
Request: Multiple instances of SecretStore

Open jdhitsolutions opened this issue 4 years ago • 15 comments

I don't know if this is a documentation issue or a bug, so I'll ask. I have a vault registered using Microsoft.PowerShell.SecretStore. I then tried to create a second vault.

 Register-SecretVault -Name demo -Description "test vault" -ModuleName microsoft.powershell.secretstore

Get-SecretVault shows it. I have nothing in the vault but if I run Get-SecretInfo, I see all the entries from my default vault, even though the vault name shows the new demo vault. Are we limited to one vault per user of a given module? If so, that needs to be clearer in the documentation.

jdhitsolutions avatar Apr 16 '21 15:04 jdhitsolutions

Clearly, there is some sort of interaction happening.


jdhitsolutions avatar Apr 16 '21 15:04 jdhitsolutions

SecretManagement allows an extension vault to be registered multiple times, because it is possible that an extension vault may support different contexts via the registration VaultParameters. However, the SecretStore vault currently always operates in the logged on user scope (see SecretStore documentation: https://github.com/powershell/secretstore).

So registering SecretStore multiple times with different names just results in duplication of the same store, and doesn't make sense. But we decided to allow this for maximum flexibility.

PaulHigin avatar Apr 21 '21 17:04 PaulHigin

Ok then. Again, it would help to have this clearer in the documentation. The bottom line is that a user can only have 1 microsoft.powershell.secretstore vault per user scope. That's too bad because I can imagine a situation where I might want 2 stores based on the default Microsoft.PowerShell.SecretStore. Or are you expecting that people will really be using an extension vault like LastPass?

jdhitsolutions avatar Apr 21 '21 17:04 jdhitsolutions

Thanks @jdhitsolutions, I'd love to better understand why a user may want multiple SecretStore instances in a particular user scope. Does having secret metadata help users to organize their secrets in a way that doesn't require a second instance of the store?

Agree that we can make this more clear in the SecretStore documentation

SydneyhSmith avatar Apr 26 '21 21:04 SydneyhSmith

I might want one store with data that is associated with a module or CI/CD project I'm running and a second store for personal items. I might want one group of data to have a longer unlock time and another set to be more secure. A single store means every secret is treated the same and maybe that isn't what I want.

jdhitsolutions avatar Apr 26 '21 21:04 jdhitsolutions

I have the same kind of needs as @jdhitsolutions. Also, custom or third-party modules will benefit if SecretStore can be registered multiple times with different names and instances. Then a custom module can create its own store for its secrets.

PetriAsi avatar Jul 31 '21 06:07 PetriAsi

Really need this as well. The use case is:

  • I need to have one vault protected with a password, so it will protect personal credentials and stuff unless unlocked.
  • I also need one vault unprotected because of a PnP.PowerShell recommendation. https://pnp.github.io/powershell/articles/credentialmanagement.html
  • preferably I would operate a separate vault for different customers

SjoerdV avatar Oct 31 '21 16:10 SjoerdV

I'd like to have multiple Microsoft.PowerShell.SecretStore SecretStores to segment secrets between clients.

craibuc avatar Nov 28 '22 20:11 craibuc

Sounds like there is a need for multiple store instances. Adding PS-Committee review for visibility.

/cc: @SteveL-MSFT, @SydneyhSmith

PaulHigin avatar Nov 28 '22 23:11 PaulHigin

Is there a way to create independent, Microsoft.PowerShell.SecretStore instances by supplying values to -VaultParameters?

craibuc avatar Nov 29 '22 13:11 craibuc

@PaulHigin this topic seems to be stale for a while again, but I need exactly the same functionality. So a +1 for this topic from my side.

ckolumbus avatar Apr 04 '24 06:04 ckolumbus

+1 would like this feature if possible to implement

Admiral-AI avatar May 13 '24 19:05 Admiral-AI

I would also find this feature useful.

Pseudolegend avatar Jun 18 '24 22:06 Pseudolegend

I would also find this feature extremely useful. I totally agree with the use cases mentioned before.

lastphoenx avatar Jul 12 '24 12:07 lastphoenx

I wanted to create two vaults based on SecretStore, per environment:

register-SecretVault -name SecretStoreDev -ModuleName Microsoft.PowerShell.SecretStore -Description "Dev Vault"
register-SecretVault -name SecretStoreProd -ModuleName Microsoft.PowerShell.SecretStore -Description "Prod Vault"

But it's not enough to be able to have them; they need to be separated when you use Get-SecretStoreConfiguration and when you use Set-SecretStoreConfiguration, as I would like different passwords for each and locking behavior, as an example.

ArieHein avatar Sep 07 '24 19:09 ArieHein
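
An added example, not part of the thread or of the SecretStore project: a PowerShell check for the situation PaulHigin describes and the Dev/Prod registration above, where several vault names registered against Microsoft.PowerShell.SecretStore all resolve to the same per-user store and therefore give no separation between secrets. The function name `Test-SecretStoreAliasing`, the canary secret name and the output columns are hypothetical; only SecretManagement cmdlets are called.

```powershell
# Added example: audit for aliased SecretStore registrations.
# Function name, canary name and output shape are hypothetical.
#Requires -Modules Microsoft.PowerShell.SecretManagement

function Test-SecretStoreAliasing {
    [CmdletBinding()]
    param(
        # Write a throwaway canary through the first registration and look for
        # it through the others. Needs an unlocked store; may prompt for the
        # store password in an interactive session.
        [switch]$Probe
    )

    $module = 'Microsoft.PowerShell.SecretStore'
    # Every vault name whose backing extension is SecretStore (-eq ignores case).
    $vaults = @(Get-SecretVault | Where-Object ModuleName -eq $module)

    if ($vaults.Count -lt 2) {
        Write-Verbose "Found $($vaults.Count) registration(s) of $module; nothing aliased."
        return
    }

    $canary = $null
    if ($Probe) {
        # Constructed, non-sensitive value; removed again in the finally block.
        $canary = "alias-canary-$([guid]::NewGuid().ToString('N'))"
        Set-Secret -Name $canary -Secret 'not-a-real-secret' -Vault $vaults[0].Name
    }
    try {
        foreach ($v in $vaults) {
            $names = @(Get-SecretInfo -Vault $v.Name | Select-Object -ExpandProperty Name)
            [pscustomobject]@{
                Vault       = $v.Name
                SecretCount = $names.Count
                # True for a vault other than the first means both names
                # read and write the same underlying store.
                SeesCanary  = if ($Probe) { $names -contains $canary } else { $null }
            }
        }
    }
    finally {
        if ($canary) { Remove-Secret -Name $canary -Vault $vaults[0].Name }
    }
}

Test-SecretStoreAliasing -Verbose | Format-Table -AutoSize
```

Identical `SecretCount` values across the listed vaults, or `SeesCanary` reported as true for every row when run with `-Probe`, indicate the registrations are aliases of one store rather than separate vaults.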