Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Warning about Breaking changes in the cmdlet 'Get-AzKeyVaultSecret' SecretValueText deprecated Az4.6.1

I upgraded Az Powershell to 4.6.1 today and started seeing the below warning. The question I have is what I am supposed to do about this warning? I could mute the warning but that wouldn't help me prepare for this breaking change at all. I checked the Az 4.6.1 Microsoft docs and they tell me I should still be using SecretValueText and provide no similar warning about deprecation or any alternative ways to get the secret value. So what is my update path for powershell that reads KeyVault secrets using SecretValueText?

WARNING: Breaking changes in the cmdlet 'Get-AzKeyVaultSecret' :
WARNING:  - "The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecret' is changing" 
- The following properties in the output type are being deprecated :
 'SecretValueText'
WARNING: Note :The change is expected to take effect from the version :  '3.0.0'
WARNING:  - "The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultSecret' is changing"
 - The following properties in the output type are being deprecated :
 'SecretValueText'
WARNING: Note :The change is expected to take effect from the version :  '3.0.0'
WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

Here is the current example in the Microsoft docs:

$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
Write-Host "Secret Value is:" $secret.SecretValueText

Secret Value is: P@ssw0rd
like image 265
Negatar Avatar asked Sep 03 '20 22:09

Negatar


3 Answers

This can be done with:

Get the secret with:

$secret = Get-AzKeyVaultSecret -VaultName {YourVaultName} -Name {YourSecret}
$pass = $secret.SecretValue | ConvertFrom-SecureString -AsPlainText

This is the same as $secret.SecretValueText

like image 118
AnaSantos Avatar answered Nov 16 '22 11:11

AnaSantos


Microsoft documentation has now been updated This example is taken from the latest docs

$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
$secretValueText = '';
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
Write-Host "Secret Value is:" $secretValueText

Secret Value is: P@ssw0rd
like image 11
Richard Hurley Avatar answered Nov 16 '22 12:11

Richard Hurley


Well, even if the SecretValueText will be deprecated, there is a way that will always work.

Just use $secret.SecretValue, it is a System.Security.SecureString, we just need to convert it to String, the $Password below is what you want.

$secret = Get-AzKeyVaultSecret -VaultName joykeyvault -Name mySecret123
$SecurePassword = $secret.SecretValue
$Password = [System.Net.NetworkCredential]::new("", $SecurePassword).Password

enter image description here

like image 7
Joy Wang Avatar answered Nov 16 '22 11:11

Joy Wang