We would like to call Vault in PowerShell scripts and get credentials to use in the script. I am not sure how to handle the secret zero part securely without compromise. For example, if I use some kind of auth method to get an initial Vault token and then use it to read secrets, anyone else who has access to the script can make minor changes to it and will be able to get access to secrets from Vault. I wonder if anyone has a way to securely use Vault in PowerShell or any other scripts which are in plaintext, or if there is a way that if someone makes changes to the script (if the file hash changed) it would invalidate access to the auth method. Any help is very much appreciated.
Hi Vamsinm, welcome to the community!
Can you share a little more about how this script will be executed? Is it run ad-hoc by people, or within a pipeline etc? There are a few means of addressing this but some are more suitable than others depending on your workflow.
Cheers,
Grant
Hi Grant, the script would be run ad-hoc by people or scheduled on a server. I see a way to securely use it in a GitLab pipeline, but unfortunately PowerShell remoting does not work from PowerShell Core on a Linux image. Thank you very much!
Thanks for the info - that helps.
In the situation that a user is executing the script, you could have them login to Vault via Azure AD (or another equivalent method). For example:
export VAULT_TOKEN=$(vault login -format=json -method=oidc | jq -r .auth.client_token)
You could then have your script read from the environment variable.
Next up - scheduled on a server. Your GitLab idea is a great one since each pipeline has its own JWT that could be used to authenticate to Vault. If you used the Windows binary for the runner this could be a pretty clean way to achieve what you are going for. Assuming that isn’t an option though…
Machine authentication to Vault can occur in a few ways, depending on where it is running. For the public clouds you could use the compute instance metadata to authenticate, but if you are running on-premises you would need to fall back to certificate auth, kerberos, or HashiCorp’s AppRole auth method.
All of these come back to an underlying principle that you asked about in your original post - how do we make sure that identity (for Authn) is not tightly coupled with the script, but contextual based on who or what is executing it.
I hope that helps - shout if you have any follow up questions.
Cheers,
Grant
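As an added example (not code from this thread or from HashiCorp), here is the shape of a PowerShell script that follows Grant's advice: no credential lives in the file, the token comes from VAULT_TOKEN after an interactive `vault login -method=oidc`, and a scheduled run can instead exchange an AppRole role_id/secret_id handed in by the scheduler for a short-lived token. The KV v2 mount `secret` and path `app/db` are assumed placeholders.

```powershell
# Added example: read a KV v2 secret using a token taken from the environment,
# so the script file itself contains nothing worth stealing.
$ErrorActionPreference = 'Stop'

function Get-VaultKv2Secret {
    param(
        [Parameter(Mandatory)] [string] $Path,       # assumed path, e.g. "app/db"
        [string] $Mount     = 'secret',              # assumed KV v2 mount name
        [string] $VaultAddr = $env:VAULT_ADDR,
        [string] $Token     = $env:VAULT_TOKEN       # populated by `vault login -method=oidc`
    )
    if (-not $VaultAddr) { throw 'VAULT_ADDR is not set' }
    if (-not $Token)     { throw 'VAULT_TOKEN is not set; run `vault login -method=oidc` first' }

    $uri     = "$($VaultAddr.TrimEnd('/'))/v1/$Mount/data/$Path"
    $headers = @{ 'X-Vault-Token' = $Token }

    # KV v2 nests the key/value pairs under data.data
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    return $resp.data.data
}

# For a scheduled run with no human present: exchange an AppRole role_id/secret_id
# (supplied by the scheduler at run time, never stored in this file) for a token
# whose TTL is set by the Vault role, not by the script.
function Connect-VaultAppRole {
    param(
        [Parameter(Mandatory)] [string] $RoleId,
        [Parameter(Mandatory)] [string] $SecretId,
        [string] $VaultAddr = $env:VAULT_ADDR
    )
    $body = @{ role_id = $RoleId; secret_id = $SecretId } | ConvertTo-Json
    $uri  = "$($VaultAddr.TrimEnd('/'))/v1/auth/approle/login"
    $resp = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/json'
    return $resp.auth.client_token
}

# Usage (interactive case): the token belongs to whoever ran `vault login`,
# so Vault policy, not the script, decides what they may read.
$creds = Get-VaultKv2Secret -Path 'app/db'
# use $creds.username / $creds.password in the rest of the script; keep them out of logs
```

Whoever supplies the token or AppRole credentials can of course read whatever that identity is allowed to read; the gain is that the script file grants nothing on its own, and the access is attributable to a specific person or job in Vault's audit log.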
Hi Grant, thank you very much for your response. I really like the GitLab CI JWT idea because the Vault token is issued for the JWT token, and as soon as the job is done the Vault token will also expire. There is very little chance that someone (a human user) can grab the token and read secrets from Vault. That makes the IT security audit gods happy. But unfortunately that does not work because of the limitations with PowerShell Core remoting from Linux to Windows.
In other cases, where exporting the token to environment variables or using cert authentication, a human user will still be able to get access to secrets (for example service account passwords) from Vault, which makes security auditors cringe.
It would be cool to have some kind of file hash check for use in (plain text file) scripts, in order to check if there is an unauthorized change; it should invalidate access and only allow secrets from the script if the hash is verified.
Thank you again for your help!