
Register a Secret Vault.
Register a Secret Vault, which is defined by either custom logic or using the SecretManagement module.
The unique friendly Name of the Secret Vault within Pode.
.PARAMETER VaultParameters
A hashtable of extra parameters that should be supplied to either the SecretManagement module, or custom scriptblocks.
.PARAMETER UnlockSecret
An optional Secret to be used to unlock the Secret Vault if need.
.PARAMETER UnlockSecureSecret
An optional Secret, as a SecureString, to be used to unlock the Secret Vault if need.
.PARAMETER UnlockInterval
An optional number of minutes that Pode will periodically check/unlock the Secret Vault. (Default: 0)
If supplied, the Secret Vault will not be unlocked after registration. To unlock you'll need to call Unlock-PodeSecretVault.
An optional number of minutes that Secrets should be cached for. (Default: 0)
.PARAMETER InitScriptBlock
An optional scriptblock to run before the Secret Vault is registered, letting you initialise any connection, contexts, etc.
For SecretManagement module Secret Vaults, you can use thie parameter to specify the actual Vault name, and use the above Name parameter as a more friendly name if required.
For SecretManagement module Secret Vaults, this is the name/path of the extension module to be used.
.PARAMETER ScriptBlock
For custom Secret Vaults, this is a scriptblock used to read the Secret from the Vault.
.PARAMETER UnlockScriptBlock
For custom Secret Vaults, this is an optional scriptblock used to unlock the Secret Vault.
.PARAMETER RemoveScriptBlock
For custom Secret Vaults, this is an optional scriptblock used to remove a Secret from the Vault.
.PARAMETER SetScriptBlock
For custom Secret Vaults, this is an optional scriptblock used to create/update a Secret in the Vault.
.PARAMETER UnregisterScriptBlock
For custom Secret Vaults, this is an optional scriptblock used unregister the Secret Vault with any custom clean-up logic.
Register-PodeSecretVault -Name 'VaultName' -ModuleName 'Az.KeyVault' -VaultParameters @{ AZKVaultName = $name; SubscriptionId = $subId }
Register-PodeSecretVault -Name 'VaultName' -VaultParameters @{ Address = '' } -ScriptBlock { ... }

function Register-PodeSecretVault {
        [Parameter(Mandatory = $true)]




        $UnlockInterval = 0,


        $CacheTtl = 0, # in minutes


        [Parameter(ParameterSetName = 'SecretManagement')]

        [Parameter(Mandatory = $true, ParameterSetName = 'SecretManagement')]

        [Parameter(Mandatory = $true, ParameterSetName = 'Custom')]
        $ScriptBlock, # Read a secret

        [Parameter(ParameterSetName = 'Custom')]

        [Parameter(ParameterSetName = 'Custom')]

        [Parameter(ParameterSetName = 'Custom')]

        [Parameter(ParameterSetName = 'Custom')]

    # has the vault already been registered?
    if (Test-PodeSecretVault -Name $Name) {
        $autoImported = [string]::Empty
        if ($PodeContext.Server.Secrets.Vaults[$Name].AutoImported) {
            $autoImported = ' from auto-importing'

        throw "A Secret Vault with the name '$($Name)' has already been registered$($autoImported)"

    # base vault config
    if (![string]::IsNullOrEmpty($UnlockSecret)) {
        $UnlockSecureSecret = $UnlockSecret | ConvertTo-SecureString -AsPlainText -Force

    $vault = @{
        Name         = $Name
        Type         = $PSCmdlet.ParameterSetName.ToLowerInvariant()
        Parameters   = $VaultParameters
        AutoImported = $false
        LockableName = "__Pode_SecretVault_$($Name)__"
        Unlock       = @{
            Secret   = $UnlockSecureSecret
            Expiry   = $null
            Interval = $UnlockInterval
            Enabled  = (!(Test-PodeIsEmpty $UnlockSecureSecret))
        Cache        = @{
            Ttl     = $CacheTtl
            Enabled = ($CacheTtl -gt 0)

    # initialise the secret vault
    if ($null -ne $InitScriptBlock) {
        $vault | Initialize-PodeSecretVault -ScriptBlock $InitScriptBlock

