PowerCommander - Add-KeeperSecretManagerClient can't return base64 configuration string #103

Closed
rdavisunr opened this issue Oct 13, 2023 · 7 comments

Comments

@rdavisunr

rdavisunr commented Oct 13, 2023

PowerCommander doesn't seem to have the option to return a base64 configuration string when creating a Keeper Secret Manager Client. Only the one time access token is provided as a return value. Example:
Add-KeeperSecretManagerClient -App "someApp"

Whereas, the regular Commander CLI can do the following:
secrets-manager client add --app someApp --config-init b64

Could you please add the ability to create base64 configs in the PowerCommander Add-KeeperSecretManagerClient function?

Alternatively, is there a current method in PowerCommander to convert a one time access token into a base64 config?

Extra Context

I am evaluating the Secret Manager product as a possible purchase add-on for my organization (we are a current Keeper customer).

Here's what I am trying to accomplish:

During an automated Infrastructure Deployment...

  • Create Shared Folders, Applications and Device Clients with PowerCommander
  • Invoke Keeper Terraform to create secrets for the Shared Folders (your terraform module requires a configuration, which is why I need the b64 value)
  • Use SecretsManager PowerShell plugin to pull secrets as needed (also using b64 config value).
@sk-keeper
Collaborator

It looks like this task belongs rather to secrets-manager project than to keeper sdk for .Net.
Secrets Manager already has a code sample of converting one time token to KSM configuration
https://github.com/Keeper-Security/secrets-manager/blob/a8187c3d1f215f1dbcdad9bccaa61a0d4de9b176/sdk/dotNet/SecretManagement.Keeper/SecretManagement.Keeper.psm1#L37

That configuration could be converted to base64 text as

  1. Load KSM library
    a. $module = Get-InstalledModule SecretManagement.Keeper
    b. Add-Type -Path "$($module.InstalledLocation)\SecretManagement.Keeper.dll"
  2. Get configuration from the token
    a. $result = [SecretManagement.Keeper.Client]::GetVaultConfigFromToken($token).GetAwaiter().GetResult()
  3. Convert configuration to JSON
    a. $js = $result.Data | ConvertTo-Json
  4. Convert JSON to Base64
    a. $b64 = [System.Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($js))

I will transfer this issue to secrets manager repository

@rdavisunr
Author

@sk-keeper - I believe this repo was the correct spot for this issue.

You are correct that KSM can be used to exchange a one-time token for a base64 configuration.

However, I'd like to see that ability added to PowerCommander. Specifically, the Add-KeeperSecretManagerClient function.

In full-fledged Keeper Commander CLI, you can get a base64 config back at the time you add/create a client. For example:
secrets-manager client add --app someApp --config-init b64

I would like that same ability in PowerCommander's Add-KeeperSecretManagerClient function.

@sk-keeper
Collaborator

sk-keeper commented Nov 9, 2023

@rdavisunr
KeeperSDK/PowerCommander and SecretsManager are two separate SDKs that use different APIs.
In order to start using SecretsManager a one time access token should be created. It is done with KeeperSDK.
KeeperSDK does not know how this token is going to be used.

It is SecretsManager API that converts one time access token into base64 configuration.
Python's Commander distributes both Keeper and SecretsManager SDKs.
It is OK for Python's Commander since it is not a library like .Net Keeper SDK.

We do not want to distribute SecretsManager SDK with .Net Keeper SDK/PowerCommander.
Moreover PowerCommander targets .Net Framework while SecretsManager SDK uses .Net Core.

You mentioned in your original message:

Use SecretsManager [PowerShell plugin](https://docs.keeper.io/secrets-manager/secrets-manager/integrations/powershell-plugin) to pull secrets as needed (also using b64 config value).

It looks like you already have both SDKs in your setup. You can use already installed SecretsManager SDK to create Base64 configuration from the one time access token.
Ideally, SecretsManager team would expose that functionality as cmdlet in SecretsManager PowerShell plugin.

@sk-keeper
Collaborator

sk-keeper commented Nov 9, 2023

@rdavisunr - If you are going to use both SDKs then extending SecretsManager SDK would be the easiest solution.
Otherwise we could try to convert one time access token into KSM configuration using direct KSM backend APIs.

@rdavisunr
Author

rdavisunr commented Nov 9, 2023

It looks like you already have both SDKs in your setup. You can use already installed SecretsManager SDK to create Base64 configuration from the one time access token.

The part of the deployment that uses the Secrets Manager PowerShell plugin runs separately and in a different environment from the part that is using PowerCommander to create folders, apps, clients and Terraform for secrets.

Ultimately, I was just hoping for feature parity between Keeper Commander CLI and PowerCommander. But, I understand the limitations after your explanation.

@sk-keeper
Collaborator

We'll add that missing step (exchange one time token for ksm configuration) into Keeper SDK. It is just one API call.

@sk-keeper
Collaborator

PowerCommander v0.9.3 is published to PowerShell Gallery.
It adds -B64 parameter to Add-KeeperSecretManagerClient cmdlet.
