Powershell Secret Retrieval

# Request parameters, splatted into Invoke-RestMethod below
$param2 = @{
    Method      = "Get"
    Uri         = "www.foo.com/v1/PROD/SSO/data/foo"
    ContentType = "application/json"
}

# Vault authenticates API calls with the X-Vault-Token header
$headers = @{
    'X-Vault-Token' = 'vaultToken'
}

$secretVal = Invoke-RestMethod @param2 -Headers $headers

I'm trying to pull an arbitrary secret from our vault, but when the code runs nothing is returned for some reason. Any help would be appreciated!
Also, quick side note: when trying to use a client token, the script errors out and says permission denied when using the one generated from PowerShell while logging in. However, it will run using the token from the UI. Any ideas on this one?

What is the path of your KVv2 mount? Your snippet would indicate that the mount path is PROD/SSO, which I’m going to guess is actually a folder.

If PROD/SSO is actually a folder then the URI needs to be something more like "www.foo.com/v1/secrets/data/PROD/SSO/foo" where secrets is the name of your KV mount path.

If the path is correct and you’re getting different results based on where the token is being generated from then I would look to see which policies are being applied to each token to see if there is a difference.
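To make the two points in the reply above concrete (where the mount and the folder prefix sit in a KV v2 URL, and how to compare what policies each token actually carries), here is an added PowerShell example. It is not code from the thread; the mount name `secrets`, the address in `$env:VAULT_ADDR` and the token in `$env:VAULT_TOKEN` are assumptions.

```powershell
# Added example (not from the thread). Assumptions: Vault reachable at
# $env:VAULT_ADDR, a token in $env:VAULT_TOKEN, and a KV v2 engine mounted
# at "secrets" with the secret stored under the folder PROD/SSO.

function Get-KvV2DataUri {
    param(
        [Parameter(Mandatory)] [string] $VaultAddr,   # e.g. https://vault.example.com:8200 (assumed)
        [Parameter(Mandatory)] [string] $Mount,       # KV v2 mount name, e.g. "secrets" (assumed)
        [Parameter(Mandatory)] [string] $SecretPath   # path *inside* the mount, e.g. "PROD/SSO/foo"
    )
    # KV v2 inserts "data" between the mount and the secret path. Any folder
    # prefix belongs after "data", never before it; putting a folder where the
    # mount name goes yields a path Vault has no handler for.
    $base = $VaultAddr.TrimEnd('/')
    return "$base/v1/$($Mount.Trim('/'))/data/$($SecretPath.Trim('/'))"
}

function Get-VaultTokenPolicies {
    param(
        [Parameter(Mandatory)] [string] $VaultAddr,
        [Parameter(Mandatory)] [string] $Token
    )
    # GET /v1/auth/token/lookup-self describes the token that makes the call.
    # Run it once with the UI token and once with the PowerShell-generated one:
    # if the policy lists differ, the 403 on the secret path is explained.
    $lookup = Invoke-RestMethod -Method Get `
        -Uri "$($VaultAddr.TrimEnd('/'))/v1/auth/token/lookup-self" `
        -Headers @{ 'X-Vault-Token' = $Token }
    return $lookup.data.policies
}

$uri = Get-KvV2DataUri -VaultAddr $env:VAULT_ADDR -Mount 'secrets' -SecretPath 'PROD/SSO/foo'

$policies = Get-VaultTokenPolicies -VaultAddr $env:VAULT_ADDR -Token $env:VAULT_TOKEN
"Policies on this token: $($policies -join ', ')"

$secret = Invoke-RestMethod -Method Get -Uri $uri `
    -Headers @{ 'X-Vault-Token' = $env:VAULT_TOKEN } -ContentType 'application/json'
# KV v2 nests the key/value pairs one level deeper than KV v1: data.data
$secret.data.data.PSObject.Properties.Name   # print the keys only, never the values
```

Run `Get-VaultTokenPolicies` with each token in turn; the policy names are what a `permission denied` should be checked against, and `lookup-self` itself works with any valid token, so it is a safe first call before touching the secret path.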

I'm very sorry for the late response, I was on PTO, but when I try to do it the way you showed I get permission denied. My company policy doesn't allow me to put the full path, but here is what I can put:


This path allows me access but won't print out anything; there is a value at foo in the UI. PROD is another namespace under our company’s space and our team space. SSO is our v2 secrets engine.

Also, for the token issue, I have all admin policies for me linked to each of my auth methods. This only became an issue using PowerShell; I did this all through the terminal with no such issues.

Try adding the -output-curl-string parameter to your command using the Vault binary. That should output what you would use via curl and should be fairly easy to translate to Invoke-RestMethod.

The URL you gave in your first post:

is rather different from your second post:


PowerShell seems to work fine for me, so I think whatever is causing your issue, is in what you’re not showing us.

PS C:\Users\maxbo> vault kv get secret/foobar
=== Secret Path ===

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-28T19:49:13.0692512Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

=== Data ===
Key    Value
---    -----
foo    bar
PS C:\Users\maxbo>
PS C:\Users\maxbo> (Invoke-RestMethod -Uri "http://localhost:8200/v1/secret/data/foobar" -Headers @{'X-Vault-Token'='root'}).data.data.foo
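The transcript above reads `data.data.foo` from a local dev server where everything lines up. As an added example (not maxbo's or the original poster's code), the same Invoke-RestMethod call is wrapped so that the two failure modes seen in this thread are distinguishable: a 403 surfaces Vault's own error text instead of a generic PowerShell exception, and an empty result is reported instead of silently printing nothing. Because an earlier post says PROD is a namespace and SSO is the v2 engine, the example also sends the `X-Vault-Namespace` header; the mount name `SSO`, the namespace `PROD`, `$env:VAULT_ADDR` and `$env:VAULT_TOKEN` are assumptions about that layout, not facts the thread confirms.

```powershell
# Added example, not from the thread. Works on Windows PowerShell 5.1 and
# PowerShell 7. Assumptions: Vault at $env:VAULT_ADDR, token in
# $env:VAULT_TOKEN, KV v2 mounted as "SSO" inside the namespace "PROD".

function Read-KvV2Secret {
    param(
        [Parameter(Mandatory)] [string] $VaultAddr,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Mount,
        [Parameter(Mandatory)] [string] $SecretPath,
        [string] $Namespace   # optional; sent as X-Vault-Namespace when set
    )
    $uri = "$($VaultAddr.TrimEnd('/'))/v1/$Mount/data/$SecretPath"
    $headers = @{ 'X-Vault-Token' = $Token }
    if ($Namespace) { $headers['X-Vault-Namespace'] = $Namespace }

    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    }
    catch {
        # Invoke-RestMethod throws on any non-2xx status. PowerShell 7 puts the
        # response body in ErrorDetails; Windows PowerShell 5.1 leaves it on the
        # response stream. Read both so Vault's text ("permission denied",
        # "no handler for route", ...) is not lost.
        $body = $_.ErrorDetails.Message
        if (-not $body -and $_.Exception.Response) {
            $stream = $_.Exception.Response.GetResponseStream()
            $body = (New-Object System.IO.StreamReader($stream)).ReadToEnd()
        }
        $status = [int]$_.Exception.Response.StatusCode
        throw "Vault returned HTTP $status for $($uri): $body"
    }

    # KV v2 wraps the key/value pairs in data.data; data.metadata holds the version.
    if (-not $resp.data -or -not $resp.data.data) {
        throw "No data at $uri (deleted version, wrong path, or KV v1 mount?)"
    }
    return $resp.data.data
}

$kv = Read-KvV2Secret -VaultAddr $env:VAULT_ADDR -Token $env:VAULT_TOKEN `
    -Namespace 'PROD' -Mount 'SSO' -SecretPath 'foo'

# Show which keys came back without writing the values into the console or a transcript.
$kv.PSObject.Properties | ForEach-Object { "$($_.Name) = <redacted, $($_.Value.Length) chars>" }
```

Vault accepts the namespace either as the `X-Vault-Namespace` header or as a prefix on the path (`/v1/PROD/SSO/data/foo`); the two forms are equivalent, so whichever one the `vault` CLI was using on the terminal can be copied into the script unchanged. What the script must not do is swallow the exception: a `permission denied` caught silently looks exactly like "nothing is returned".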

It is different; I just didn’t post the full thing yet because I was waiting for our security team to give the okay on it, essentially.

As for your second post, the only issue I've run into with PowerShell is it doesn't take the client token it generates. It all works besides that; I have to get my token from the UI and put it into the PowerShell script.

Thanks for your help, by the way, it is very appreciated! I'll go ahead and try this soon and get back to you!

I mimicked your PowerShell request, and I still received a permission denied. I don’t know what I am doing wrong, but all I did was translate from the Mac terminal to PowerShell and nothing prints. I appreciate your help though.

I just tried this now and got a permission denied again. Thank you for your continued support.

Dumb question, but you’re updating the 'root' in the headers block to the token you get from the UI, correct?

I'm sorry for the late response; I was on PTO and it was a holiday as well. But yes, I did change ‘root’ to my token from the UI.

Just a quick update here: I ended up solving this. I swapped to using Invoke-WebRequest instead of Invoke-RestMethod (I used WebRequest earlier but I must've messed up my earlier script); this basically got rid of all of the issues I was having. So thank you for all the help!
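The thread ends on Invoke-WebRequest without showing the working script. As an added example (not the original poster's code), here is that form with the HTTP status checked explicitly and the JSON body parsed by hand, plus a login step that obtains the client token from PowerShell itself, which was the other open problem in the thread. It requires PowerShell 7 for `-SkipHttpErrorCheck`. The mount name `SSO`, the namespace `PROD`, `$env:VAULT_ADDR`, and the use of the userpass auth method mounted in that namespace are all assumptions; the thread never names the auth method in use.

```powershell
# Added example, not the original poster's script. Requires PowerShell 7.
# Assumptions, none of which the thread confirms: Vault at $env:VAULT_ADDR,
# KV v2 mount "SSO" inside namespace "PROD", userpass auth in that namespace.

function Invoke-VaultWebRequest {
    # Send one request and return the parsed JSON body. A non-2xx status becomes
    # an exception carrying Vault's "errors" array (e.g. "permission denied"),
    # so a bad token or path can never look like "nothing was returned".
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [hashtable] $Headers = @{},
        [string] $Method = 'Get',
        [string] $Body
    )
    $splat = @{ Method = $Method; Uri = $Uri; Headers = $Headers; SkipHttpErrorCheck = $true }
    if ($Body) { $splat['Body'] = $Body; $splat['ContentType'] = 'application/json' }
    $resp = Invoke-WebRequest @splat
    $json = if ($resp.Content) { $resp.Content | ConvertFrom-Json } else { $null }
    if ($resp.StatusCode -lt 200 -or $resp.StatusCode -ge 300) {
        $errs = if ($json -and $json.errors) { $json.errors -join '; ' } else { 'no error text in body' }
        throw "HTTP $($resp.StatusCode) from $($Uri): $errs"
    }
    return $json
}

function Get-VaultClientToken {
    # Log in and return auth.client_token, trimmed so that a stray newline from
    # copy/paste or Read-Host can never end up inside the X-Vault-Token header.
    param(
        [Parameter(Mandatory)] [string] $VaultAddr,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Namespace
    )
    $headers = @{}
    if ($Namespace) { $headers['X-Vault-Namespace'] = $Namespace }
    $body = @{ password = $Credential.GetNetworkCredential().Password } | ConvertTo-Json
    $json = Invoke-VaultWebRequest -Method Post -Headers $headers -Body $body `
        -Uri "$($VaultAddr.TrimEnd('/'))/v1/auth/userpass/login/$($Credential.UserName)"
    return $json.auth.client_token.Trim()
}

function Get-KvV2Data {
    param(
        [Parameter(Mandatory)] [string] $VaultAddr,
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Mount,
        [Parameter(Mandatory)] [string] $SecretPath,
        [string] $Namespace
    )
    $headers = @{ 'X-Vault-Token' = $Token }
    if ($Namespace) { $headers['X-Vault-Namespace'] = $Namespace }
    $json = Invoke-VaultWebRequest -Headers $headers `
        -Uri "$($VaultAddr.TrimEnd('/'))/v1/$Mount/data/$SecretPath"
    return $json.data.data          # KV v2 keeps the key/value pairs under data.data
}

$cred  = Get-Credential -Message 'Vault userpass login (assumed auth method)'
$token = Get-VaultClientToken -VaultAddr $env:VAULT_ADDR -Credential $cred -Namespace 'PROD'
$kv    = Get-KvV2Data -VaultAddr $env:VAULT_ADDR -Token $token -Namespace 'PROD' -Mount 'SSO' -SecretPath 'foo'
$kv.PSObject.Properties.Name    # list the keys; the values stay out of the console and transcript
```

Because the token is taken from `auth.client_token` in the login response and trimmed before use, the script never depends on a token pasted from the UI, and the same `Invoke-VaultWebRequest` wrapper turns a 403 on either the login or the read into an error that names the failing URL and Vault's reason.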