Implementation of supported secret types for CredMan #2
Conversation
Modules/Microsoft.PowerShell.SecretsManagement/src/code/SecretsManagement.cs
Outdated
Show resolved
Hide resolved
|
@SteveL-MSFT Then can you merge this to main branch? I don't have permissions and I don't want the work to get lost. |
Modules/Microsoft.PowerShell.SecretsManagement/src/Microsoft.PowerShell.SecretsManagement.psd1
Outdated
Show resolved
Hide resolved
| @@ -73,7 +46,9 @@ PowerShellVersion = '5.1' | |||
| FunctionsToExport = @() | |||
|
|
|||
| # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. | |||
| CmdletsToExport = 'Register-SecretsVault','Unregister-SecretsVault','Get-SecretsVault','Add-Secret','Remove-Secret','Get-Secret' | |||
| CmdletsToExport = @( | |||
| 'Register-SecretsVault','Unregister-SecretsVault','Get-SecretsVault','Add-Secret','Remove-Secret','Get-Secret','Get-Secrets') | |||
There was a problem hiding this comment.
There is still a Get-Secret and Get-Secrets cmdlets?
There was a problem hiding this comment.
I think we should have two cmdlets that a) return a secret value and b) enumerate secrets with a useful display. I feel doing this in a single (Get-Secret) cmdlet is confusing. We don't need to use the current cmdlet names but we should have two separate ones.
There was a problem hiding this comment.
For example:
New-PSSession -Credential (Get-Secret MyDomainCred)and
Get-Secrets
Name Value Vault
---------- ------------- ---------------
AzCred PSCredential AzVaultThere was a problem hiding this comment.
The original idea was to follow the pattern of Get-Command, Get-Alias and other Get cmdlets in that if you don't specify a filter or identifier, you enumerate them. This is a pretty consistent pattern in PowerShell.
In scripts, I expect it should always Get-Secret <secretName> [-Vault <ifneeded>]. Interactively, I expect folks to use Get-Secret to see what they have, then Get-Secret <secretName> to use.
There was a problem hiding this comment.
Yes, but that doesn't work here because in the cases you cited, a single type is returned, e.g., CmdletInfo, but in the secrets case we return five types.
And the two use patterns are completely different. In one case we return a single secret type instance.
New-PSSession -cn . -credential (Get-Secret MyCred)In the other we enumerate one or more secret dictionary entries along with contextual information.
Get-Secret
Name Value Vault
------ ------ -------
MyCred PSCredential AzVault
...The use patterns are not compatible and require separate cmdlets to avoid confusion.
This is an initial implementation of local vault support for our secret types, using CredMan. We still need a Linux version, which I'll work on next. Tests still need to be created.