Adding a new Secret with Requires Approval enabled - PowerShell script

Sample script that adds a new Secret with the "Requires Approval for Access" security setting enabled. The example uses the Active Directory Account Secret template and adds one user and one group as approvers. The Secret Server URL and the approver IDs (3 and 10) in the script are placeholders; replace them with values from your own instance, since a wrong approver ID silently grants approval rights to the wrong principal.


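function errorCheck {
    # Aborts the script when a Secret Server web-service result carries errors.
    #   $result - any sswebservice response object; only its Errors member is read.
    # Every error is written to the error stream (the original printed just the
    # first one, to stdout) and the script exits with status 1, so a calling
    # shell or scheduler sees the failure (a bare `exit` reports 0 = success).
    param($result)
    if ($result.Errors.length -gt 0) {
        Write-Error "The following errors were received:"
        foreach ($err in $result.Errors) {
            Write-Error $err
        }
        exit 1
    }
}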

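function findFieldId {
    # Returns the Id of the template field whose DisplayName equals $name.
    #   $template - a Secret template object exposing a Fields collection
    #   $name     - the field's DisplayName, compared case-insensitively (-eq)
    # Exits with status 1 when nothing matches; the original used a bare `exit`
    # (status 0) and, on duplicate display names, emitted more than one Id,
    # which would desynchronise the field/value arrays passed to AddSecret.
    param($template, [string]$name)
    $hits = @($template.Fields | Where-Object { $_.DisplayName -eq $name })
    if ($hits.Count -lt 1) {
        Write-Error "No matching field ID was found for '$name'."
        exit 1
    }
    return $hits[0].Id
}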

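function findTemplate {
    # Returns the Secret template whose Name exactly equals $templateType.
    # Reads $proxy and $token from the calling scope (set in CreateNewSecret).
    # Exits with status 1 when no template matches. The original only tested
    # whether the template *list* was empty, so an unknown template name fell
    # through, returned nothing, and AddSecret was later called with a null
    # template Id.
    param($templateType)
    $result_temp = $proxy.GetSecretTemplates($token)
    errorCheck $result_temp
    $hits = @($result_temp.SecretTemplates | Where-Object { $_.Name -eq $templateType })
    if ($hits.Count -lt 1) {
        Write-Error "No matching Secret template was found for '$templateType'."
        exit 1
    }
    return $hits[0]
}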

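function findFolderId {
    # Resolves $folderName to a folder Id via SearchFolders.
    # Reads $proxy and $token from the calling scope (set in CreateNewSecret).
    # SearchFolders is a search, so it may return several folders; the first
    # one is used, as in the original, but the caller is now warned when the
    # name was ambiguous. NOTE(review): folder placement presumably governs who
    # can see the new secret, so landing in the wrong folder is a security
    # problem — confirm the match against your folder tree before relying on it.
    # Exits with status 1 when no folder matched; the original returned $null
    # in that case and AddSecret ran with no folder Id.
    param($folderName)
    $result_folder = $proxy.SearchFolders($token, $folderName)
    errorCheck $result_folder
    $folders = @($result_folder.Folders | Where-Object { $null -ne $_ })
    if ($folders.Count -lt 1) {
        Write-Error "No folder matching '$folderName' was found."
        exit 1
    }
    if ($folders.Count -gt 1) {
        Write-Warning "SearchFolders returned $($folders.Count) folders for '$folderName'; using the first (Id $($folders[0].Id))."
    }
    return $folders[0].Id
}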

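function CreateNewSecret {
    # Creates a Secret from $newTemplate in folder $newFolder, then enables
    # "Requires Approval for Access" on it with one user and one group as
    # approvers. Generates a password through the web service when
    # $newPassword is empty.
    #
    # Parameters:
    #   $newFolder       - folder name handed to SearchFolders (first hit is used)
    #   $newTemplate     - Secret template name (exact match on Name)
    #   $newDomain       - value for the template's "Domain" field
    #   $newUser         - value for the template's "Username" field
    #   $newPassword     - value for "Password"; '' means "generate one"
    #   $approverUserId  - user Id added as approver (default 3, the example value
    #                      the original hard-coded; replace for your instance)
    #   $approverGroupId - group Id added as approver (default 10, likewise)
    #
    # Exits the script (via errorCheck) on any web-service error. Once
    # AddSecret has succeeded the secret exists; a failure after that point
    # leaves it WITHOUT the approval requirement — a warning is printed so the
    # operator can fix or delete it.
    param($newFolder, $newTemplate, $newDomain, $newUser, $newPassword,
          $approverUserId = 3, $approverGroupId = 10)

    # login info
    # Keep this https: Authenticate below carries the password in the SOAP
    # body, so a plain-http endpoint would send it in the clear.
    $url = 'https://yoursecretserverurl/webservices/sswebservice.asmx'
    $username = read-host "Enter your Secret Server username"
    $password = read-host "Password" -AsSecureString
    $proxy = New-WebServiceProxy -uri $url -UseDefaultCredential

    # authenticate to Secret Server
    Write-Host "`nAuthenticating..."
    # The SOAP call needs the password as plain text. It is unwrapped via a
    # BSTR that is zeroed and freed as soon as the call returns; the original
    # never freed it, leaving the clear-text password in unmanaged memory.
    # (The managed string cannot be scrubbed; dropping the reference is the
    # best PowerShell can do.)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
    try {
        $plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        # The last two arguments are passed empty exactly as in the original;
        # their meaning is not visible here — check the sswebservice docs.
        $result_auth = $proxy.Authenticate($username, $plainPassword, '', '')
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plainPassword = $null
    }
    errorCheck $result_auth
    Write-Host "Authentication Successful."

    # obtain token
    $token = $result_auth.Token

    $template = findTemplate $newTemplate

    # if no password is provided, generate a new password
    if ($newPassword.length -lt 1) {
        Write-Host "`nNo password provided: generating a new password..."
        $pwdId = (findFieldId $template "Password")
        $result_pwd = $proxy.GeneratePassword($token, $pwdId)
        errorCheck $result_pwd
        $newPassword = $result_pwd.GeneratedPassword
    }

    # ensure you are including ALL Secret fields here, even if they are empty;
    # the two arrays are positional and must stay the same length and order
    $secretItemFields = ((findFieldId $template "Domain"), (findFieldId $template "Username"), (findFieldId $template "Password"), (findFieldId $template "Notes"), (findFieldId $template "Server"))
    $secretItemValues = ($newDomain, $newUser, $newPassword, "", "")

    $folderId = findFolderId $newFolder

    $secretName = $newDomain + "\" + $newUser

    $result_add = $proxy.AddSecret($token, $template.Id, $secretName, $secretItemFields, $secretItemValues, $folderId)

    errorCheck $result_add

    Write-Host "`nSecret $secretName has been created."

    $updateSecret = $result_add.secret

    Write-Host "`nEnabling Requires Approval for Access..."

    # set IsChangeToSettings to be true to put changes in effect
    $updateSecret.SecretSettings.IsChangeToSettings = $true

    # enable request approval and specify approver(s)
    $updateSecret.SecretSettings.RequiresApprovalForAccess = $true

    # The approver record type is generated by New-WebServiceProxy; pull it off
    # the proxy's UpdateSecretPermission signature rather than naming it.
    $type = $proxy.GetType().GetMethod("UpdateSecretPermission").GetParameters()[2].ParameterType.FullName

    $userRecord1 = New-Object -TypeName $type
    $userRecord2 = New-Object -TypeName $type

    $userRecord1.UserId = $approverUserId
    $userRecord1.GroupId = $null
    $userRecord1.IsUser = $true
    $userRecord2.UserId = $null
    $userRecord2.GroupId = $approverGroupId
    $userRecord2.IsUser = $false

    $updateSecret.SecretSettings.Approvers = @($userRecord1, $userRecord2)

    $result_update = $proxy.UpdateSecret($token, $updateSecret)
    if ($result_update.Errors.length -gt 0) {
        # The secret already exists; say so before errorCheck terminates the script.
        Write-Warning "Secret $secretName was created but Requires Approval could NOT be enabled; fix it manually or delete the secret."
    }
    errorCheck $result_update

    Write-Host "Require Approval enabled.`n"
    return
}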

# New account details: destination folder, template type, and the account itself.
$newFolder   = 'Server Accounts'
$newTemplate = 'Active Directory Account'
$newDomain   = 'mydomain.local'
$newUser     = 'Jane Doe'
# An empty password asks Secret Server to generate one (see CreateNewSecret).
$newPassword = ''

CreateNewSecret -newFolder $newFolder -newTemplate $newTemplate -newDomain $newDomain -newUser $newUser -newPassword $newPassword

Article ID: 408, Created On: 3/17/2014, Modified: 3/17/2014
