Import-PSUSecret?

Product: PowerShell Universal
Version: 5.016

Hi folks, what does this command do? I would like to import secrets from another vault into PSU’s variable store.

It lists all of the available secrets in my other vault but does not appear to actually import anything.

Fwiw, and maybe I missed something scope-wise, but I also can’t retrieve a manually added secret, $secret:abc doesn’t return a value, I can get the variable info with Get-PSUVariable but again no value. I did configure the database password.

Depending on where you’re attempting to use the cmdlet or call the variable, you may need to change the requirements for gRPC authentication via the appsettings.json file by setting the mode to Integrated or Permissive (you can follow the instructions at this page), or you can use the Connect-PSUServer cmdlet to authenticate the API to be able to access secrets by following the example I provided for another user:

If you generate an App Token based on an identity that has access to the secrets (for example, your own login), and then use that with the Connect-PSUServer cmdlet, the script would run with the same level of access the account the token is based on has.

So, at the top of your script, you’d have something like:

$AppToken = '<redacted>'
Connect-PSUServer -AppToken $AppToken -ComputerName 'https://<redacted>'

The intent is to just use the secrets within a PSU script created under the same user that added the secrets, I shouldn’t need to explicitly connect to PSU from that script, right?

I did connect to PSU server for testing, from a local PS terminal. Get-PSUVariable works in that case but the value (credential) is still blank.

There is a warning in PSU on the secret that says “The value of this secret does not exist in the vault.” It seems the actual values are not getting stored in the DB for some reason.

Did you verify that you have PSU configured with the correct password in the appsettings.json file, so it can properly encrypt/decrypt data?

Yes, I’ve added the secrets/database section in appsettings per the docs. Do I need to “initialize” the built-in secret DB somehow? That error occurs on both database and SecretStore vault.

Is this a brand new install or is this an upgrade from a previous PSU version? I ask because I had a similar issue when I first upgraded from 4.x to 5.x, where the syntax of the DB setting in appsettings.json was changed. See below, and make sure your settings are similar.

In v4 and lower, in the custom appsettings.json file you would set your custom database path as:

  "Data": {
    "ConnectionString": "filename=%ProgramData%\\UniversalAutomation\\database.db"
  }

In v5, this apparently needs to be changed to:

  "Data": {
    "ConnectionString": "Data Source=%ProgramData%\\UniversalAutomation\\database.db"
  }

I don’t recall seeing anything about the value needing to be changed from filename= to Data Source= but maybe I overlooked it. Either way, changing it to that is now allowing PSU to access the DB properly and I can pull Secret variables.
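
The keyword change described in the post above can be checked from a script before digging into the secret store itself. This is an added example, not code from the thread or from PowerShell Universal: the function name is hypothetical, and the "v4"/"v5" labels reflect only what that post reports.

```powershell
# Added example: report which keyword Data.ConnectionString uses in an
# appsettings.json, and whether the database file it points to exists.
function Get-PSUConnectionStringInfo {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Json   # raw content of appsettings.json
    )

    $connectionString = ($Json | ConvertFrom-Json).Data.ConnectionString
    if ([string]::IsNullOrWhiteSpace($connectionString)) {
        return [pscustomobject]@{ Style = 'missing'; Keyword = $null; DatabasePath = $null; FileExists = $false }
    }

    # Split "key=value;key=value" into a table (@{} keys are case-insensitive).
    $parts = @{}
    foreach ($pair in $connectionString -split ';') {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $parts[$Matches[1]] = $Matches[2] }
    }

    # Keyword-to-version mapping as reported in the thread, not taken from vendor docs.
    if     ($parts.ContainsKey('Data Source')) { $keyword = 'Data Source'; $style = 'v5' }
    elseif ($parts.ContainsKey('filename'))    { $keyword = 'filename';    $style = 'v4' }
    else                                       { $keyword = $null;         $style = 'unrecognized' }

    # Expand %ProgramData% and similar so the path can be tested on disk.
    $path = if ($keyword) { [Environment]::ExpandEnvironmentVariables($parts[$keyword]) }

    [pscustomobject]@{
        Style        = $style
        Keyword      = $keyword
        DatabasePath = $path
        FileExists   = [bool]($path -and (Test-Path -LiteralPath $path))
    }
}

# Constructed sample: the v4-style fragment quoted above, wrapped in braces.
$sample = @'
{
  "Data": {
    "ConnectionString": "filename=%ProgramData%\\UniversalAutomation\\database.db"
  }
}
'@

Get-PSUConnectionStringInfo -Json $sample | Format-List
```

To check a real install, pass the output of `Get-Content -Raw` on your own appsettings.json as `-Json`.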

It is a new install… appsettings does look correct though. The variables section has some strange behavior to begin with. Even if I change the name, half the time it doesn’t stick and retains the default “Variable” name…

I’m going to test secrets on another v4 install for comparison… I may just throw in the towel and stay with my existing Secret store.

Also, back to the original question. Looking at wording on v4 variable page, “Import-PSUSecret” makes more sense now (v4 has Import via GUI, in v5 it is MIA). I believe it just references those secrets wherever they are stored, so they can be retrieved with the PSU commands. (Not importing into the actual PSU database)

Okay. You may want to file an issue on the GitHub repo, for the values not sticking.

There is a bug right now in v5 for variables not actually writing to the database (or secret store I assume). If you create the variable, then immediately edit it with the secret value again, it will stick.

Fix should be coming soon.

A bit of clarity: I had the same problem. I followed dcssoe’s advice, but I couldn’t “Edit Properties” - that didn’t help. I had to “Set Secret Value”. After that, it worked and I even saw the new encrypted value pop into the Variables table of the database.