
PowerShell

PowerShell can be used to retrieve secrets from Vault by calling the Vault HTTP API directly. The most straightforward way to do this is AppRole authentication.

Vault Policies

Teams are responsible for setting up policies that give PowerShell access to specific secrets or paths. Use the following CLI command, or a variation of the Terraform code examples, to create a policy for secrets at secret/powershell/* (the example below grants create, read, update, patch and delete on the KV v2 data path secret/data/powershell/*; trim the capabilities list if the script only needs to read).

Bash
vault policy write approle_powershell_access_policy - <<EOF
path "secret/data/powershell/*" {
  capabilities = ["create", "read", "update", "patch", "delete"]
}
EOF

AppRole

In order for PowerShell to connect to Vault, it must authenticate. To create an AppRole, use the following CLI command, or a variation of the Terraform code examples, and attach the policy that you created in the previous step:

Bash
vault write auth/approle/role/powershell \
  token_policies="default,approle_powershell_access_policy"

role_id & secret_id

PowerShell will authenticate to Vault with a role_id and a secret_id, which need to be retrieved first:

Bash
# Read role-id
vault read auth/approle/role/powershell/role-id

# Create a secret-id
vault write -f auth/approle/role/powershell/secret-id

Basic Vault Read Example

PowerShell
# Use an AppRole to get the value of the secret located at secret/powershell/test with key foo.

# Define Vault parameters
$vaultAddress = "https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
$roleID = "" # Do not hard-code this: pass it into the script as a parameter or environment variable at runtime.
$secretID = "" # Do not hard-code this: pass it into the script as a parameter or environment variable at runtime.
$namespace = "admin/CESI"
$secretPath = "secret/data/powershell/test"

# Authenticate with Vault using AppRole
$authResponse = Invoke-RestMethod -Method Post -Uri "$vaultAddress/v1/auth/approle/login" -Body (@{ role_id = $roleID; secret_id = $secretID } | ConvertTo-Json) -ContentType "application/json" -Headers @{ "X-Vault-Namespace" = $namespace }
$vaultToken = $authResponse.auth.client_token

# Retrieve the secret from Vault
$secretResponse = Invoke-RestMethod -Method Get -Uri "$vaultAddress/v1/$secretPath" -Headers @{ "X-Vault-Token" = $vaultToken; "X-Vault-Namespace" = $namespace }

# Output the secret
$secretResponse.data.data.foo

Basic Vault Write Example

PowerShell
# Define Vault parameters
$vaultAddress = "https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200"
$roleID = "" # Do not hard-code this: pass it into the script as a parameter or environment variable at runtime.
$secretID = "" # Do not hard-code this: pass it into the script as a parameter or environment variable at runtime.
$namespace = "admin/CESI"
$secretPath = "secret/data/powershell/test"

# Authenticate with Vault using AppRole
$authResponse = Invoke-RestMethod -Method Post -Uri "$vaultAddress/v1/auth/approle/login" -Body (@{ role_id = $roleID; secret_id = $secretID } | ConvertTo-Json) -ContentType "application/json" -Headers @{ "X-Vault-Namespace" = $namespace }
$vaultToken = $authResponse.auth.client_token

# Define the data to write to the secret
$secretData = @{
    data = @{
        foo = "your_secret_value"
    }
}

# Write the secret to Vault
$writeResponse = Invoke-RestMethod -Method Post -Uri "$vaultAddress/v1/$secretPath" -Body ($secretData | ConvertTo-Json) -ContentType "application/json" -Headers @{ "X-Vault-Token" = $vaultToken; "X-Vault-Namespace" = $namespace }

# Output the write response (KV v2 returns version metadata for the new secret version, not the data itself)
$writeResponse.data
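The read flow above, reworked as an added example that is not part of the original page: the AppRole login and KV v2 read are wrapped in a function that takes its credentials from environment variables instead of hard-coded strings, fails loudly on HTTP errors, and revokes the token as soon as the read is done. VAULT_ADDR and VAULT_NAMESPACE are the standard Vault environment variable names; VAULT_ROLE_ID and VAULT_SECRET_ID are names assumed for this example, not Vault defaults.

```powershell
# Added example: AppRole login + KV v2 read with error handling and token revocation.
# VAULT_ADDR / VAULT_NAMESPACE are standard Vault env vars; VAULT_ROLE_ID and
# VAULT_SECRET_ID are names assumed here for this example.
function Get-VaultKvSecret {
    param(
        [Parameter(Mandatory)] [string] $SecretPath,   # e.g. "secret/data/powershell/test"
        [string] $VaultAddress = $env:VAULT_ADDR,
        [string] $Namespace    = $env:VAULT_NAMESPACE,
        [string] $RoleId       = $env:VAULT_ROLE_ID,
        [string] $SecretId     = $env:VAULT_SECRET_ID
    )
    if (-not ($VaultAddress -and $RoleId -and $SecretId)) {
        throw 'VAULT_ADDR, VAULT_ROLE_ID and VAULT_SECRET_ID must be set (env vars or parameters).'
    }
    # Only send the namespace header when one is configured (self-hosted Vault often has none).
    $headers = @{}
    if ($Namespace) { $headers['X-Vault-Namespace'] = $Namespace }

    $token = $null
    try {
        # AppRole login: the secret_id is sent in the JSON body, never in the URL or a query string.
        $loginBody = @{ role_id = $RoleId; secret_id = $SecretId } | ConvertTo-Json
        $auth = Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/auth/approle/login" `
            -Body $loginBody -ContentType 'application/json' -Headers $headers -ErrorAction Stop
        $token = $auth.auth.client_token
        $headers['X-Vault-Token'] = $token

        # KV v2 nests the user data one level deeper than KV v1: .data.data
        $resp = Invoke-RestMethod -Method Get -Uri "$VaultAddress/v1/$SecretPath" -Headers $headers -ErrorAction Stop
        return [pscustomobject]@{
            Version = $resp.data.metadata.version
            Data    = $resp.data.data
        }
    }
    catch {
        # Re-throw with context; only the status message is included, so no response body
        # (which could carry secret-bearing detail) lands in transcripts or job logs.
        throw "Vault request failed for '$SecretPath': $($_.Exception.Message)"
    }
    finally {
        # Revoke the token as soon as the read is done instead of letting it live out its TTL.
        if ($token) {
            try { Invoke-RestMethod -Method Post -Uri "$VaultAddress/v1/auth/token/revoke-self" -Headers $headers -ErrorAction Stop | Out-Null }
            catch { Write-Warning "Token revocation failed: $($_.Exception.Message)" }
            $headers.Remove('X-Vault-Token')
            Remove-Variable -Name token, auth -ErrorAction SilentlyContinue
        }
    }
}
```

Usage from the script that needs the value: `(Get-VaultKvSecret -SecretPath 'secret/data/powershell/test').Data.foo`.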