On Premise Engine Secret Storage Options

There are multiple options for storing the secrets used by the SigParser On Premise Engine, ranked here from easiest to most complicated.

appsettings.json (Easiest)

This option is fine for most organizations as long as the machine itself is secured. The appsettings.json template is already set up for this.

secrets.json

You can keep your secrets.json on a path that is accessible to the application. You'll need to create an environment variable called ON_PREM_SECRETS_FILE_LOCATION with the full path to the secrets.json file.

For example:

C:/secure/secrets.json

Example File:

{
  "Office365": {
    "ClientSecret": "??????????????????????????????"
  }
}
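An added PowerShell example (not SigParser's own code) that writes the secrets.json shown above, restricts the file to the account the Engine runs as, and sets ON_PREM_SECRETS_FILE_LOCATION machine-wide. The service account name and file path are assumptions; replace them with your own.

```powershell
# Added example: create secrets.json, lock its ACL down, and point the Engine at it.
# Assumptions: the Engine runs as $serviceAccount and the file lives at $secretsPath.
$secretsPath    = 'C:\secure\secrets.json'
$serviceAccount = 'DOMAIN\svc-sigparser'   # assumed service account; change to yours

# Prompt for the value so it never lands in shell history or inside this script.
$secure = Read-Host -AsSecureString 'Enter the Office365 ClientSecret'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

New-Item -ItemType Directory -Path (Split-Path $secretsPath) -Force | Out-Null
@{ Office365 = @{ ClientSecret = $plain } } |
    ConvertTo-Json -Depth 3 |
    Set-Content -Path $secretsPath -Encoding UTF8

# Replace inherited permissions with an explicit list: SYSTEM and Administrators
# keep full control, the service account gets read-only, nobody else has access.
$acl = Get-Acl -Path $secretsPath
$acl.SetAccessRuleProtection($true, $false)    # stop inheriting, drop inherited ACEs
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
$grants = @{
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
    'BUILTIN\Administrators' = 'FullControl'
    $serviceAccount          = 'Read'
}
foreach ($id in $grants.Keys) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $id, $grants[$id], 'Allow'))
}
Set-Acl -Path $secretsPath -AclObject $acl

# Machine scope so the Engine sees the variable no matter which account starts it.
[Environment]::SetEnvironmentVariable('ON_PREM_SECRETS_FILE_LOCATION', $secretsPath, 'Machine')

# Verify: only the identities listed above should appear.
(Get-Acl -Path $secretsPath).Access | Select-Object IdentityReference, FileSystemRights
```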

Environment Variable

You can also supply the ClientSecret as an environment variable. For the Office365 client secret, name the variable

Office365.ClientSecret

Windows Credential Manager

First, create a stored credential in Windows Credential Manager. Credential Manager is per-user, so run this as the account the scheduled task will run under; otherwise the task will not find the credential.

# Ensure the module is installed
if (-not (Get-Module -ListAvailable -Name CredentialManager)) {
    Install-Module -Name CredentialManager -Scope CurrentUser -Force
}

Import-Module CredentialManager

# Define your values
$targetName = "ClientSecret"
$username = "dummy" # Required, but not used in this case
$password = Read-Host -AsSecureString "Enter the ClientSecret value"

# Save the credential. Read-Host -AsSecureString returns a SecureString, so it must be
# passed to -SecurePassword; giving it to the plain-string -Password parameter would
# store the literal text "System.Security.SecureString" instead of the secret.
New-StoredCredential -Target $targetName `
    -UserName $username `
    -SecurePassword $password `
    -Persist LocalMachine `
    -Type Generic | Out-Null

Write-Host "Credential '$targetName' stored successfully."

Then create a PowerShell script (.ps1) on the server that the Task Scheduler will run to invoke the EmailFetcher, passing the secret value as a command-line argument. Command-line arguments are visible to administrators and process-inspection tools on that machine, so this option keeps the secret out of files on disk but still depends on the server being locked down.

# Ensure CredentialManager module is installed
if (-not (Get-Module -ListAvailable -Name CredentialManager)) {
    try {
        Write-Host "Installing CredentialManager module..."
        Install-Module -Name CredentialManager -Scope CurrentUser -Force -ErrorAction Stop
    } catch {
        Write-Error "Failed to install CredentialManager module: $_"
        exit 1
    }
}

Import-Module CredentialManager -ErrorAction Stop

# Fetch the credential from Windows Credential Manager
try {
    $credential = Get-StoredCredential -Target "ClientSecret"

    if ($null -eq $credential) {
        Write-Error "Credential 'ClientSecret' not found in Windows Credential Manager."
        exit 1
    }

    # Get-StoredCredential returns a PSCredential whose .Password is a SecureString;
    # interpolating that into a string would give "System.Security.SecureString",
    # so unwrap it to the plain text the command line needs.
    $clientSecret = $credential.GetNetworkCredential().Password

    # Run the executable with the secret
    $processInfo = New-Object System.Diagnostics.ProcessStartInfo
    $processInfo.FileName = "EmailFetcher.exe"
    $processInfo.Arguments = "--Office365:ClientSecret `"$clientSecret`""
    $processInfo.RedirectStandardOutput = $true
    $processInfo.RedirectStandardError = $true
    $processInfo.UseShellExecute = $false
    $processInfo.CreateNoWindow = $true

    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $processInfo

    $process.Start() | Out-Null
    # Read stderr asynchronously while draining stdout; reading both pipes
    # synchronously one after the other can deadlock if the child fills the
    # pipe we are not currently reading.
    $stderrTask = $process.StandardError.ReadToEndAsync()
    $stdout = $process.StandardOutput.ReadToEnd()
    $stderr = $stderrTask.Result
    $process.WaitForExit()

    Write-Output $stdout
    if ($stderr) {
        Write-Error $stderr
    }

    exit $process.ExitCode
}
catch {
    Write-Error "An error occurred: $_"
    exit 1
}

Azure Key Vault with PowerShell

  1. Create an Azure Key Vault

  2. Add a secret (not a key) to the Key Vault containing the Client Secret; the script below reads it with Get-AzKeyVaultSecret

  3. Create a PowerShell script (.ps1) on the server that the Task Scheduler will run to invoke the EmailFetcher, passing the secret as a command-line argument.

# Define variables
$vaultName = "YourKeyVaultName"
$secretName = "ClientSecret"
$emailFetcherPath = "C:\Path\To\EmailFetcher.exe"

# Ensure the Az modules this script needs (Az.Accounts for login, Az.KeyVault for secrets)
try {
    if (-not (Get-Module -ListAvailable -Name Az.KeyVault)) {
        Install-Module -Name Az -Scope CurrentUser -Force -ErrorAction Stop
    }
    Import-Module Az.Accounts, Az.KeyVault -ErrorAction Stop
} catch {
    Write-Error "Failed to import/install Az PowerShell module: $_"
    exit 100
}

# Azure login. Connect-AzAccount with no parameters prompts interactively, which a
# scheduled task cannot answer; for unattended runs sign in with a non-interactive
# identity instead (for example Connect-AzAccount -Identity on a machine that has a
# managed identity).
try {
    if (-not (Get-AzContext)) {
        Connect-AzAccount -ErrorAction Stop
    }
} catch {
    Write-Error "Azure login failed: $_"
    exit 101
}

# Fetch secret. The SecretValueText property was removed in Az.KeyVault 2.0;
# -AsPlainText returns the secret value as a string instead.
try {
    $clientSecret = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName `
        -AsPlainText -ErrorAction Stop
    if ([string]::IsNullOrEmpty($clientSecret)) {
        throw "secret is empty or does not exist"
    }
} catch {
    Write-Error "Failed to retrieve secret '$secretName' from Key Vault '$vaultName': $_"
    exit 102
}

# Build command args
$arguments = "--Office365:ClientSecret `"$clientSecret`""

# Start process with redirected output
try {
    $startInfo = New-Object System.Diagnostics.ProcessStartInfo
    $startInfo.FileName = $emailFetcherPath
    $startInfo.Arguments = $arguments
    $startInfo.RedirectStandardOutput = $true
    $startInfo.RedirectStandardError = $true
    $startInfo.UseShellExecute = $false
    $startInfo.CreateNoWindow = $true

    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $startInfo
    $process.Start() | Out-Null

    # Drain stderr asynchronously while reading stdout to avoid a pipe deadlock
    $stderrTask = $process.StandardError.ReadToEndAsync()
    $stdout = $process.StandardOutput.ReadToEnd()
    $stderr = $stderrTask.Result

    $process.WaitForExit()
    $exitCode = $process.ExitCode

    if ($stdout) {
        Write-Host "=== STDOUT ==="
        Write-Host $stdout
    }
    if ($stderr) {
        Write-Host "=== STDERR ==="
        Write-Host $stderr
    }

    exit $exitCode
} catch {
    Write-Error "Failed to run EmailFetcher.exe: $_"
    exit 103
}
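Steps 1 and 2 above as an added PowerShell example (not SigParser's own code): it creates the vault, stores the client secret as a Key Vault secret, and grants the identity the scheduled task runs under read-only access to secrets. The resource group, region and the object id of that identity are placeholders to replace.

```powershell
# Added example for the one-time setup an administrator performs.
# Assumptions: $resourceGroup, $location and $serverObjectId are placeholders.
$resourceGroup  = 'rg-sigparser'                         # assumed
$vaultName      = 'YourKeyVaultName'                     # same placeholder as the fetch script
$location       = 'eastus'                               # assumed
$secretName     = 'ClientSecret'
$serverObjectId = '<object-id-of-managed-identity-or-service-principal>'

Connect-AzAccount | Out-Null   # interactive is fine here; this runs once, by an admin

if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# Step 1: the vault. Purge protection prevents a deleted vault or secret from being
# destroyed immediately, which matters for a secret the Engine depends on.
New-AzKeyVault -Name $vaultName -ResourceGroupName $resourceGroup `
    -Location $location -EnablePurgeProtection | Out-Null

# Step 2: store the value as a *secret* (not a key); the fetch script reads it with
# Get-AzKeyVaultSecret. Prompt for it so it never sits in this script or shell history.
$value = Read-Host -AsSecureString 'Enter the Office365 ClientSecret'
Set-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $value | Out-Null

# Least privilege: the task's identity only needs 'get' on secrets, nothing on keys,
# certificates or secret management operations.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $serverObjectId `
    -PermissionsToSecrets get

# Verify the secret exists and is enabled (metadata only; the value is not printed).
Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName |
    Select-Object Name, Version, Enabled, Updated
```

From the server, the same Get-AzKeyVaultSecret call should succeed once the task signs in as that identity, and fail if run as anything else.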
