Using Azure KeyVault secrets after a reboot

Product: PowerShell Universal
Version: 3.7.0

I am trying to hook in an Azure KeyVault. When I register the vault in line with the documentation and other forum posts, I am able to import the stored secrets and call them using the $secret:mysecret variable.

Once I reboot, I see the previously documented errors about the secret not existing in the vault. None of the documented or posted workarounds seem to work for me.

When I examine the container logs, I see the following:

2023-01-12 09:09:46.377 +00:00 [INF] Finished groom job.
2023-01-12 09:09:53.246 +00:00 [ERR] Failed to read secret :The specified module 'Az.Accounts' with version '2.10.4' was not loaded because no valid module file was found in any module directory.
2023-01-12 09:09:53.772 +00:00 [ERR] Failed to read secret :The term 'Az.KeyVault\Get-AzKeyVaultSecret' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
2023-01-12 09:41:57.243 +00:00 [INF] Start installing Hangfire SQL objects...
[15:55:23 ERR] Failed to read secret :The term 'Az.KeyVault\Get-AzKeyVaultSecret' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
[15:55:24 ERR] Failed to read secret :The term 'Az.KeyVault\Get-AzKeyVaultSecret' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Has anybody else seen this or have a workaround which allows KeyVaults to work following a container reboot?

I am seeing inconsistency in being able to get AZ keyvault, as well. What is odd is how one time it won’t work with an error like this:

The command Connect-AzAccount is part of Azure PowerShell module “Az.Accounts” and it is not installed. Run “Install-Module Az.Accounts” to install it.
The term ‘Connect-AzAccount’ is not recognized as a name of a cmdlet, function, script file, or executable program.

Then, I refresh the element on the page and it works. It’s frustrating due to the inconsistency. I call get-secret a lot on some of my pages and sometimes everything loads fine, sometimes almost all of them fail and other times only some of them fail.

I am looking into this as we speak.

When I bring up a terminal, I get this:

When I close the terminal and open it again, the get-module command only returns the Universal package.

If I have any breakthroughs on this problem, I will post them.

OK, I think I have a partial workaround which seems to kick it into gear.

Following a reboot, I perform the following, and it seems to reconnect everything:

  1. Unregister the Vault
    Unregister-SecretVault -Name vaultname
    
  2. Register the Vault
    Register-SecretVault -Name vaultname -ModuleName Az.KeyVault -VaultParameters @{
     AZKVaultName = 'vaultname'
     SubscriptionId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
    
  3. Add a new variable
    $VariableName="testvar3"
    New-PSUVariable -Name $VariableName -type string -Integrated -Value $VariableName -Vault vaultname -InputObject secret
    

It was the -InputObject parameter, which I was missing throughout my previous attempts. Once I add a new variable, it all kicks in.

@dkkazak, are you able to replicate this? I suspect the next action will be to see if there is any other system command which will do this. @adam Is there any internal cmd which does this already on boot?

How are you using that variable? I rarely call Get-Secret directly from PowerShell Universal. Instead, it is often from “shared” cmdlets that are used outside of the PowerShell Universal universe, as well.

I use the $secret: process to call the variable.
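
Added example, not from any poster in this thread and not PowerShell Universal's own code: a read-only check to run in the container after a reboot, showing whether the modules named in the log errors resolve from `PSModulePath` and whether the vault registration is still present. `Test-KeyVaultPrerequisite` is a hypothetical helper name, and `vaultname` is the placeholder used in the workaround above.

```powershell
# Added example. Reads no secret values; it only reports module and vault state.
function Test-KeyVaultPrerequisite {
    param(
        [string]$VaultName = 'vaultname',   # placeholder from the thread
        [string[]]$RequiredModule = @(
            'Az.Accounts', 'Az.KeyVault', 'Microsoft.PowerShell.SecretManagement')
    )

    # 1. Can each module from the log errors be found on PSModulePath?
    $modules = foreach ($name in $RequiredModule) {
        $found = Get-Module -ListAvailable -Name $name |
            Sort-Object Version -Descending | Select-Object -First 1
        [pscustomobject]@{
            Module  = $name
            Found   = [bool]$found
            Version = if ($found) { $found.Version.ToString() } else { $null }
            Path    = if ($found) { $found.ModuleBase } else { $null }
        }
    }

    # 2. Is the vault still registered for the account running this session?
    $vault = $null
    if (Get-Command Get-SecretVault -ErrorAction SilentlyContinue) {
        $vault = Get-SecretVault -Name $VaultName -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        VaultName       = $VaultName
        ModulePath      = $env:PSModulePath -split [IO.Path]::PathSeparator
        Modules         = $modules
        VaultRegistered = [bool]$vault
        Ready           = (-not ($modules.Found -contains $false)) -and [bool]$vault
    }
}

$report = Test-KeyVaultPrerequisite -VaultName 'vaultname'
$report.Modules | Format-Table -AutoSize
if (-not $report.Ready) {
    $missing = ($report.Modules | Where-Object { -not $_.Found }).Module -join ', '
    Write-Warning ("Vault '{0}' registered: {1}. Missing modules: {2}" -f
        $report.VaultName, $report.VaultRegistered, $missing)
}
```

Comparing the `Path` and `ModulePath` values before and after a reboot shows whether the Az modules sit in a directory that survives the container restart.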