SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for the HashiCorp Vault key-value (KV) secrets engine. It supports KV version 1, KV version 2, and cubbyhole (which behaves like v1). It does not yet support every version 2 feature; in particular, versioned secrets (reading or restoring anything other than the newest version) are not supported.

| Extension version | PowerShell 6.0+ | Windows PowerShell 5.1 | Constrained Language Mode |
| --- | --- | --- | --- |
| 1.x.x | Yes | Yes | No |
| 2.x.x | Yes | No | Yes |

NOTE: This project is not maintained by Hashicorp.
I work on this in my free time because I use Vault.
If Hashicorp would like to adopt this module please reach out.

QuickStart

When registering a vault you need to provide at least these options:

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name PowerShellTest -VaultParameters @{ VaultServer = 'http://vault.domain.local:8200'; VaultAuthType = 'Token'}

To disable HTTPS certificate checks (e.g. for self-signed certificates in a lab) use the VaultSkipVerify parameter. Note that skipping verification means any host that can answer on that address can impersonate Vault and receive your token; for anything beyond a lab, trust the issuing CA on the client instead.

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name PowerShellTest -VaultParameters @{ VaultServer = 'https://vault.domain.local:8200'; VaultAuthType = 'Token'; VaultSkipVerify = $true}

The vault name must match exactly, as HashiCorp Vault is case sensitive. If no VaultParameters are provided, the functions will prompt you on the first execution in your session. You may also specify which version of KV you are using when registering; it defaults to KV version 2.

$VaultParameters = @{ VaultServer = 'https://vault-cluster.domain.local'
   VaultToken=$(Read-Host -AsSecureString | ConvertFrom-SecureString)
   KVVersion = 'v1'}

If you stored your secrets in a flat structure (i.e. no slashes in the path), you may want every secret returned as a PSCredential. You can do this by providing the following:

$VaultParameters = @{ ...
    OutputType = 'PSCredential'
}

The default is to return the secret as a Hashtable.

You may pass either a single text string or a hashtable to the -Secret parameter of Set-Secret; a hashtable is written as the secret's key/value fields.
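The registration options above, followed by one full round trip (write, read, list, remove) through the standard SecretManagement cmdlets, as an added example that is not part of this README. It assumes a Vault server at the hypothetical address https://vault.example.internal:8200 with a KV v2 mount, that Microsoft.PowerShell.SecretManagement and this extension are installed, and that the token you type has read/write rights on the path used.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, SecretManagement.Hashicorp.Vault.KV

$vaultName = 'PowerShellTest'

# Added example, not the project's code. Hostname is hypothetical.
# No VaultSkipVerify here: trust the private CA on the client instead, so a host
# presenting a self-signed certificate cannot impersonate Vault and capture the token.
$vaultParameters = @{
    VaultServer   = 'https://vault.example.internal:8200'
    VaultAuthType = 'Token'
    # Same token handling as the README's example: prompt, then keep an encrypted standard string.
    VaultToken    = $(Read-Host -Prompt 'Vault token' -AsSecureString | ConvertFrom-SecureString)
    KVVersion     = 'v2'          # the default; use 'v1' for a v1 or cubbyhole mount
    OutputType    = 'Hashtable'   # the default; 'PSCredential' suits flat username/password secrets
}

# Re-register cleanly if a vault of this name already exists in the session.
if (Get-SecretVault -Name $vaultName -ErrorAction SilentlyContinue) {
    Unregister-SecretVault -Name $vaultName
}
Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name $vaultName -VaultParameters $vaultParameters

# Confirm the extension can reach and authenticate to Vault before using it.
if (-not (Test-SecretVault -Name $vaultName)) {
    throw "Vault '$vaultName' failed its connectivity/authentication test"
}

# A hashtable becomes the secret's fields; the secret name is the KV path under the mount.
Set-Secret -Name 'apps/payments/db' -Vault $vaultName -Secret @{ username = 'payments'; password = 'S3cr3t!' }

# String values come back as SecureString unless -AsPlainText is given, so only
# request plaintext where the value is actually consumed.
$db = Get-Secret -Name 'apps/payments/db' -Vault $vaultName -AsPlainText
"Connecting as $($db.username)"

# Name/type listing; on KV v2 the Metadata property carries Vault's metadata for the secret.
Get-SecretInfo -Vault $vaultName | Format-Table Name, Type, VaultName

# Clean up (on KV v2 this removes the latest version only; see the distinctions below).
Remove-Secret -Name 'apps/payments/db' -Vault $vaultName
```

Run it interactively once; afterwards the registration persists across sessions under the name PowerShellTest, so the Register-SecretVault step is only needed again if the parameters change.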

KV Version 2 distinctions

  • Get-Secret retrieves only the newest version of a secret
  • Get-SecretInfo returns the HashiCorp metadata for the secret
  • Set-Secret adds or updates without check-and-set (CAS) by default; to enforce CAS, pass -Metadata @{cas=<versionNumber>}
  • Remove-Secret removes only the latest version of a secret
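A worked example of the KV v2 behaviour listed above, centred on check-and-set, added here and not taken from the project. It assumes a vault named PowerShellTest is already registered against a KV v2 mount, and that the Metadata dictionary returned by Get-SecretInfo exposes Vault's current_version field under that key (an assumption about this extension; confirm with `(Get-SecretInfo -Name <path> -Vault PowerShellTest).Metadata.Keys`).

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement, SecretManagement.Hashicorp.Vault.KV

# Added example, not the project's code. Assumes 'PowerShellTest' is registered on a KV v2 mount.
$vaultName = 'PowerShellTest'
$name      = 'apps/payments/api-key'

# Seed the secret. Without cas this is a plain create-or-update.
Set-Secret -Name $name -Vault $vaultName -Secret @{ key = 'initial' }

# Read the current version from Vault's metadata (assumed key name: current_version).
$info    = Get-SecretInfo -Name $name -Vault $vaultName
$current = [int]$info.Metadata['current_version']
"Current version: $current"

# Optimistic concurrency: the write is accepted only if the secret is still at $current.
# (cas = 0 would instead mean "create only if the secret does not exist yet".)
Set-Secret -Name $name -Vault $vaultName -Secret @{ key = 'rotated' } -Metadata @{ cas = $current }

# Replaying the same stale version number models a second writer that read before our
# rotation; Vault rejects it, which surfaces as a terminating error with -ErrorAction Stop.
try {
    Set-Secret -Name $name -Vault $vaultName -Secret @{ key = 'lost-update' } -Metadata @{ cas = $current } -ErrorAction Stop
    Write-Warning 'Stale CAS write unexpectedly succeeded; is this mount really KV v2?'
}
catch {
    "Stale write rejected as expected: $($_.Exception.Message)"
}

# Get-Secret only returns the newest version, so this prints 'rotated', never 'lost-update'.
(Get-Secret -Name $name -Vault $vaultName -AsPlainText).key

# Remove-Secret removes only the latest version on KV v2; earlier versions stay in Vault's
# version history and must be destroyed through Vault itself if they must not survive.
Remove-Secret -Name $name -Vault $vaultName
```

The cas value should always come from a metadata read in the same operation, not from a number cached earlier; otherwise the guard protects against nothing.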
