16

I upgraded Az PowerShell to 4.6.1 today and started seeing the below warning. The question I have is what I am supposed to do about this warning? I could mute the warning but that wouldn't help me prepare for this breaking change at all. I checked the Az 4.6.1 Microsoft docs and they tell me I should still be using SecretValueText and provide no similar warning about deprecation or any alternative ways to get the secret value. So what is my update path for PowerShell that reads KeyVault secrets using SecretValueText?

WARNING: Breaking changes in the cmdlet 'Get-AzKeyVaultSecret' :
WARNING:  - "The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecret' is changing" 
- The following properties in the output type are being deprecated :
 'SecretValueText'
WARNING: Note :The change is expected to take effect from the version :  '3.0.0'
WARNING:  - "The output type 'Microsoft.Azure.Commands.KeyVault.Models.PSDeletedKeyVaultSecret' is changing"
 - The following properties in the output type are being deprecated :
 'SecretValueText'
WARNING: Note :The change is expected to take effect from the version :  '3.0.0'
WARNING: NOTE : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

Here is the current example in the Microsoft docs:

$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
Write-Host "Secret Value is:" $secret.SecretValueText

Secret Value is: P@ssw0rd
Negatar
  • Thanks for posting the workaround, but I'm not sure it's a solution. It seems like it would work but is not officially supported either. So I'm afraid it might break at v3.0.0 too. – Negatar Sep 10 '20 at 16:01
  • I don’t think it will be broken, and my experience tells you not everything in Azure will be documented. Even if it breaks, there should be a new method to get the secret value, otherwise this command will make no sense. – Joy Wang Sep 10 '20 at 16:28

5 Answers

15

This can be done with:

Get the secret with:

$secret = Get-AzKeyVaultSecret -VaultName {YourVaultName} -Name {YourSecret}
$pass = $secret.SecretValue | ConvertFrom-SecureString -AsPlainText

This is the same as $secret.SecretValueText

AnaSantos
  • Hmmm interesting. It must be some undocumented alias. Joy highlighted this as well. I do still get the SecretValueText deprecation warning when using SecretValue. That seems to be just because I have used `Get-AzKeyVaultSecret`. Maybe you guys got it right, but without the docs or someone from Microsoft confirming I'm not confident in SecretValue as a long-term solution. :S – Negatar Sep 16 '20 at 22:42
  • Official docs https://learn.microsoft.com/en-us/powershell/azure/migrate-az-5.0.0#get-azkeyvaultsecret – alv Jun 02 '21 at 14:41
11

Microsoft documentation has now been updated. This example is taken from the latest docs:

$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
$secretValueText = '';
$ssPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secret.SecretValue)
try {
    $secretValueText = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($ssPtr)
} finally {
    [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ssPtr)
}
Write-Host "Secret Value is:" $secretValueText

Secret Value is: P@ssw0rd
Richard Hurley
  • 2
    Wonder why they didn't just bundle these .NET calls into the existing SecretValueText method. That could have avoided the breaking change and kept the simple syntax. – Negatar Dec 04 '20 at 20:42
8

Well, even if the SecretValueText will be deprecated, there is a way that will always work.

Just use $secret.SecretValue. It is a System.Security.SecureString, so we just need to convert it to a String; the $Password below is what you want.

$secret = Get-AzKeyVaultSecret -VaultName joykeyvault -Name mySecret123
$SecurePassword = $secret.SecretValue
$Password = [System.Net.NetworkCredential]::new("", $SecurePassword).Password


Joy Wang
5

ConvertFrom-SecureString -AsPlainText is supported only in PowerShell 7. Don't try it on lower versions.

Manvendra Bele
3

You can use the -AsPlainText switch on Get-AzKeyVaultSecret.

$secretText = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret' -AsPlainText

Another option is to add SecretValueText property back to the Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecretIdentityItem objects.

# Update PSKeyVaultSecretIdentityItem object type to include scriptproperty secretvaluetext
$Script = { Get-AzKeyVaultSecret -VaultName $this.VaultName -Name $this.Name -AsPlainText }
Update-TypeData -TypeName 'Microsoft.Azure.Commands.KeyVault.Models.PSKeyVaultSecretIdentityItem' -MemberName 'SecretValueText' -MemberType ScriptProperty -Value $Script

# SecretValueText property will contain decrypted secret text for the session
$secret = Get-AzKeyVaultSecret -VaultName 'Contoso' -Name 'ITSecret'
$secret.SecretValueText
AdminOfThings
  • `-AsPlainText` is not recognized as valid argument when running Az PowerShell in PowerShell 7. – zendu May 20 '21 at 22:41
  • @zendu this was added in [Az.KeyVault version 5.3.0 - December 2020](https://learn.microsoft.com/en-us/powershell/azure/release-notes-azureps?view=azps-6.2.1#530---december-2020) – felickz Jul 14 '21 at 14:40
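
Added example (not part of any answer above and not Microsoft's code): the approaches from the answers combined into one helper that detects at run time whether the installed cmdlet has -AsPlainText and which PowerShell version is running. The function names ConvertTo-PlainText and Get-KeyVaultSecretText are hypothetical, Get-KeyVaultSecretText assumes the Az.KeyVault module is installed when it is called, and the sample value at the end is constructed.

```powershell
# Added example. ConvertTo-PlainText and Get-KeyVaultSecretText are hypothetical names.
function ConvertTo-PlainText {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.SecureString] $SecureString
    )
    process {
        # PowerShell 7+: ConvertFrom-SecureString supports -AsPlainText.
        if ($PSVersionTable.PSVersion.Major -ge 7) {
            return ConvertFrom-SecureString -SecureString $SecureString -AsPlainText
        }
        # Older versions: copy into an unmanaged BSTR, read it, then zero and free it.
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
        try {
            [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        } finally {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
}

function Get-KeyVaultSecretText {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $Name
    )
    # Assumes Az.KeyVault is installed; fails early if the cmdlet is missing.
    $cmd = Get-Command -Name Get-AzKeyVaultSecret -ErrorAction Stop
    # Use the cmdlet's own -AsPlainText switch when this module version has it.
    if ($cmd.Parameters.ContainsKey('AsPlainText')) {
        return Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name -AsPlainText
    }
    $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $Name
    if ($null -eq $secret) { throw "No secret '$Name' returned from vault '$VaultName'." }
    ConvertTo-PlainText -SecureString $secret.SecretValue
}

# Constructed sample value: checks the conversion offline, no vault required.
$sample = ConvertTo-SecureString -String 'constructed-sample-value' -AsPlainText -Force
$plain = $sample | ConvertTo-PlainText
if ($plain -ne 'constructed-sample-value') { throw 'SecureString round trip failed' }
```

The returned value is an ordinary managed string that cannot be zeroed afterwards, so keep it out of Write-Host, transcripts and logs. Where the consumer accepts a SecureString or PSCredential, pass `$secret.SecretValue` directly instead of converting.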