Tss Session timed out

[harrychandrapdx]

Hi,

I am trying to manage about 20k secrets and usually, the TSS Session would time out before my scripts could complete. is there a way to extend a timeout for a session?

My next approach is to break it into smaller batches.

Thanks,
Harry

[wsmelton]

It will depend on what authentication type you are using in reference to using the module's methods. A token itself in Secret Server only lasts as long as the configured timeout, which defaults to 20 minutes. Various things can require that timeout to be increased to an acceptable time but overall 20 minutes in large environments that utilize the REST API is not going to be sufficient.

In addition to that, we also support the use of a Refresh Token, which default allows you to request 3 as max. This would mean if you authenticated using OAuth2 (username/password) you get an initial token (good for 20 minutes) and then refresh it up to 3 times. That gives you around 1.5 hours of processing time.

As it pertains to the module, I've added a method on the TssSession object called CheckTtl(). This method will let you check if your token is about to expire. The intent of this was to allow for long processes and give a method that the author can use to say when the expiration is within 5 minutes or 3 minutes then request a new token via the refresh method. If I am looping over a large number of Secrets this method lets me do something like this in my script process:

foreach ($secret in $secrets {

    if ($Session.CheckTokenTtl('minutes',5)) {
        Write-TssLog @logInfoParam -Message "Token nearing expiration, attempting to renew"
        try {
            $null = $Session.SessionRefresh()
        } catch {
            Write-TssLog @logFatalParam -Message "$currentCommand | [$folderName] | Unable to refresh token: $($_)"
            Write-Error "Unable to refresh token"
            break
        }
        Write-TssLog @logInfoParam -Message "Token nearing expiration, renewed"
    }

    # do some processing
}

The SessionRefresh() method can only be used if your token comes from an OAuth2 authentication. Using Client SDK option requires you to re-authenticate.

[harrychandrapdx]

Hi Shawn,

Thanks for the insight!

I am using the following method to create a connection:

$creds = New-Object System.Management.Automation.PSCredential ($ssUser, $SecurePass)
$Sess = New-TssSession -SecretServer $ssUrl -Credential $creds 

I think I will try to use the CheckTokenTtl and create a new connection when it is close to expiring.

Thank you again!!

-- Harry