Implementation of supported secret types for CredMan #2
SteveL-MSFT merged 11 commits into PowerShell:master from PaulHigin:initial_secrets_module
Conversation
Modules/Microsoft.PowerShell.SecretsManagement/src/code/SecretsManagement.cs
SteveL-MSFT left a comment:
Ok with the code changes, we should go through a cmdlet review however.
@SteveL-MSFT Then can you merge this to main branch? I don't have permissions and I don't want the work to get lost.
Modules/Microsoft.PowerShell.SecretsManagement/src/Microsoft.PowerShell.SecretsManagement.psd1
| # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. | ||
| CmdletsToExport = 'Register-SecretsVault','Unregister-SecretsVault','Get-SecretsVault','Add-Secret','Remove-Secret','Get-Secret' | ||
| CmdletsToExport = @( | ||
| 'Register-SecretsVault','Unregister-SecretsVault','Get-SecretsVault','Add-Secret','Remove-Secret','Get-Secret','Get-Secrets') |
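Review bot: The replacement array adds 'Get-Secrets' next to the existing 'Get-Secret' in CmdletsToExport; please confirm both cmdlets are actually implemented in SecretsManagement.cs, because a name listed here that the assembly does not provide is simply not exported and the mismatch is easy to miss. Since the two names differ by a single letter, a short note in the manifest or the cmdlet help stating which one returns a secret value and which one enumerates would also help reviewers and users tell them apart.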
There are still Get-Secret and Get-Secrets cmdlets?
I think we should have two cmdlets that a) return a secret value and b) enumerate secrets with a useful display. I feel doing this in a single (Get-Secret) cmdlet is confusing. We don't need to use the current cmdlet names but we should have two separate ones.
For example:
New-PSSession -Credential (Get-Secret MyDomainCred)
and
Get-Secrets
Name Value Vault
---------- ------------- ---------------
AzCred PSCredential AzVault
The original idea was to follow the pattern of Get-Command, Get-Alias and other Get cmdlets in that if you don't specify a filter or identifier, you enumerate them. This is a pretty consistent pattern in PowerShell.
In scripts, I expect it should always Get-Secret <secretName> [-Vault <ifneeded>]. Interactively, I expect folks to use Get-Secret to see what they have, then Get-Secret <secretName> to use.
Yes, but that doesn't work here because in the cases you cited, a single type is returned, e.g., CmdletInfo, but in the secrets case we return five types.
And the two use patterns are completely different. In one case we return a single secret type instance.
New-PSSession -cn . -credential (Get-Secret MyCred)
In the other we enumerate one or more secret dictionary entries along with contextual information.
Get-Secret
Name Value Vault
------ ------ -------
MyCred PSCredential AzVault
...
The use patterns are not compatible and require separate cmdlets to avoid confusion.
This is an initial implementation of local vault support for our secret types, using CredMan. We still need a Linux version, which I'll work on next. Tests still need to be created.
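The manifest change above lists both Get-Secret and Get-Secrets in CmdletsToExport, and the thread asks whether both really exist. The following PowerShell script is an added example, not code from this PR or from the PowerShell team: it reads a module manifest and compares the declared CmdletsToExport against the cmdlet classes compiled into the binary RootModule, reporting names that are declared but not implemented and names that are implemented but not exported. The manifest path in the usage line and the assumption that the RootModule .dll sits beside the .psd1 are both assumptions for illustration.

```powershell
# Added example (not part of the PR): check that a module manifest's
# CmdletsToExport list agrees with the cmdlets the binary module implements.
function Test-CmdletExportConsistency {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$ManifestPath
    )

    # Import-PowerShellDataFile evaluates the .psd1 in restricted-language mode,
    # so reading an untrusted manifest does not execute arbitrary code.
    $manifest = Import-PowerShellDataFile -Path $ManifestPath
    $declared = @($manifest.CmdletsToExport)

    if ($declared -contains '*') {
        Write-Warning 'CmdletsToExport contains a wildcard; list cmdlet names explicitly.'
    }

    # Assumed layout: RootModule names a .dll next to the manifest.
    $rootModule = Join-Path (Split-Path -Parent $ManifestPath) $manifest.RootModule
    $assembly   = [System.Reflection.Assembly]::LoadFrom((Resolve-Path $rootModule).Path)

    # GetTypes() throws if a dependency cannot be loaded; keep the types that did load.
    try {
        $types = $assembly.GetTypes()
    }
    catch [System.Reflection.ReflectionTypeLoadException] {
        $types = $_.Exception.Types | Where-Object { $_ }
    }

    # Every cmdlet class carries [Cmdlet(Verb, Noun)]; rebuild "Verb-Noun" from it.
    $implemented = foreach ($type in $types) {
        $attr = $type.GetCustomAttributes([System.Management.Automation.CmdletAttribute], $false)
        if ($attr) { '{0}-{1}' -f $attr[0].VerbName, $attr[0].NounName }
    }
    $implemented = @($implemented)

    [pscustomobject]@{
        Declared       = $declared
        Implemented    = $implemented
        # Promised by the manifest but absent from the assembly: silently not exported.
        NotImplemented = @($declared | Where-Object { $_ -notin $implemented })
        # Compiled into the assembly but missing from the manifest: hidden from Get-Command.
        NotExported    = @($implemented | Where-Object { $_ -notin $declared })
    }
}

# Usage (assumed path, adjust to the checkout being reviewed):
# Test-CmdletExportConsistency -ManifestPath './Modules/Microsoft.PowerShell.SecretsManagement/src/Microsoft.PowerShell.SecretsManagement.psd1'
```

An empty NotImplemented list confirms that every name in the manifest, including both Get-Secret and Get-Secrets, has a backing cmdlet class; a non-empty NotExported list points at cmdlets that were compiled but would never be visible to users of the module.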