Secrets Error in 2.6 (on Azure)

adam · December 23, 2021, 6:56pm

Thanks for bearing with me on this. I’ve got a PR in progress for this module and should have a viable workaround next year to avoid all these headaches (any many more) that the secret management is causing.

adam · January 4, 2022, 6:50pm

After making changes to the secret management module, it looks like I can successfully manage secrets through PSU in Azure against Azure Key Vault. I documented the process here.

I was able to successfully create a trigger that connects and registers the vault. I then created a secret through PSU and it stored it in Az Key Vault. Then I was able to use that secret in an API and script.

insomniacc · January 5, 2022, 9:37am

This is awesome, good work

mabster · July 25, 2022, 11:48pm

Resurrecting this old thread.

This morning, having updated to 3.1.5, we are sporadically getting the old Cryptography_DpApi_ProfileMayNotBeLoaded error when trying to access secrets.

I ask for $Secret:FooCredential inside a module, it works fine.

If I ask for it from a script, I get the error.

Even calling Get-AzKeyVaultSecret -Name FooCredential -VaultName MyVault is throwing the error.

@adam Can you remember what we did to fix this? Was it something you introduced in the back end?

Matt

adam · July 26, 2022, 3:35am

I’m not sure why that would be happening all of a sudden. I don’t recall seeing this DpApi error. The problem that PSU was having with secret management was that it wasn’t threadsafe. We redesigned our secret management layer in v3 so this isn’t a problem any longer.

I found an exact issue with Posh-ACME. It’s using the Microsoft Secret Management module as well. It seems like they even implemented a work around (Set-AltPluginEncryption) to avoid this error. I’m not sure it’s helpful for figuring out what’s going on but it is interesting.

github.com/rmbolger/Posh-ACME

DPAPI Error running on Azure Function

opened 09:07AM - 29 Jan 21 UTC

closed 10:23PM - 22 Feb 21 UTC

andy968

bug cantfix

I am trying to test out generating a certificate using an Azure Powershell Funct…ion running Powershell 7. When trying to generate the certificate I am getting the following. It looks like something to do with the securestring for the Cloudflare API token. Any help would be appreciated `Import-Module Posh-ACME $Token = "xxxxxxxxxxxxxxxxxxxxxxxxx" | ConvertTo-SecureString -AsPlainText -Force $pArgs = @{ CFToken = $Token } New-PACertificate *.domain.co.uk -AcceptTOS -DnsPlugin Cloudflare -PluginArgs $pArgs -Contact hello@domain.com -PfxPass "test"` `ERROR: Cryptography_DpApi_ProfileMayNotBeLoaded Exception : Type : System.Security.Cryptography.CryptographicException TargetSite : Name : Protect DeclaringType : Microsoft.PowerShell.ProtectedData, System.Management.Automation, Version=7.0.3.0`

github.com

rmbolger/Posh-ACME/blob/5fd47aa6268b4cc543ce3716e4378c74afdcb0f9/Posh-ACME/Private/Set-AltPluginEncryption.ps1

function Set-AltPluginEncryption {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory,Position=0,ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [Alias('Name')]
        [string]$ID,
        [Parameter(Mandatory)]
        [switch]$Enable,
        [switch]$Reset
    )

    Begin {
        # make sure we have a server configured
        if (-not ($server = Get-PAServer)) {
            throw "No ACME server configured. Run Set-PAServer first."
        }

        # save the current account to revert to if necessary
        $revertToAccount = Get-PAAccount
    }

This file has been truncated. show original

Are you running your scripts in the integrated environment when they fail? They don’t fail all the time?

mabster · July 26, 2022, 3:37am

Yeah I have a hand-rolled module that uses the $Secret scope and it works fine when I call it from a script, but if I try to get a secret from the script directly, it fails with that DpApi error.

Integrated environment, yeah.

adam · July 26, 2022, 3:39am

Can you do me a favor and grab the full stack trace of the exception?

try {
$Secret:BadSecret 
} catch {
   $_.Exception.StackTrace 
}

mabster · July 26, 2022, 4:09am

Hmm it’s not even catching an exception. I made my script look like this:

try {
    $Secret:TdCredential
} catch {
    Write-Host "Caught an exception! Here it is!"
   $_.Exception.StackTrace 
}

… and the job output is literally just:

 [error] Cryptography_DpApi_ProfileMayNotBeLoaded

EDIT: Tried this too, but got the same output:

try {
    Get-AzKeyVaultSecret -Name TdCredential -VaultName PSU
} catch {
    Write-Host "Caught an exception! Here it is!"
   $_.Exception.StackTrace 
}

I don’t understand why it’s able to access the secrets if I do so from within a module though. Baffling.

mabster · July 26, 2022, 4:25am

Get this. I changed my script to this:


function Foo {
    param(
        [PSCredential] $Credential = $Secret:TdCredential
    )

    Write-Host $Credential.UserName
}

Foo

That outputs the username of my TdCredential secret.

So accessing a secret from the default value of a parameter (which is what my module does) works. But accessing it directly throws the DpApi error.

Does that help? My brain is starting to leak out of my ears.

Ah! This does throw the error though!


function Foo {
    param(
        [PSCredential] $Credential = $Secret:TdCredential
    )

    Write-Host $Credential.UserName

    $Secret:TdCredential
}

Foo

I think it’s something to do with accessing the credential as a “whole” object, rather than cracking it open and accessing the username and password (via GetNetworkCredential()) separately. The module in which I’m successfully accessing a secret is always cracking it open.

mabster · July 26, 2022, 4:36am

It’s clearly something to do with the way PowerShell is treating PSCredential/SecureString under the hood. If I crack open the credential object using GetNetworkCredential() I can successully read both the username and password, but if I try to work with it as a PSCredential object (which I have to - the functions I’m calling need it) it errors.

It looks like I can use the secret now if I just pass it intact to the function that needs it. It only throws the DpApi error if I try to output it to the pipeline. Maybe that was always the case.

The only reason I would’ve been trying to output the secret was to check if it was working, which at the time it may not have been because of the whole “Sync-PsuConfiguration -Integrated” not being called at startup after registering the key vault.

I don’t know if I’m wasting your time trying to chase this down, Adam.

Topic		Replies	Views
Secret variables in Azure keyvault after V5 installation PowerShell Universal	6	204	April 2, 2025
Secrets Error in 2.9.1 Universal Automation	0	348	March 10, 2022
Azure KeyVault Secret Variables PowerShell Universal	11	1036	August 11, 2022
Updates in Azure Web App PowerShell Universal	68	4170	March 16, 2022
Setting Secrets in Azure KeyVault PowerShell Universal	1	299	March 17, 2023

Secrets Error in 2.6 (on Azure)

Related topics