OneWay Sync with Secrets Management

Product: PowerShell Universal
Version: 1.5.13

Love the new feature for one-way git sync. Wondering what is the best way to handle secrets since now you cannot edit them on the “production” server.

I have PSU running with the local system service account. To set the secrets I was able to start PowerShell as local system using psexec, import the SecretsManagement module, and set the variables via Set-Secret. And don’t forget to restart the service afterwards.

Note: trying to enter the creds via the GUI (rundll32.exe keymgr.dll,KRShowKeyMgr) started as SYSTEM does not do the same thing.

Not sure if I am glancing over something more obvious.
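The SYSTEM-context procedure described in the post above, written out as an added example (this is not code from the original post or from the PowerShell Universal project). The secret name, the service name 'PowerShellUniversal', and the use of the account's default vault are assumptions for illustration; adjust them to your install.

```powershell
# Added example, not from the original post. Placeholders: 'ExampleApiCred',
# the 'PowerShellUniversal' service name, and the assumption that SYSTEM already
# has a registered default vault.

# 1. From an elevated prompt, open an interactive shell as LocalSystem
#    (PsExec is from Sysinternals). Use powershell.exe instead of pwsh.exe
#    if the PSU host runs Windows PowerShell 5.1.
PsExec.exe -s -i pwsh.exe

# --- everything below is typed inside the SYSTEM shell ---

# 2. Confirm the identity first: SecretManagement vaults are per user, so a
#    secret stored under the wrong account is invisible to the service.
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # NT AUTHORITY\SYSTEM

# 3. Make sure this account has a vault to write into. If nothing is listed,
#    register the vault your PSU instance is configured to use before continuing.
Import-Module Microsoft.PowerShell.SecretManagement
Get-SecretVault

# 4. Prompt for the credential instead of typing the password on the command
#    line, so it does not land in console history or transcripts.
$cred = Get-Credential -Message 'Credential to store for PSU'
Set-Secret -Name 'ExampleApiCred' -Secret $cred

# 5. Verify it landed where PSU will look (metadata only; no plaintext printed).
Get-SecretInfo -Name 'ExampleApiCred'

# 6. Restart the service so the new value is picked up.
Restart-Service -Name 'PowerShellUniversal'
```

Step 2 is the check that matters: if the identity line shows your own user rather than SYSTEM, the secret will be written to your vault and PSU will never see it.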

I was thinking some more on this and I noticed that even with two-way, you cannot modify secrets anyway. Wondering if adding functionality to modify secrets via the Admin web interface would be useful?

Hmmm, that's a tricky one that we didn't think about. Setting them in the UI would be one way to do it.

When you add a variable call to variables.ps1 (New-PSUVariable) and it’s a secret, we won’t actually create the secret when it’s added. We’re just referencing the secret from the vault and grabbing the value when needed.

One way to work around this would be to have a dashboard that’s only accessible by admins or something that has a simple form on it that invokes Set-Secret. It would be running in the context of the account so should be able to create secrets.

New-UDForm -Content {
    New-UDTextbox -Id 'Secret' -Label 'Secret name'
    New-UDTextbox -Id 'UserName' -Label 'User name'
    New-UDTextbox -Id 'Password' -Label 'Password' -Type Password
} -OnSubmit {
    # -Force is required on Windows PowerShell 5.1 and harmless on 7+
    $Password = ConvertTo-SecureString -AsPlainText -Force -Value $EventData.Password
    # Read the user name from $EventData; a bare $UserName is never defined here
    $Credential = [PSCredential]::new($EventData.UserName, $Password)
    # Runs in the PSU service account's context, so this writes to that account's vault
    Set-Secret -Name $EventData.Secret -Secret $Credential
}
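A slightly hardened version of the admin-only form idea from the reply above, as an added example (not the project's own code). It assumes the dashboard is already restricted to authenticated users, that the UD v3 $Roles variable holds the current user's PSU roles, and that the admin role is named 'Administrator'; those three points are assumptions about the deployment, as is the use of the service account's default vault.

```powershell
# Added example, not from the original thread. Assumptions: $Roles is populated by
# PSU for the signed-in user, the admin role is 'Administrator', and the service
# account has a default SecretManagement vault registered.
New-UDDashboard -Title 'Secret admin' -Content {
    # Defence in depth: even if the dashboard URL leaks, non-admins see nothing useful.
    if ($Roles -notcontains 'Administrator') {
        New-UDTypography -Text 'Administrators only.'
        return
    }

    New-UDForm -Content {
        New-UDTextbox -Id 'Secret' -Label 'Secret name'
        New-UDTextbox -Id 'UserName' -Label 'User name'
        New-UDTextbox -Id 'Password' -Label 'Password' -Type Password
    } -OnValidate {
        $d = $EventData
        # Keep secret names to a safe character set so they map cleanly to vault entries.
        if ([string]::IsNullOrWhiteSpace($d.Secret) -or $d.Secret -notmatch '^[\w.-]+$') {
            New-UDFormValidationResult -ValidationError 'Secret name: letters, digits, . _ - only'
        } elseif ([string]::IsNullOrWhiteSpace($d.Password)) {
            New-UDFormValidationResult -ValidationError 'Password is required'
        } else {
            New-UDFormValidationResult -Valid
        }
    } -OnSubmit {
        try {
            # -Force keeps this working on Windows PowerShell 5.1 as well as 7+
            $secure = ConvertTo-SecureString -AsPlainText -Force -Value $EventData.Password
            $cred   = [PSCredential]::new($EventData.UserName, $secure)
            # Runs as the PSU service account, so the secret lands in that account's vault.
            Set-Secret -Name $EventData.Secret -Secret $cred
            Show-UDToast -Message "Stored secret '$($EventData.Secret)'" -Duration 5000
        } catch {
            # Surface the failure (e.g. no vault registered) without ever echoing the password.
            Show-UDToast -Message "Failed to store secret: $($_.Exception.Message)" -Duration 8000
        }
    }
}
```

Without the try/catch, a Set-Secret failure (most commonly no vault registered for the service account) is silent from the browser's point of view and the operator assumes the secret was stored; the toast makes that failure visible while keeping the submitted password out of the message.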