    # set vault config depending on vault type
    switch ($vault.Type) {
        'custom' {
            $vault | Register-PodeSecretCustomVault `
                -ScriptBlock $ScriptBlock `
                -UnlockScriptBlock $UnlockScriptBlock `
                -RemoveScriptBlock $RemoveScriptBlock `
                -SetScriptBlock $SetScriptBlock `
                -UnregisterScriptBlock $UnregisterScriptBlock

        'secretmanagement' {
            $vault | Register-PodeSecretManagementVault `
                -VaultName $VaultName `
                -ModuleName $ModuleName

    # create timer to clear cached secrets every minute

    # create a lockable so secrets are thread safe
    New-PodeLockable -Name $vault.LockableName

    # add vault config to context
    $PodeContext.Server.Secrets.Vaults[$Name] = $vault

    # unlock the vault?
    if (!$NoUnlock -and $vault.Unlock.Enabled) {
        Unlock-PodeSecretVault -Name $Name

Unregister a Secret Vault.
Unregister a Secret Vault. If the Vault was via the SecretManagement module it will also be unregistered there as well.
The Name of the Secret Vault in Pode to unregister.
Unregister-PodeSecretVault -Name 'VaultName'

function Unregister-PodeSecretVault {
        [Parameter(Mandatory = $true)]

    # has the vault been registered?
    if (!(Test-PodeSecretVault -Name $Name)) {

    # get vault
    $vault = $PodeContext.Server.Secrets.Vaults[$Name]

    # unlock depending on vault type, and set expiry
    switch ($vault.Type) {
        'custom' {
            $vault | Unregister-PodeSecretCustomVault

        'secretmanagement' {
            $vault | Unregister-PodeSecretManagementVault

    # unregister from Pode
    $null = $PodeContext.Server.Secrets.Vaults.Remove($Name)

Unlock the Secret Vault.
Unlock the Secret Vault.
The Name of the Secret Vault in Pode to be unlocked.
Unlock-PodeSecretVault -Name 'VaultName'

function Unlock-PodeSecretVault {
        [Parameter(Mandatory = $true)]

    # has the vault been registered?
    if (!(Test-PodeSecretVault -Name $Name)) {
        throw "No Secret Vault with the name '$($Name)' has been registered"

    # get vault
    $vault = $PodeContext.Server.Secrets.Vaults[$Name]
    $expiry = $null

    # is unlocking even enabled?
    if (!$vault.Unlock.Enabled) {

    # unlock depending on vault type, and set expiry
    $expiry = Lock-PodeObject -Name $vault.LockableName -Return -ScriptBlock {
        switch ($vault.Type) {
            'custom' {
                return ($vault | Unlock-PodeSecretCustomVault)

            'secretmanagement' {
                return ($vault | Unlock-PodeSecretManagementVault)

    # if we have an expiry returned, set to UTC and configure unlock schedule
    if ($null -ne $expiry) {
        $expiry = ([datetime]$expiry).ToUniversalTime()
        if ($expiry -le [datetime]::UtcNow) {
            throw "Secret Vault unlock expiry date is in the past (UTC): $($expiry)"

        $vault.Unlock.Expiry = $expiry

Fetches and returns information of a Secret Vault.
Fetches and returns information of a Secret Vault.
The Name(s) of a Secret Vault to retrieve.
$vault = Get-PodeSecretVault -Name 'VaultName'
$vaults = Get-PodeSecretVault -Name 'VaultName1', 'VaultName2'

function Get-PodeSecretVault {
        [Parameter(Mandatory = $true)]

    $vaults = $PodeContext.Server.Secrets.Vaults.Values

    # further filter by vault names
    if (($null -ne $Name) -and ($Name.Length -gt 0)) {
        $vaults = @(foreach ($_name in $Name) {
                foreach ($vault in $vaults) {
                    if ($vault.Name -ine $_name) {


    # return
    return $vaults

Tests if a Secret Vault has been registered.
Tests if a Secret Vault has been registered.
The Name of the Secret Vault to test.
if (Test-PodeSecretVault -Name 'VaultName') { ... }

function Test-PodeSecretVault {
        [Parameter(Mandatory = $true)]

    return (($null -ne $PodeContext.Server.Secrets.Vaults) -and $PodeContext.Server.Secrets.Vaults.ContainsKey($Name))

