PowerCommander - Add-KeeperSecretManagerClient can't return base64 configuration string

[rdavisunr]

PowerCommander doesn't seem to have the option to return a base64 configuration string when creating a Keeper Secret Manager Client. Only the one time access token is provided as a return value. Example:
Add-KeeperSecretManagerClient -App “someApp”

Whereas, the regular Commader CLI can do the following:
secrets-manager client add --app someApp --config-init b64

Could you please add the ability to create base64 configs in the PowerCommander Add-KeeperSecretManagerClient function?

Alternatively, is there a current method in PowerCommander to convert a one time access token into a base64 config?

Extra Context

I am evaluating the Secret Manager product as a possible purchase add-on for my organization (we are a current Keeper customer).

Here's what I am trying to accomplish:

During an automated Infrastructure Deployment...

• Create Shared Folders, Applications and Device Clients with PowerCommander
• Invoke Keeper Terraform to create secrets for the Shared Folders (your terraform module requires a configuration, which is why I need the b64 value)
• Use SecretsManager PowerShell plugin to pull secrets as needed (also using b64 config value).

[sk-keeper]

It looks like this task belongs rather to secrets-manager project then to keeper sdk for .Net.
Secrets Manager already has a code sample of converting one time token to KSM configuration
https://github.com/Keeper-Security/secrets-manager/blob/a8187c3d1f215f1dbcdad9bccaa61a0d4de9b176/sdk/dotNet/SecretManagement.Keeper/SecretManagement.Keeper.psm1#L37

That configuration could be converted to base64 text as

1. Load KSM library
   a. $module = Get-InstalledModule SecretManagement.Keeper
   b. Add-Type -Path "$($module.InstalledLocation)\SecretManagement.Keeper.dll"
2. Get configuration from the token
   a $result = [SecretManagement.Keeper.Client]::GetVaultConfigFromToken($token).GetAwaiter().GetResult()
3. Convert configuration to JSON
   a. $js = $result.Data | ConvertTo-Json
4. Convert JSON to Base64
   a. $b64 = [System.Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($js))

I will transfer this issue to secrets manager repository

[rdavisunr]

@sk-keeper - I believe this repo was the correct spot for this issue.

You are correct that KSM can be used to exchange a one-time token for a base64 configuration.

However, I'd like to see that ability added to PowerCommander. Specifically, the Add-KeeperSecretManagerClient function.

In full-fledged Keeper Commander CLI, you can get a base64 config back at the time you add/create a client. For example:
secrets-manager client add --app someApp --config-init b64

I would like that same ability in PowerCommander's Add-KeeperSecretManagerClient function.

[sk-keeper]

@rdavisunr
KeeperSDK/PowerCommander and SecretsManager are two separates SDKs that use different APIs.
In order to start using SecretsManager a one time access token should be created. It is done with KeeperSDK.
KeeperSDK does not know how this token is going to be used.

It is SecretsManager API that converts one time access token access token into base64 configuration.
Python's Commander distributes both Keeper and SecretsManager SDKs
It is OK for Python's Commander since it is not a library like .Net Keeper SDK.

We do not want to distribute SecretsManager SDK with .Net Keeper SDK/PowerCommander.
Moreover PowerCommander targets .Net Framework while SecretsManager SDK uses .Net Core.

You mentioned in your original message:

Use SecretsManager [PowerShell plugin](https://docs.keeper.io/secrets-manager/secrets-manager/integrations/powershell-plugin) to pull secrets as needed (also using b64 config value).

It looks like you already have both SDKs in your setup. You can use already installed SecretsManager SDK to create Base64 configuration from the one time access token.
Ideally, SecretsManager team would expose that functionality as cmdlet in SecretsManager PowerShell plugin

[sk-keeper]

@rdavisunr - If you are going to use both SDKs then extending SecretsManager SKD would be the easiest solution.
Otherwise we could try to convert one time access token into KSM configuration using direct KSM backend APIs.

[rdavisunr]

It looks like you already have both SDKs in your setup. You can use already installed SecretsManager SDK to create Base64 configuration from the one time access token.

The part of the deployment that uses the Secrets Manager PowerShell plugin runs separately and in a different environment from the part that is using PowerCommander to create folders, apps, clients and Terraform for secrets.

Ultimately, I was just hoping for feature parity between Keeper Commander CLI and PowerCommander. But, I understand the limitations after your explanation.

[sk-keeper]

We'll add that missing step (exchange one time token for ksm configuration) into Keeper SDK. It is just one API call.

[sk-keeper]

PowerCommander v0.9.3 is published to PowerShell Gallery.
It adds -B64 parameter to Add-KeeperSecretManagerClient cmdlet.