage the secrets management module to manage secrets in Azure KeyVault and want to update some metadata when a password is updated. This works fine in the AKV but fails when doing it with the module.

Expected behavior

PS> Set-Secret -Name "SomeSecret" -SecureStringSecret $NewPasswordSecureString -Vault MyVault -Metadata @{Expiration = (Get-Date).AddMonths(1)}

Congrats! Your secret was updated and all is well! Yay!

Actual behavior

PS> Set-Secret -Name "SomeSecret" -SecureStringSecret $NewPasswordSecureString -Vault MyVault -Metadata @{Expiration = (Get-Date).AddMonths(1)}

Set-Secret: Cannot add secret metadata 'SomeSecret' to vault 'MyVault': The vault does not support the Set-SecretInfo function.

Yet this works fine if I specify the same metadata with Set-AzKeyVaultSecret or do it manually through the portal.

Error details

Exception             :
    Type        : System.Management.Automation.PSNotSupportedException
    ErrorRecord :
        Exception             :
            Type    : System.Management.Automation.ParentContainsErrorRecordException
            Message : Cannot add secret metadata '...' to vault '...: The vault does not support the
Set-SecretInfo function.
            HResult : -2146233087
        CategoryInfo          : NotImplemented: (:) [], ParentContainsErrorRecordException
        FullyQualifiedErrorId : NotSupported
    Message     : Cannot add secret metadata '...' to vault '...: The vault does not support the
Set-SecretInfo function.
    HResult     : -2146233067
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : NotImplemented: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Set-Secret],
PSNotSupportedException
FullyQualifiedErrorId : SetSecretMetadataCommandNotSupported,Microsoft.PowerShell.SecretManagement.SetSecretCommand
InvocationInfo        :
    MyCommand        : Set-Secret
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 48
    Line             : Set-Secret -Name "..." -SecureStringSecret $(New-Password -SecureString) -Vault
...-Metadata @{Expiration = (Get-Date).AddDays(100)} -Debug
    PositionMessage  : At line:1 char:1
                       + Set-Secret -Name "..." -SecureStringSecret $(New-Password -Sec …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Set-Secret
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Microsoft Windows 10.0.20348
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

I'm not using Crescendo

Visuals

No response

@andyleejordan
Member

Hi, can you please cross-file a bug with https://github.com/Azure/azure-powershell? They maintain https://www.powershellgallery.com/packages/Az.KeyVault/2.0.0 which is the implementing module you're getting an error from.

@danikuci1
Author

Opened Azure/azure-powershell#25975 as requested, though I'm not sure the Az.KeyVault module is to blame here. Consider the verbose output from Set-Secret:

VERBOSE: Performing the operation "Write secret to vault and override any existing secret of the same name" on target "asdf".
VERBOSE: Invoking command Set-Secret on module Az.KeyVault.Extension
VERBOSE: Invoking command Set-SecretInfo on module Az.KeyVault.Extension
Set-Secret: Cannot add secret metadata '624881344' to vault 'asdf: The vault does not support the Set-SecretInfo function.
VERBOSE: Invoking command Remove-Secret on module Az.KeyVault.Extension
VERBOSE: Secret 624881344 was successfully removed from vault asdf.

@danikuci1
Author

Looking through the tests, it seems maybe the module isn't intended to support metadata at all?

# NOTE: Metadata is supported only through Set-SecretInfo (not Set-Secret)

Contrary to this comment, Set-SecretInfo also does not set metadata in AKV, although it doesn't delete the secret at least 🤷
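
A defensive wrapper for the behaviour reported in this thread, as an added example that is not part of the original issue or of either module's code: it writes the secret without `-Metadata`, so a metadata failure cannot trigger the `Remove-Secret` call shown in the verbose output, then attempts the metadata separately and reads it back. `Set-SecretSafely` is a hypothetical helper name; it assumes the removal is triggered only when `-Metadata` is passed to `Set-Secret`, as the verbose output suggests.

```powershell
# Added example; Set-SecretSafely is a hypothetical helper, not part of
# Microsoft.PowerShell.SecretManagement or Az.KeyVault.
function Set-SecretSafely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [securestring] $SecureStringSecret,
        [Parameter(Mandatory)] [string] $Vault,
        [hashtable] $Metadata
    )

    # Write the value WITHOUT -Metadata (assumption: the Remove-Secret call
    # in the thread's verbose output only follows a failed metadata write).
    Set-Secret -Name $Name -SecureStringSecret $SecureStringSecret -Vault $Vault -ErrorAction Stop

    $metadataApplied = $false
    if ($Metadata -and $Metadata.Count -gt 0) {
        try {
            Set-SecretInfo -Name $Name -Vault $Vault -Metadata $Metadata -ErrorAction Stop
            # Read back: the thread reports metadata may not be stored even
            # when Set-SecretInfo does not fail. -Name accepts wildcards, so
            # filter for the exact name.
            $info = Get-SecretInfo -Name $Name -Vault $Vault -ErrorAction Stop |
                Where-Object Name -eq $Name | Select-Object -First 1
            $metadataApplied = $true
            foreach ($key in $Metadata.Keys) {
                if ($null -eq $info -or $null -eq $info.Metadata -or
                    -not $info.Metadata.ContainsKey($key)) {
                    $metadataApplied = $false
                }
            }
        }
        catch {
            Write-Warning "Metadata not applied to '$Name' in '$Vault': $($_.Exception.Message)"
        }
    }

    # Confirm the secret still exists before reporting success.
    $present = [bool](Get-SecretInfo -Name $Name -Vault $Vault -ErrorAction SilentlyContinue |
        Where-Object Name -eq $Name)
    if (-not $present) { throw "Secret '$Name' is missing from vault '$Vault' after the update." }

    [pscustomobject]@{
        Name = $Name; Vault = $Vault
        SecretPresent = $present; MetadataApplied = $metadataApplied
    }
}
```

A caller can treat `MetadataApplied = $false` as a signal to record the expiration elsewhere rather than retrying `Set-Secret -Metadata` against the same vault.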
