Public/Get-OriAzBopKeyVaultSecret.ps1

<#
.SYNOPSIS
    Reads a secret value from Key Vault, authenticating with a Managed Identity.
.EXAMPLE
    $SecretUsername = Get-OriAzBopKeyVaultSecret `
                    -VaultName "MyKeyVaultName" `
                    -SecretName "MySecretWithUserName" `
                    -IdentityObjectId "xxxxxxxx-4321-1234-4321-xxxxxxxxxxxx" -Verbose
    $SecretCredential = Get-OriAzBopKeyVaultSecret `
                    -VaultName "MyKeyVaultName" `
                    -UserName $SecretUsername `
                    -SecretName "MySecretWithUserPassword" `
                    -IdentityObjectId "xxxxxxxx-4321-1234-4321-xxxxxxxxxxxx" -Verbose
 
#>

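function Get-OriAzBopKeyVaultSecret { 
    # Fetches a secret from Key Vault in two REST calls: first an access token for
    # $Resource from the Azure Instance Metadata Service (IMDS) on behalf of the
    # identity selected by $IdentityObjectId, then the secret itself from the
    # vault's data plane with that token as a Bearer header.
    # Returns the raw secret string, or a PSCredential wrapping it when $UserName is set.
    # Throws when either call returns nothing or the expected property is missing.
    [CmdletBinding()]
    param
    (   
        [Parameter(Mandatory = $false, HelpMessage = "Type of resource")]
        [string] $Resource = "https://vault.azure.net",

        [Parameter(Mandatory = $false, HelpMessage = "Name of the KeyVault")]
        [string] $VaultName,

        [Parameter(Mandatory = $false, HelpMessage = "Name of the Secret in KeyVault")]
        [string] $SecretName,

        [Parameter(Mandatory = $false, HelpMessage = "Username when the value is not empty it returns values in PSCredential")]
        [string] $UserName,

        [Parameter(Mandatory = $false, HelpMessage = "ObejctId indefiticatio of Indentity. Eg. For onl-ci--identity it is ObjectId 'c5026693-9d1f-4131-99f6-17a42edc9e4a'")]
        [string] $IdentityObjectId         
    )
    $ErrorActionPreference = "Stop";
    Write-Verbose "-- Get-OriAzBopKeyVaultSecret --"
    Write-Verbose "Resource: $Resource "
    Write-Verbose "VaultName: $VaultName "
    Write-Verbose "SecretName: $SecretName "
    Write-Verbose "UserName: $UserName "
    Write-Verbose "IdentityObjectId: $IdentityObjectId "

    # Both names are interpolated into the secret URL below; fail here with a clear
    # message instead of requesting a token and then hitting a malformed vault host.
    if ([string]::IsNullOrWhiteSpace($VaultName) -or [string]::IsNullOrWhiteSpace($SecretName)) {
        Throw "VaultName and SecretName are required to build the KeyVault secret URL [VaultName: '$VaultName', SecretName: '$SecretName']"
    }

    # IMDS token request. The Metadata header is required by the service. No secret
    # is sent in this request, so dumping $authpar into verbose/error output is safe.
    $authpar = @{ 
        Uri     = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01" 
        Body    = @{
            resource  = $Resource
            object_id = $IdentityObjectId
        }
        Headers = @{Metadata = "true" }
    }
    Write-Verbose "authpar: $(ConvertTo-Json $authpar) "
    $AuthRequest = Invoke-RestMethod @authpar
    if ([string]::IsNullOrEmpty($AuthRequest)) {
        Throw "Issue while Authorize to Manage Identity [Input param: $(ConvertTo-Json $authpar)]"
    }
    if ([string]::IsNullOrEmpty($AuthRequest.access_token)) {
        Throw "Issue getting access_token property from the Managed Identity [Input param: $(ConvertTo-Json $authpar)]"
    }

    $AccessToken = $AuthRequest.access_token

    $KeyvaultSecretUrl = 'https://{0}.vault.azure.net/secrets/{1}?api-version=2016-10-01' -f $VaultName, $SecretName
    $GetKeyVaultSecret = @{
        Method  = "GET"
        Uri     = $KeyvaultSecretUrl
        Headers = @{Authorization = "Bearer $AccessToken" }
    }
    # Redacted copy for diagnostics only. The request hashtable carries the bearer
    # token in its Authorization header; serialising it into an exception message
    # would write a live access token into logs and error streams.
    $GetKeyVaultSecretForLog = @{
        Method  = $GetKeyVaultSecret.Method
        Uri     = $GetKeyVaultSecret.Uri
        Headers = @{Authorization = "Bearer <redacted>" }
    }

    $Secret = Invoke-RestMethod @GetKeyVaultSecret
    if ([string]::IsNullOrEmpty($Secret)) {
        Throw "Issue getting KeyVaultSecret [Input param: $(ConvertTo-Json $GetKeyVaultSecretForLog)]"
    }
    if ([string]::IsNullOrEmpty($Secret.value)) {
        Throw "Issue getting value property from the Secret [Input param: $(ConvertTo-Json $GetKeyVaultSecretForLog)]"
    }
    
    $SecretValue = $Secret.value
    
    # When the UserName is set the secret is wrapped in a PSCredential so the
    # caller receives a SecureString rather than a plain [string].
    if (![string]::IsNullOrEmpty($UserName)) {
        $SecretKey = ConvertTo-SecureString $SecretValue -AsPlainText -Force
        $toReturn = New-Object System.Management.Automation.PSCredential ($UserName, $SecretKey)
    }
    else {
        $toReturn = $SecretValue
    } 
    Write-Verbose "-- End of Get-OriAzBopKeyVaultSecret --"
    return $toReturn
}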