Accessing Secret variable from API

Product: PowerShell Universal
Version: 5.0.16

I have a secret variable defined in the vault database. I have verified that I can access it from a script using this code:

Write-Output $Secret:MysecretVariable

But when I try to get the value from an API Endpoint it always returns empty.

I'm using an API token for authentication and have tried giving the API token and identity all roles, but still no luck. I can see that $ClaimsPrincipal contains the role that has access to the secret variable.

I tried to find information about this in the documentation and forum but could not find a solution. In the older version 3 we used Get-Secret -Name "mysecret" and used the BuiltInLocalVault.
But that does not exist on my fresh 5.0.16 installation. Is the BuiltInLocalVault not added anymore?

Is it by design that you can’t access the secret variable located in database when using API? Or am I missing something?

You need to either change the requirements for gRPC authentication via the appsettings.json file by setting the mode to Integrated or Permissive (you can follow the instructions at this page), or you can use the Connect-PSUServer cmdlet to authenticate the API to be able to access secrets by following the example I provided for another user:

If you generate an App Token based on an identity that has access to the secrets (for example, your own login), and then use that with the Connect-PSUServer cmdlet, the script would run with the same level of access the account the token is based on has.

So, at the top of your script, you’d have something like:

$AppToken = <redacted>
Connect-PSUServer -AppToken $AppToken -ComputerName 'https://<redacted>'
1 Like

We don't send secret values via the API at all. When using Get-Secret, it's bypassing PSU and using the Secret Management module directly. Depending on the vault, you might be able to access the secret.

The database vault isn’t an actual Secret Management vault, so you won’t be able to use Get-Secret with it.

BuiltInLocalVault should still be available. It uses Credential Manager, but it is user specific. You need to be running as the same user as the PSU service to access that vault via Get-Secret.

If you really want to access a secret over an API, you could create an API to do this. Obviously, there are security implications here, and that's why PSU doesn't provide it.

New-PSUEndpoint -Url '/secret/:name' -Endpoint {
    # The :name route parameter is bound to $Name; read it from the Secret: drive
    Get-Item -Path "Secret:\$Name"
}
2 Likes
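The endpoint sketched above serves whatever secret name the caller puts in the URL to anyone who can reach the route. The following is an added example (not code from the thread or from PowerShell Universal's own documentation) that combines the two answers: a hardened version of the endpoint that only serves an explicit allow-list of secret names to callers holding a specific role, plus the client-side call using an App Token of the kind the first answer describes. Assumptions not stated on the page: that New-PSUEndpoint accepts -Role and -Method, that $Identity holds the caller's identity name inside an endpoint, that New-PSUApiResponse sets the HTTP status code and body, and that the role name 'SecretReaders', the allow-list contents and the host placeholder are invented for the example.

```powershell
# Added example, not part of the original thread or of PSU's own documentation.
#
# ---- Server side (endpoints.ps1) ----------------------------------------
# Assumed: New-PSUEndpoint supports -Role/-Method, $Identity is the caller's
# identity name, New-PSUApiResponse sets status/body. Role and allow-list are
# made up for the example.
New-PSUEndpoint -Url '/secret/:name' -Method 'GET' -Role 'SecretReaders' -Endpoint {
    # Define the allow-list inside the endpoint: it runs in its own runspace,
    # so variables from the outer script are not visible here.
    $AllowedSecrets = @('MysecretVariable')

    # $Name is bound from the :name route parameter. Validate it before it
    # touches the Secret: drive, and answer 404 (not 403) so the endpoint does
    # not confirm which secret names exist.
    if ($Name -notmatch '^[A-Za-z0-9_-]+$' -or $Name -notin $AllowedSecrets) {
        return New-PSUApiResponse -StatusCode 404 -Body 'Not found'
    }

    # Belt and braces: -Role already gates the route, but check the claims
    # principal too so a later edit that drops -Role does not silently open it.
    if (-not $ClaimsPrincipal.IsInRole('SecretReaders')) {
        return New-PSUApiResponse -StatusCode 404 -Body 'Not found'
    }

    # Same call as in the thread; the value is only ever returned over HTTPS
    # to an authenticated caller with the role.
    $Value = Get-Item -Path "Secret:\$Name"
    $Body  = @{ name = $Name; requestedBy = $Identity; value = "$Value" } | ConvertTo-Json -Compress
    New-PSUApiResponse -StatusCode 200 -Body $Body -ContentType 'application/json'
}

# ---- Client side (any PowerShell session) -------------------------------
# The App Token must be generated for an identity that holds 'SecretReaders';
# the endpoint runs with that identity's access, as the first answer explains.
$PsuHost  = 'https://psu.example.internal'          # placeholder host, replace
$AppToken = Read-Host -Prompt 'App token' -AsSecureString   # keep it out of history/logs
$Plain    = [System.Net.NetworkCredential]::new('', $AppToken).Password

$Headers = @{ Authorization = "Bearer $Plain" }
$Result  = Invoke-RestMethod -Method Get -Uri "$PsuHost/secret/MysecretVariable" -Headers $Headers

# $Result.value now holds the secret; do not Write-Output it into a transcript.
$Secure = ConvertTo-SecureString -String $Result.value -AsPlainText -Force
Remove-Variable -Name Plain, Result
```

The two checks that matter are the allow-list and the role gate: without them the route is a generic "read any secret" primitive for every authenticated token, which is exactly the exposure the second answer is warning about. Keep the response body off any transcript or log, and note that an App Token is itself a bearer credential; protect it like the secrets it can read.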