I upgraded Az PowerShell to 4.6.1 today and started seeing the below warning. The question I have is what I am supposed to do about this warning? I could mute the warning but that wouldn't help me prepare for this breaking change at all. I checked the Az 4.6.1 Microsoft docs and they tell me I should still be using SecretValueText and provide no similar warning about deprecation or any alternative ways to get the secret value. So what is my update path for PowerShell that reads KeyVault secrets using SecretValueText?
WARNING: Breaking changes in the cmdlet 'Get-AzKeyVaultSecret' :
WARNING: - "The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecret' is changing"
- The following properties in the output type are being deprecated :
'SecretValueText'
WARNING: Note :The change is expected to take effect from the version : '3.0.0'
WARNING: - "The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultSecret' is changing"
- The following properties in the output type are being deprecated :
'SecretValueText'
WARNING: Note :The change is expected to take effect from the version : '3.0.0'
WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
Here is the current example in the Microsoft docs:
$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
Write-Host "Secret Value is:" $secret.SecretValueText
Secret Value is: P@ssw0rd
This can be done with:
Get the secret with:
$secret = Get-AzKeyVaultSecret -VaultName {YourVaultName} -Name {YourSecret}
$pass = $secret.SecretValue | ConvertFrom-SecureString -AsPlainText
This is the same as $secret.SecretValueText
Microsoft documentation has now been updated. This example is taken from the latest docs:
$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
$secretValueText = '';
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
Write-Host "Secret Value is:" $secretValueText
Secret Value is: P@ssw0rd
Well, even if the SecretValueText will be deprecated, there is a way that will always work. Just use $secret.SecretValue, it is a System.Security.SecureString, we just need to convert it to String, the $Password below is what you want.
$secret = Get-AzKeyVaultSecret -VaultName joykeyvault -Name mySecret123
$SecurePassword = $secret.SecretValue
$Password = [System.Net.NetworkCredential]::new("", $SecurePassword).Password
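The answers above differ in where they run: `ConvertFrom-SecureString -AsPlainText` exists only in PowerShell 7.0 and later, while the BSTR approach also works in Windows PowerShell 5.1. The following is an added example, not code from any of the answers or from Microsoft's docs, that wraps both paths in one helper; the function name `ConvertTo-PlainText` is hypothetical and the sample secret is constructed so the block runs without a vault.

```powershell
# Added example. ConvertTo-PlainText is a hypothetical helper name, not an Az cmdlet.
function ConvertTo-PlainText {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.SecureString] $SecureString
    )
    process {
        if ($PSVersionTable.PSVersion.Major -ge 7) {
            # -AsPlainText is only available in PowerShell 7.0 and later.
            return ConvertFrom-SecureString -SecureString $SecureString -AsPlainText
        }

        # Older hosts (e.g. Windows PowerShell 5.1): copy the value to an
        # unmanaged BSTR, read it, then zero and free that buffer.
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        try {
            return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        }
        finally {
            # Runs even if PtrToStringBSTR throws, so the BSTR never leaks.
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

# Constructed sample input standing in for $secret.SecretValue.
$sample = ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force
$plain  = $sample | ConvertTo-PlainText
if ($plain -cne 'P@ssw0rd') { throw 'SecureString round-trip failed' }

# With Key Vault, replacing $secret.SecretValueText:
# $secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
# $plain  = $secret.SecretValue | ConvertTo-PlainText
```

Whichever branch runs, the result is an ordinary `[string]` that stays in managed memory until it is garbage-collected, so keep it in the narrowest scope possible and pass `$secret.SecretValue` directly to any API that accepts a `SecureString` or `PSCredential`.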