
Question Regarding Azure Key Vault and OAuth 2.0

Open jesnyder13 opened this issue 1 year ago • 1 comments

Summary of the new feature / enhancement

The background of this question is that this module saves my team a lot of refactoring when switching between vaults since a wide variety of vaults have extensions available. It is very very useful for working with creds on the shell.

I am attempting to use the Microsoft.PowerShell.SecretManagement module to access Azure Key Vault secrets in a hybrid environment. Our setup requires authentication coming from outside of the Azure tenant. For other Azure services, we can use either OAuth 2.0 authorization with a registered app or service principal authentication.

However, with the SecretManagement module, I've noticed that:

  1. The only authentication method available seems to be service principal.
     • When I use OAuth I receive the following when using Get-Secret:
       Connect-AzAccount -AccessToken ... # successful auth
       Get-Secret ...
       Message: AKV10000: Request is missing a Bearer or PoP token.
     • When I use service principal it works fine.
       Connect-AzAccount -ServicePrincipal ... # successful auth
       Get-Secret ... # successful secret retrieval
  2. There is currently no -AccessToken option for Get-Secret.

I am specifically looking for a way to use OAuth 2.0 with this module, similar to how we can with other Azure services.

  1. Are there plans to add OAuth 2.0 support to the Microsoft.PowerShell.SecretManagement module for Azure Key Vault?
  2. In the meantime, is service principal authentication the recommended approach for our scenario?
  3. Are there any workarounds or best practices for using OAuth 2.0 with the SecretManagement module and Azure Key Vault?
  4. Is this a valid question?

Reference: https://learn.microsoft.com/en-us/powershell/utility-modules/secretmanagement/how-to/using-azure-keyvault?view=ps-modules

I have opened a case with the Key Vault Support Team #2407160040005824 but thought maybe I should check here as well.

Proposed technical implementation details (optional)

No response

jesnyder13 avatar Jul 18 '24 15:07 jesnyder13

After a call with support it seems the issue is not directly with the modules themselves.

  1. I can successfully obtain a bearer token for Azure Key Vault.
  2. Using this token, I'm able to retrieve secret values via the Invoke-RestMethod cmdlet, confirming the token's validity.
  3. However, when I attempt to use the Get-AzKeyVaultSecret cmdlet from the Az.KeyVault module, I receive an error: 'AKV10000: Request is missing a Bearer or PoP token.'
  4. During a support call, we tried various approaches with Set-AzContext, but we haven't found a way to make the Az.KeyVault module commands utilize the existing bearer token.

If you would be able to share a way that works with these modules on the shell to successfully interact with the Azure Key Vault using the bearer token, I would be very grateful. If not, I understand.

jesnyder13 avatar Jul 25 '24 13:07 jesnyder13
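As an added example (not code from the issue author or from the SecretManagement project) of the two-audience token pattern the posts above describe: a Key Vault data-plane call needs a bearer token issued for the audience https://vault.azure.net, which is a different audience from the ARM token (https://management.azure.com) that `Connect-AzAccount -AccessToken` sets, and Az.Accounts exposes a separate `-KeyVaultAccessToken` parameter for that second token. The example assumes both tokens were already obtained out of band (for instance via an OAuth 2.0 client-credentials flow) and that the vault, secret, account and tenant values are placeholders.

```powershell
# Added illustration; tokens are assumed to be acquired elsewhere and passed in.
# Nothing here acquires or persists them.

function Get-KeyVaultSecretViaRest {
    # Reads one secret with the Key Vault REST API using a vault-audience
    # bearer token, the same validity check the second post describes.
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $KeyVaultToken   # aud = https://vault.azure.net
    )
    $uri     = "https://$VaultName.vault.azure.net/secrets/$SecretName?api-version=7.4"
    $headers = @{ Authorization = "Bearer $KeyVaultToken" }
    # Invoke-RestMethod parses the JSON body; .value holds the secret material.
    (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).value
}

function Connect-AzWithExternalTokens {
    # Hands BOTH tokens to Az so that Az.KeyVault cmdlets (and the Az.KeyVault
    # SecretManagement extension that wraps them) have a token for the vault
    # audience to send, not only the ARM token.
    param(
        [Parameter(Mandatory)] [string] $ArmToken,       # aud = https://management.azure.com
        [Parameter(Mandatory)] [string] $KeyVaultToken,  # aud = https://vault.azure.net
        [Parameter(Mandatory)] [string] $AccountId,      # UPN or app (client) id the tokens were issued to
        [Parameter(Mandatory)] [string] $TenantId
    )
    Connect-AzAccount -AccessToken $ArmToken -KeyVaultAccessToken $KeyVaultToken `
        -AccountId $AccountId -TenantId $TenantId | Out-Null
}

# Usage sketch with placeholder values. Tokens are read from the environment
# here only for brevity; keep them out of script literals and transcripts.
# $kv  = $env:KV_TOKEN
# $arm = $env:ARM_TOKEN
# Get-KeyVaultSecretViaRest -VaultName 'my-vault' -SecretName 'db-password' -KeyVaultToken $kv
# Connect-AzWithExternalTokens -ArmToken $arm -KeyVaultToken $kv `
#     -AccountId '<app-client-id>' -TenantId '<tenant-guid>'
# Register-SecretVault -Name akv -ModuleName Az.KeyVault `
#     -VaultParameters @{ AZKVaultName = 'my-vault'; SubscriptionId = '<subscription-guid>' }
# Get-Secret -Name db-password -Vault akv
```

Whether the Az.KeyVault extension picks up the `-KeyVaultAccessToken` token for a given Az.KeyVault version is something to confirm in your own session; the REST call is the independent check that the token itself is accepted.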