Retrieve secret from secret vault - without a password?

I’ve been playing around with the PowerShell Secret Management module, hoping I could fix the issue of having passwords in certain scripts I’m running on a schedule. However, it seems that I’m not able to solve this issue with the secret management module, but I’m hoping I’m wrong and someone has a solution for me.

So the situation is as follows. I’ve got PowerShell scripts running on a schedule. These scripts perform actions and some of these actions require a login. For instance, a username and password for an SMTP server. I was hoping to store these credentials in a secret vault and then retrieve the secret from the vault from the PowerShell script.

However: in order to retrieve the secret from the vault, I need to supply a password…
Yes, I still need to code a password in my script. While the whole idea is to have no passwords in my script.

So, is this the wrong solution for my issue? Or can I access the vault in another manner which is still secure but does not require me to code the secret to the store in my script?

Any suggestions for other solutions are also very welcome 🙂

Laurence,
Welcome to the forum. 👋🏽

I might be wrong about that, but as I understood it, it’s not made for this purpose. So you will not be able to use it for this purpose properly.

The easiest way in my opinion is to use the account actually needed to access the target resource for the scheduled task to run. So you don’t even need to have credentials in the script.

If you want to use external resources outside your Active Directory domain you should try to store the credentials in a secure way. I don’t have personal experience with it because I’ve never needed something like this so far.
I googled a few links for you … maybe they’ll help.

https://www.sqlshack.com/how-to-secure-your-passwords-with-powershell/

https://blog.ctglobalservices.com/powershell/rja/store-encrypted-password-in-a-powershell-script/

https://4sysops.com/archives/encrypt-passwords-securely-in-your-powershell-scripts/

The key issue in my opinion isn’t the safe storage of the username and password anyway - it’s the way of providing them to the target resource. 😉

Hi Olaf,

Thank you very much for your reply. I had seen the solution to save the encrypted password in a text file before, but thought it wasn’t very neat. But, seeing all these posts now, it looks like this is a best practice within the community.

And who knows, maybe in the future there will be an addition to the secret management module to store these encrypted passwords without the need to authenticate with a password to retrieve them 🙂

Hello … try the below; that should fix your issue. After setting the password one time, you will not need to authenticate every time you retrieve a secret from your vault.

Set-SecretStoreConfiguration -PasswordTimeout 0 -Authentication None -Force

Hi WinOpsEngineer,

Thank you for the suggestion. It does look promising, I’ve tested it out and it does work. It does raise the question: by setting the configuration to Authentication None, doesn’t this introduce the risk that someone else on the server is able to access my vault?

Nope. They will only have access if they are logged in as you. Test it with another account.
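
An alternative that keeps the vault on password authentication, given here as an added example that is not part of the thread: the vault password is stored once as a DPAPI-protected file (the encrypted-file approach from the links above) and the scheduled script uses it to unlock the SecretStore. It assumes Windows, that setup is run under the same account as the scheduled task, and a hypothetical path `C:\Automation\vaultpw.xml` and secret name `SmtpCredential`.

```powershell
# Added example; the path and the secret name are hypothetical placeholders.
# Requires the Microsoft.PowerShell.SecretManagement and
# Microsoft.PowerShell.SecretStore modules.

$vaultPasswordPath = 'C:\Automation\vaultpw.xml'   # hypothetical path

# One-time setup: run interactively AS THE ACCOUNT THE TASK RUNS UNDER.
function Initialize-TaskVault {
    # On Windows, Export-Clixml protects a SecureString with DPAPI, so the
    # file only decrypts for this user on this machine.
    $vaultPassword = Read-Host -AsSecureString -Prompt 'New vault password'
    $vaultPassword | Export-Clixml -Path $vaultPasswordPath

    Register-SecretVault -Name SecretStore `
        -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault

    $config = @{
        Authentication  = 'Password'   # vault stays password-protected
        PasswordTimeout = 900          # seconds the vault stays unlocked
        Interaction     = 'None'       # fail instead of prompting in a task
        Password        = $vaultPassword
        Confirm         = $false
    }
    Set-SecretStoreConfiguration @config

    # Store the SMTP login as a PSCredential in the vault.
    Unlock-SecretStore -Password $vaultPassword
    Set-Secret -Name 'SmtpCredential' -Vault SecretStore `
        -Secret (Get-Credential -Message 'SMTP account')
}

# Called from the scheduled script: no password literal in the script.
function Get-TaskSecret {
    param([Parameter(Mandatory)][string]$Name)

    $vaultPassword = Import-Clixml -Path $vaultPasswordPath
    Unlock-SecretStore -Password $vaultPassword
    Get-Secret -Name $Name -Vault SecretStore
}

# Usage inside the scheduled script:
# $smtpCredential = Get-TaskSecret -Name 'SmtpCredential'
```

As with `-Authentication None`, anything that runs as the task account can read the secrets, so the protection still rests on that account.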