Powershell retrieve KV secret from Vault

Hello All,

Hoping someone could assist please?

Basically I am trying to use powershell to retrieve a secret from Vault using approle.

Unfortunately I am not a powershell expert as well. How can I achieve this using api call within a powershell script so that:

VAULT KV SECRET -----> Pass secret to POWERSHELL and store as a variable

Many thanks.

To further add to my initial post, I am trying to use this powershell command to get a client_token from an approle. However, I am having issues trying to retrieve the client_token and using that to get the KV secret.

$Vault_Address       = ''
$VAULT_ROOT          = $Vault_Address + '/v1'
$VAULT_LOGIN_APPROLE = $VAULT_ROOT+'/auth/approle/login'
$VAULT_KV_PATH       = $VAULT_ROOT+'/kv/user'

$RoleID              = 'fdacdafeasdadfa'
$SecretID            = 'ddafdacadcadadc'

#Set env variable for vault address
$ENV:VAULT_ADDR = $Vault_Address

$payload = @{
  "role_id"   = $RoleID
  "secret_id" = $SecretID
}

#Get client token from approle login
$Client_Token = Invoke-RestMethod -Method Post -Uri $VAULT_LOGIN_APPROLE -body $payload -Headers @headers

#Set vault token environment variable
$ENV:VAULT_TOKEN = $Client_Token

$header = @{
   'X-Vault-Token' = ${ENV:VAULT_TOKEN}
}

#Get the password from KV
$KV_Password = Invoke-RestMethod -Method Get -Uri $VAULT_KV_PATH -Headers $header


I am getting the error:

Invoke-RestMethod : {"errors":["missing client token"]}
At line:19 char:16
+ ... ientToken = Invoke-RestMethod -Method Post -Uri $VAULT_LOGIN_APPROLE  ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

The vault cli commands below are what I am trying to replicate using powershell api:

$ENV:VAULT_ADDR = $vault_addr

$client_token = vault write --field=token auth/approle/logging/login role_id=$approle_id secret_id=$approle_secret

$ENV:VAULT_TOKEN = $client_token

$KV_Password = vault kv get -field=password kv/user

The error I am getting is because of the client token but I thought you would set the environment variable of the client token after you get it from approle login. Just like how it is done on vault CLI. So I am really stuck on this for hours. Any help would be much appreciated. Thanks.

Can you confirm your client token is being returned in this command?

I suspect it isn’t and you need to convert your $payload variable to JSON. Try this instead:

$payload = @{
  "role_id"   = $RoleID
  "secret_id" = $SecretID
} | ConvertTo-Json

Have you got this figured out? We’re trying to build scripts to be used in our CI/CD pipelines.

Isn’t it just a typo? Shouldn’t it just be as simple as changing “${ENV:VAULT_TOKEN}”

…to either:

$header = @{
  "X-Vault-Token" =  "$($ENV:VAULT_TOKEN)"
}


$header = @{
  Authorization="Bearer $($ENV:VAULT_TOKEN)"
}
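
Added example, not code from any poster in this thread: the whole flow discussed above (AppRole login with a JSON body, pulling the token out of the login response, then reading one field from KV) as a single PowerShell function. The function name, the VAULT_ROLE_ID / VAULT_SECRET_ID environment variables and the KV version switch are assumptions; the thread does not say whether the kv mount is version 1 or 2.

```powershell
# Hypothetical helper (name and parameters are illustrative, not from the thread).
function Get-VaultKvField {
    param(
        [Parameter(Mandatory)] [string] $VaultAddress,  # base URL of the Vault server
        [Parameter(Mandatory)] [string] $RoleId,
        [Parameter(Mandatory)] [string] $SecretId,
        [Parameter(Mandatory)] [string] $Field,
        # Must match where AppRole is mounted; the CLI commands in the thread
        # use 'approle/logging' while the script uses 'approle'.
        [string] $AppRoleMount = 'approle',
        [string] $KvMount      = 'kv',
        [string] $SecretPath   = 'user',
        [ValidateSet(1, 2)] [int] $KvVersion = 2         # assumption: unknown in the thread
    )
    $root = $VaultAddress.TrimEnd('/') + '/v1'

    # Login is unauthenticated: JSON body, no X-Vault-Token header.
    $body  = @{ role_id = $RoleId; secret_id = $SecretId } | ConvertTo-Json
    $login = Invoke-RestMethod -Method Post -Uri "$root/auth/$AppRoleMount/login" `
                               -Body $body -ContentType 'application/json'

    # The response is an object; the token itself is at auth.client_token.
    $token = $login.auth.client_token
    if ([string]::IsNullOrEmpty($token)) { throw 'AppRole login returned no client_token' }
    $headers = @{ 'X-Vault-Token' = $token }

    # KV v2 inserts 'data/' into the API path and nests the values one level deeper.
    if ($KvVersion -eq 2) {
        $resp = Invoke-RestMethod -Method Get -Uri "$root/$KvMount/data/$SecretPath" -Headers $headers
        $data = $resp.data.data
    } else {
        $resp = Invoke-RestMethod -Method Get -Uri "$root/$KvMount/$SecretPath" -Headers $headers
        $data = $resp.data
    }
    if ($null -eq $data -or $null -eq $data.$Field) {
        throw "Field '$Field' not found at $KvMount/$SecretPath"
    }
    return $data.$Field
}

# Credentials come from the environment rather than being hard-coded in the script.
$KV_Password = Get-VaultKvField -VaultAddress $env:VAULT_ADDR `
    -RoleId $env:VAULT_ROLE_ID -SecretId $env:VAULT_SECRET_ID -Field 'password'
```

The token stays in a local variable instead of $ENV:VAULT_TOKEN, so it is not inherited by child processes started later in the same pipeline step.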