Mount a Secret from a Secret Vault.
Mount a Secret from a Secret Vault, so it can be more easily referenced and support caching.
A unique friendly Name for the Secret.
The friendly name of the Secret Vault this Secret can be found in.
An optional array of Properties to be returned if the Secret contains multiple properties.
.PARAMETER ExpandProperty
An optional Property to be expanded from the Secret and return if it contains multiple properties.
The Key/Path of the Secret within the Secret Vault.
.PARAMETER ArgumentList
An optional array of Arguments to be supplied to a custom Secret Vault's scriptblocks.
An optional number of minutes to Cache the Secret's value for. You can use this parameter to override the Secret Vault's value. (Default: -1)
If the value is -1 it uses the Secret Vault's CacheTtl. A value of 0 is to disable caching for this Secret. A value >0 overrides the Secret Vault.
Mount-PodeSecret -Name 'SecretName' -Vault 'VaultName' -Key 'path/to/secret' -ExpandProperty 'foo'
Mount-PodeSecret -Name 'SecretName' -Vault 'VaultName' -Key 'key_of_secret' -CacheTtl 5

function Mount-PodeSecret {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]



        [Parameter(Mandatory = $true)]


        # in minutes (-1 means use the vault default, 0 is off, anything higher than 0 is an override)
        $CacheTtl = -1

    # has the secret been mounted already?
    if (Test-PodeSecret -Name $Name) {
        throw "A Secret with the name '$($Name)' has already been mounted"

    # does the vault exist?
    if (!(Test-PodeSecretVault -Name $Vault)) {
        throw "No Secret Vault with the name '$($Vault)' has been registered"

    # check properties
    if (!(Test-PodeIsEmpty $Property) -and !(Test-PodeIsEmpty $ExpandProperty)) {
        throw 'You can only provide one of either Property or ExpandPropery, but not both'

    # which cache value?
    if ($CacheTtl -lt 0) {
        $CacheTtl = [int]$PodeContext.Server.Secrets.Vaults[$Vault].Cache.Ttl

    # mount secret reference
    $props = $Property
    if (![string]::IsNullOrWhiteSpace($ExpandProperty)) {
        $props = $ExpandProperty

    $PodeContext.Server.Secrets.Keys[$Name] = @{
        Key        = $Key
        Properties = @{
            Fields  = $props
            Expand  = (![string]::IsNullOrWhiteSpace($ExpandProperty))
            Enabled = (!(Test-PodeIsEmpty $props))
        Vault      = $Vault
        Arguments  = $ArgumentList
        Cache      = @{
            Ttl     = $CacheTtl
            Enabled = ($CacheTtl -gt 0)

Dismount a previously mounted Secret.
Dismount a previously mounted Secret.
The friendly Name of the Secret.
If supplied, the Secret will also be removed from the Secret Vault as well.
Dismount-PodeSecret -Name 'SecretName'
Dismount-PodeSecret -Name 'SecretName' -Remove

function Dismount-PodeSecret {
        [Parameter(Mandatory = $true)]


    # do nothing if the secret hasn't been mounted, unless Remove is specified
    if (!(Test-PodeSecret -Name $Name)) {
        if ($Remove) {
            throw "No Secret with the name '$($Name)' has been mounted to be removed from a Secret Vault"


    # if "remove" switch passed, remove the secret from the vault as well
    if ($Remove) {
        $secret = $PodeContext.Server.Secrets.Keys[$Name]
        Remove-PodeSecret -Key $secret.Key -Vault $secret.Vault -ArgumentList $secret.Arguments

    # remove reference
    $null = $PodeContext.Server.Secrets.Keys.Remove($Name)

Retrieve the value of a mounted Secret.
Retrieve the value of a mounted Secret from a Secret Vault. You can also use "$value = $secret:<NAME>" syntax in certain places.
The friendly Name of a Secret.
$value = Get-PodeSecret -Name 'SecretName'
$value = $secret:SecretName

function Get-PodeSecret {
        [Parameter(Mandatory = $true)]

    # has the secret been mounted?
    if (!(Test-PodeSecret -Name $Name)) {
        throw "No Secret with the name '$($Name)' has been mounted"

