Microsoft has released the SecretManagement Preview 3 module for its PowerShell scripting language and command-line shell to help developers manage secrets with a set of cmdlets.
The SecretManagement Preview 3 release follows a second preview Microsoft released in March and a first preview in February. The tool is designed to help users securely manage secrets in heterogeneous cloud environments.
However, the third preview of the SecretManagement module does contain breaking changes, so users of earlier previews will need to migrate their secrets before updating.
SecretManagement helps users store and retrieve secrets locally in an operating system’s built-in vault, such as the Windows Credential Manager. It’s also an “orchestrator for extension vaults which perform the actual secret storage and encryption”.
“SecretManagement is valuable in heterogeneous environments where you may want to separate the specifics of the vault from a common script which needs secrets,” explains Sydney Smith, a program manager on Microsoft’s PowerShell team.
“SecretManagement is also a convenience feature which allows users to simplify their interactions with various vaults by only needing to learn a single set of cmdlets.”
In this preview Microsoft has separated the SecretManagement module from a built-in default vault and overhauled its design. It has also separated the interface for accessing secrets and registering vaults from any particular vault implementation.
Paul Higinbotham, a senior software engineer on the PowerShell team, explains that since releasing the first alpha of the SecretManagement module it became “clear that the original vision and design suffered some shortcomings”.
A problem with the previous alpha release was that it depended on Windows Credential Manager; extending it to other platforms would have required an equivalent local vault on each of them.
“It turns out that CredMan is pretty unique, and there are no equivalent solutions on non-Windows platforms,” writes Higinbotham. “In addition, community members pointed out that CredMan only works for interactive log-in accounts, and this means SecretManagement pre-release would not work with Windows built-in accounts or over PowerShell remoting.”
So with this new design, Microsoft focused on the management of secrets.
“The purpose of SecretManagement is to provide scripts a common way to access secrets from widely different secret store solutions. So the new design leaves it to the individual vault solutions how they are installed, configured, and authenticated.”
Because of these issues, Microsoft has removed the built-in local vault from SecretManagement, leaving all storage to extension vaults. To fill the gap left by that removal, it has published SecretStore Preview 1, a cross-platform local extension vault.
According to Microsoft, this extension vault is “configurable and works over all supported PowerShell platforms on Windows, Linux, and macOS”.
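The following PowerShell session is an added illustration of the two points above, not code from the article or from Microsoft: it registers SecretStore as an extension vault and then shows a script consuming a secret purely through the SecretManagement cmdlets, so that swapping the vault never touches the script. The cmdlet and parameter names (Register-SecretVault, Set-Secret, Get-Secret, Get-SecretInfo, Get-SecretVault) are those of the released Microsoft.PowerShell.SecretManagement and Microsoft.PowerShell.SecretStore modules and are assumed to match the preview builds; the vault name `LocalStore`, the secret name `ApiToken` and the helper `Get-ApiAuthHeader` are constructed for the example.

```powershell
# Added example, not from the article. Cmdlet and parameter names follow the
# released SecretManagement/SecretStore modules; preview builds may differ.

# Install both modules from the PowerShell Gallery (-AllowPrerelease assumed for preview builds).
Install-Module -Name Microsoft.PowerShell.SecretManagement -AllowPrerelease -Scope CurrentUser
Install-Module -Name Microsoft.PowerShell.SecretStore -AllowPrerelease -Scope CurrentUser

# Register SecretStore as an extension vault (constructed name 'LocalStore') and make it the default.
# Only this line would change if a different extension vault were used instead.
Register-SecretVault -Name LocalStore -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

# Store a secret without echoing it to the console or leaving it in command history.
# 'ApiToken' is a constructed secret name; the value is whatever the operator types.
$token = Read-Host -Prompt 'Enter API token' -AsSecureString
Set-Secret -Name ApiToken -SecureStringSecret $token -Vault LocalStore

# A script that needs the secret talks only to SecretManagement, never to the vault implementation.
function Get-ApiAuthHeader {
    param([string]$SecretName = 'ApiToken')
    # Get-Secret returns a SecureString by default; -AsPlainText is required to build a header value.
    $plain = Get-Secret -Name $SecretName -AsPlainText
    if (-not $plain) { throw "Secret '$SecretName' was not found in any registered vault." }
    return @{ Authorization = "Bearer $plain" }
}

# Inspect the registration and the stored entries; neither cmdlet reveals secret values.
Get-SecretVault
Get-SecretInfo -Vault LocalStore
```

SecretStore protects its contents with a vault password and, by default, prompts for it on first use in a session; the assumption here is that an interactive operator is present for that prompt. Because `Get-ApiAuthHeader` depends only on the secret name, the same script runs unchanged against any other registered extension vault, which is the separation of vault specifics from the consuming script that the quoted program manager describes.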