Set-Secret deletes secrets unexpectedly

[danikuci1]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest released version
• Search the existing issues.

Steps to reproduce

I am trying to leverage the secrets management module to manage secrets in Azure KeyVault and want to update some metadata when a password is updated. This works fine in the AKV but fails when doing it with the module.

Expected behavior

PS> Set-Secret -Name "SomeSecret" -SecureStringSecret $NewPasswordSecureString -Vault MyVault -Metadata @{Expiration = (Get-Date).AddMonth(1)}

Congrats! Your secret was updated and has all is well! Yay!

Actual behavior

PS> Set-Secret -Name "SomeSecret" -SecureStringSecret $NewPasswordSecureString -Vault MyVault -Metadata @{Expiration = (Get-Date).AddMonth(1)}

Set-Secret: Cannot add secret metadata 'SomeSecret' to vault 'MyVault': The vault does not support the Set-SecretInfo function.

Yet this works fine if I specify the same metadata with Set-AzKeyVaultSecret or do it manually through the portal

Error details

Exception             :
    Type        : System.Management.Automation.PSNotSupportedException
    ErrorRecord :
        Exception             :
            Type    : System.Management.Automation.ParentContainsErrorRecordException
            Message : Cannot add secret metadata '...' to vault '...: The vault does not support the
Set-SecretInfo function.
            HResult : -2146233087
        CategoryInfo          : NotImplemented: (:) [], ParentContainsErrorRecordException
        FullyQualifiedErrorId : NotSupported
    Message     : Cannot add secret metadata '...' to vault '...: The vault does not support the
Set-SecretInfo function.
    HResult     : -2146233067
TargetObject          : Microsoft.PowerShell.SecretManagement.ExtensionVaultModule
CategoryInfo          : NotImplemented: (Microsoft.PowerShel…xtensionVaultModule:ExtensionVaultModule) [Set-Secret],
PSNotSupportedException
FullyQualifiedErrorId : SetSecretMetadataCommandNotSupported,Microsoft.PowerShell.SecretManagement.SetSecretCommand
InvocationInfo        :
    MyCommand        : Set-Secret
    ScriptLineNumber : 1
    OffsetInLine     : 1
    HistoryId        : 48
    Line             : Set-Secret -Name "..." -SecureStringSecret $(New-Password -SecureString) -Vault
...-Metadata @{Expiration = (Get-Date).AddDays(100)} -Debug
    PositionMessage  : At line:1 char:1
                       + Set-Secret -Name "..." -SecureStringSecret $(New-Password -Sec …
                       + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    InvocationName   : Set-Secret
    CommandOrigin    : Internal
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo :

Environment data

Name                           Value
----                           -----
PSVersion                      7.4.4
PSEdition                      Core
GitCommitId                    7.4.4
OS                             Microsoft Windows 10.0.20348
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version

im not using cresendo

Visuals

No response

[andyleejordan]

Hi, can you please cross-file a bug with https://github.com/Azure/azure-powershell? They maintain https://www.powershellgallery.com/packages/Az.KeyVault/2.0.0 which is the implementing module you're getting an error from.

[danikuci1]

opened Azure/azure-powershell#25975 as requested, though im not sure the az.keyvault module is to blame here. consider the verbose output from Set-Secret:

VERBOSE: Performing the operation "Write secret to vault and override any existing secret of the same name" on target "asdf".
VERBOSE: Invoking command Set-Secret on module Az.KeyVault.Extension
VERBOSE: Invoking command Set-SecretInfo on module Az.KeyVault.Extension
Set-Secret: Cannot add secret metadata '624881344' to vault 'asdf: The vault does not support the Set-SecretInfo function.
VERBOSE: Invoking command Remove-Secret on module Az.KeyVault.Extension
VERBOSE: Secret 624881344 was successfully removed from vault asdf.

[danikuci1]

looking through the tests it seems maybe the module isnt intended to support metadata at all?

SecretManagement/test/Microsoft.PowerShell.SecretManagement.Tests.ps1

Line 127 in de1e499

# NOTE: Metadata is supported only through Set-SecretInfo (not Set-Secret)

contrary to this comment, Set-SecretInfo also does not set metadata in AKV, although it doesn't delete the secret at least 🤷