functions/Get-TssSecret.ps1
|
function Get-TssSecret { <# .SYNOPSIS Get a secret from Secret Server .DESCRIPTION Get a secret(s) from Secret Server .PARAMETER Id Secret ID to retrieve, accepts an array of IDs .PARAMETER Comment Comment to provide for restricted secret (Require Comment is enabled) .PARAMETER Raw Output the raw response from the REST API endpoint .EXAMPLE PS C:\> Get-TssSecret -Id 93 Returns secret associated with the Secret ID, 93 .EXAMPLE PS C:\> Get-TssSecret -Id 1723 -Comment "Accessing application Y" Returns secret associated with the Secret ID, 1723, providing required comment .NOTES Requires New-TssSession session be set #> [cmdletbinding()] param( # Return only specific Secret, Secret Id [Parameter(Mandatory,ValueFromPipelineByPropertyName,ParameterSetName="norm")] [Alias("SecretId")] [int[]] $Id, # Provide comment for restricted secret [string] $Comment, # output the raw response from the API endpoint [switch] $Raw ) begin { $invokeParams = @{ } } process { . $TestTssSession -Session foreach ($secret in $Id) { $restResponse = $null $errorResponse = $null $uri = $TssSession.SecretServerUrl, $TssSession.ApiVersion, "secrets", $secret.ToString() -join '/' if ($Comment) { $uri = $uri, "restricted" -join "/" $body = "{'comment':'$Comment', 'includeInactive':'$true'}" $invokeParams.Uri = $Uri $invokeParams.Method = 'POST' $invokeParams.Body = $body } else { $uri = $uri, "includeInactive=true" -join "?" $invokeParams.Uri = $Uri $invokeParams.Method = 'GET' } $invokeParams.PersonalAccessToken = $TssSession.AuthToken try { $restResponse = Invoke-TssRestApi @invokeParams -ErrorAction Stop } catch { $errorResponse = $_.ErrorDetails.Message | ConvertFrom-Json } if ($Raw -and $restResponse) { $restResponse } elseif ($restResponse -and -not $restResponse.code) { $outSecret = [PSCustomObject]@{ SecretId = $restResponse.id SecretName = $restResponse.name TemplateId = $restResponse.secretTemplateId FolderId = if ($restResponse.folderId -eq -1) { $null } else { $restResponse.folderId } Status = if ($restResponse.active) { "Active" } else { "Inactive" } LauncherConnectSecretId = if ($restResponse.launcherConnectAsSecretId -eq -1) { $null } else { $restResponse.launcherConnectAsSecretId } Restricted = $restResponse.isRestricted OutOfSync = $restResponse.isOutOfSync OutOfSyncReason = $restResponse.outOfSyncReason AutoChangeEnabled = $restResponse.autoChangeEnabled AutoChangeNextPassword = $restResponse.AutoChangeNextPassword ApprovalForAccessRequired = $restResponse.requiresApprovalForAccess CommentRequired = $restResponse.requiresComment CheckedOut = $restResponse.checkedOut CheckoutEnabled = $restResponse.checkOutEnabled CheckoutUserId = if ($restResponse.checkOutUserId -eq -1) { $null } else { $restResponse.checkOutUserId } CheckoutUserName = if ($restResponse.checkOutUserDisplayName -eq -1) { $null } else { $restResponse.checkOutUserDisplayName } CheckoutIntervalMinutes = if ($restResponse.CheckoutIntervalMinutes -eq -1) { $null } else { $restResponse.checkOutIntervalMinutes } CheckoutChangePassword = $restResponse.checkOutChangePasswordEnabled AccessRequestWorkflowMapId = if ($restResponse.accessRequestWorkflowMapId -eq -1) { $null } else { $restResponse.accessRequestWorkflowMapId } Proxy = $restResponse.proxyEnabled SessionRecording = $restResponse.sessionRecordingEnabled SSHCommandsRestricted = $restResponse.restrictSshCommands SSHCommandsOwnersUnrestricted = $restResponse.allowOwnersUnrestrictedSshCommands DoubleLockEnabled = $restResponse.isDoubleLock DoubleLockId = if ($restResponse.doubleLockId -eq -1) { $null } else { $restResponse.doubleLockId } InheritsPermissions = $restResponse.enableInheritPermissions InheritsSecretPolicy = if ($restResponse.enableInheritSecretPolicy -eq -1) { $null } else { $restResponse.enableInheritSecretPolicy } SiteId = $restResponse.siteId SecretPolicyId = if ($restResponse.secretPolicyId -eq -1) { $null } else { $restResponse.secretPolicyId } HeartbeatStatus = $restResponse.lastHeartBeatStatus HeartbeatDate = [datetime]$restResponse.lastHeartBeatCheck PasswordChangeFailedCount = $restResponse.failedPasswordChangeAttempts PasswordChangeAttempt = [datetime]$restResponse.lastPasswordChangeAttempt TemplateName = $restResponse.secretTemplateName PasswordTypeWebscriptId = if ($restResponse.passwordTypeWebScriptId -eq -1) { $null } else { $restResponse.passwordTypeWebScriptId } } foreach ($itemDetail in $restResponse.items) { $name = $itemDetail.fieldName $value = $itemDetail.itemValue $outSecret.PSObject.Properties.Add([PSNoteProperty]::new($name,$value)) } $properties = $outSecret.PSObject.Properties | Sort-Object Name $final = [PSCustomObject]@{ } foreach ($prop in $properties) { $final.PSObject.Properties.Add([PSNoteProperty]::new($prop.Name,$prop.Value)) } $final } if ($errorResponse) { Write-Warning -Message "Issue retrieving secret [$secret]: $($errorResponse.message)" } if ($restResponse.code) { Write-Warning -Message "Issue retrieving secret [$secret]: $($restResponse.message)" } } } } |