    # get the secret and vault
    $secret = $PodeContext.Server.Secrets.Keys[$Name]

    # is the value cached?
    if ($secret.Cache.Enabled -and ($null -ne $secret.Cache.Expiry) -and ($secret.Cache.Expiry -gt [datetime]::UtcNow)) {
        return $secret.Cache.Value

    # fetch the secret depending on vault type
    $vault = $PodeContext.Server.Secrets.Vaults[$secret.Vault]
    $value = Lock-PodeObject -Name $vault.LockableName -Return -ScriptBlock {
        switch ($vault.Type) {
            'custom' {
                return Get-PodeSecretCustomKey -Vault $secret.Vault -Key $secret.Key -ArgumentList $secret.Arguments

            'secretmanagement' {
                return Get-PodeSecretManagementKey -Vault $secret.Vault -Key $secret.Key

    # filter the value by any properties
    if ($secret.Properties.Enabled) {
        if ($secret.Properties.Expand) {
            $value = Select-Object -InputObject $value -ExpandProperty $secret.Properties.Fields
        else {
            $value = Select-Object -InputObject $value -Property $secret.Properties.Fields

    # cache the value if needed
    if ($secret.Cache.Enabled) {
        $secret.Cache.Value = $value
        $secret.Cache.Expiry = [datetime]::UtcNow.AddMinutes($secret.Cache.Ttl)

    # return value
    return $value

Test if a Secret has been mounted.
Test if a Secret has been mounted.
The friendly Name of a Secret.
if (Test-PodeSecret -Name 'SecretName') { ... }

function Test-PodeSecret {
        [Parameter(Mandatory = $true)]

    return (($null -ne $PodeContext.Server.Secrets.Keys) -and $PodeContext.Server.Secrets.Keys.ContainsKey($Name))

Update the value of a mounted Secret.
Update the value of a mounted Secret in a Secret Vault. You can also use "$secret:<NAME> = $value" syntax in certain places.
The friendly Name of a Secret.
.PARAMETER InputObject
The value to use when updating the Secret.
Only the following object types are supported: byte[], string, securestring, pscredential, hashtable.
An optional Metadata hashtable.
Update-PodeSecret -Name 'SecretName' -InputObject @{ key = value }
Update-PodeSecret -Name 'SecretName' -InputObject 'value'
$secret:SecretName = 'value'

function Update-PodeSecret {
        [Parameter(Mandatory = $true)]

        #> byte[], string, securestring, pscredential, hashtable
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]


    # has the secret been mounted?
    if (!(Test-PodeSecret -Name $Name)) {
        throw "No Secret with the name '$($Name)' has been mounted"

    # make sure the value type is correct
    $InputObject = Protect-PodeSecretValueType -Value $InputObject

    # get the secret and vault
    $secret = $PodeContext.Server.Secrets.Keys[$Name]

    # reset the cache if enabled
    if ($secret.Cache.Enabled) {
        $secret.Cache.Value = $InputObject
        $secret.Cache.Expiry = [datetime]::UtcNow.AddMinutes($secret.Cache.Ttl)

    # if we're expanding a property, convert this to a hashtable
    if ($secret.Properties.Enabled -and $secret.Properties.Expand) {
        $InputObject = @{
            "$($secret.Properties.Fields)" = $InputObject

    # set the secret depending on vault type
    $vault = $PodeContext.Server.Secrets.Vaults[$secret.Vault]
    Lock-PodeObject -Name $vault.LockableName -ScriptBlock {
        switch ($vault.Type) {
            'custom' {
                Set-PodeSecretCustomKey -Vault $secret.Vault -Key $secret.Key -Value $InputObject -Metadata $Metadata -ArgumentList $secret.Arguments

            'secretmanagement' {
                Set-PodeSecretManagementKey -Vault $secret.Vault -Key $secret.Key -Value $InputObject -Metadata $Metadata

Remove a Secret from a Secret Vault.
Remove a Secret from a Secret Vault. To remove a mounted Secret, you can pass the Remove switch to Dismount-PodeSecret.
The Key/Path of the Secret within the Secret Vault.
The friendly name of the Secret Vault this Secret can be found in.
.PARAMETER ArgumentList
An optional array of Arguments to be supplied to a custom Secret Vault's scriptblocks.
Remove-PodeSecret -Key 'path/to/secret' -Vault 'VaultName'

function Remove-PodeSecret {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]


    # has the vault been registered?
    if (!(Test-PodeSecretVault -Name $Vault)) {
        throw "No Secret Vault with the name '$($Vault)' has been registered"

    # remove the secret depending on vault type
    $_vault = $PodeContext.Server.Secrets.Vaults[$Vault]
    Lock-PodeObject -Name $_vault.LockableName -ScriptBlock {
        switch ($_vault.Type) {
            'custom' {
                Remove-PodeSecretCustomKey -Vault $Vault -Key $Key -ArgumentList $ArgumentList

            'secretmanagement' {
                Remove-PodeSecretManagementKey -Vault $Vault -Key $Key

Read a Secret from a Secret Vault.
Read a Secret from a Secret Vault.
The Key/Path of the Secret within the Secret Vault.
The friendly name of the Secret Vault this Secret can be found in.
An optional array of Properties to be returned if the Secret contains multiple properties.
.PARAMETER ExpandProperty
An optional Property to be expanded from the Secret and return if it contains multiple properties.
.PARAMETER ArgumentList
An optional array of Arguments to be supplied to a custom Secret Vault's scriptblocks.
$value = Read-PodeSecret -Key 'path/to/secret' -Vault 'VaultName'
$value = Read-PodeSecret -Key 'key_of_secret' -Vault 'VaultName' -Property prop1, prop2

function Read-PodeSecret {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]




    # has the vault been registered?
    if (!(Test-PodeSecretVault -Name $Vault)) {
        throw "No Secret Vault with the name '$($Vault)' has been registered"

    # fetch the secret depending on vault type
    $_vault = $PodeContext.Server.Secrets.Vaults[$Vault]
    $value = Lock-PodeObject -Name $_vault.LockableName -Return -ScriptBlock {
        switch ($_vault.Type) {
            'custom' {
                return Get-PodeSecretCustomKey -Vault $Vault -Key $Key -ArgumentList $ArgumentList

            'secretmanagement' {
                return Get-PodeSecretManagementKey -Vault $Vault -Key $Key

    # filter the value by any properties
    if (![string]::IsNullOrWhiteSpace($ExpandProperty)) {
        $value = Select-Object -InputObject $value -ExpandProperty $ExpandProperty
    elseif (![string]::IsNullOrEmpty($Property)) {
        $value = Select-Object -InputObject $value -Property $Property

    # return value
    return $value

Create/update a Secret in a Secret Vault.
Create/update a Secret in a Secret Vault.
The Key/Path of the Secret within the Secret Vault.
The friendly name of the Secret Vault this Secret should be created in.
.PARAMETER InputObject
The value to use when updating the Secret.
Only the following object types are supported: byte[], string, securestring, pscredential, hashtable.
An optional Metadata hashtable.
.PARAMETER ArgumentList
An optional array of Arguments to be supplied to a custom Secret Vault's scriptblocks.
Set-PodeSecret -Key 'path/to/secret' -Vault 'VaultName' -InputObject 'value'
Set-PodeSecret -Key 'key_of_secret' -Vault 'VaultName' -InputObject @{ key = value }

function Set-PodeSecret {
        [Parameter(Mandatory = $true)]

        [Parameter(Mandatory = $true)]

        #> byte[], string, securestring, pscredential, hashtable
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]



    # has the vault been registered?
    if (!(Test-PodeSecretVault -Name $Vault)) {
        throw "No Secret Vault with the name '$($Vault)' has been registered"

    # make sure the value type is correct
    $InputObject = Protect-PodeSecretValueType -Value $InputObject

    # set the secret depending on vault type
    $_vault = $PodeContext.Server.Secrets.Vaults[$Vault]
    Lock-PodeObject -Name $_vault.LockableName -ScriptBlock {
        switch ($_vault.Type) {
            'custom' {
                Set-PodeSecretCustomKey -Vault $Vault -Key $Key -Value $InputObject -Metadata $Metadata -ArgumentList $ArgumentList

            'secretmanagement' {
                Set-PodeSecretManagementKey -Vault $Vault -Key $Key -Value $InputObject -Metadata $Metadata