
[HOW TO] Use an OAuth2 application and PowerShell to programmatically get the contents of a secret

11 April,19 at 11:51 AM

Centrify Infrastructure Services (Privileged Access Service) can store secrets. These secrets can be free-form text or files (currently up to 5 MB in size).


There will be use cases where the contents of these secrets need to be accessed programmatically, e.g. from inside an application or as part of orchestration/DevOps processes.


This article describes how to configure an OAuth2 app, using Centrify's OAuth2 authorization framework, that enables a PowerShell script to obtain the contents of a text-based secret from the Centrify platform.


However, it does not stop there. Using this methodology (OAuth2 apps and scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation may be achieved, including writing objects such as systems, shared accounts and secrets. Pretty much everything that can be done via the portal can be automated or configured programmatically.


Whilst this example is in PowerShell, any compliant code can leverage this methodology (Java, C#, Go etc.). For example, I have Python code to run SQL queries against the Centrify Identity Platform from Linux, but that's for another post.


For more detail on the Centrify Identity Platform APIs see

Bedtime reading on OAuth2:


Create the OAuth2 application and service account


As an administrative user, log in to the admin portal for your Centrify Infrastructure Services Tenant 



Select Apps -> Click Add Web Apps


Select the Custom Tab -> Click OAuth2 Client -> Add



Click Yes to add the application



Close the Add Web Apps Pop Up


Configure the application - Stage 1


Enter a suitable application ID and description. Make a note of the application ID; it is needed later.




Select General Usage 


  1. Under the client ID Type select the Confidential and Must be OAuth Client buttons
  2. Enter your tenant URL in the Issuer field




Select Tokens 


  1. Ensure the token type is JwtRS256 (JWT)
  2. Select Client Creds
  3. Ensure that Auth Code, Implicit and Resource Owner are not selected
  4. Set the Token Lifetime to be short (e.g. 5 minutes)
  5. Ensure Issue refresh tokens is not checked




Select Scope


  1. Ensure User must confirm authorization request is not selected
  2. Under Scope definitions, Click Add




  1. Enter a suitable scope name and description. Make a note of the scope name; it is needed later.
  2. Click Add to define the API endpoints permitted under the scope



  1. Add RedRock/query
  2. Add ServerManage/RetrieveDataVaultItemContents
  3. Click Save


Save the application definition




Configure the application service account - Stage 2


  1. Click General usage
  2. Create a Centrify directory user service account by selecting Click here to create one




Define an associated Centrify Identity Platform Service Account 


  1. Enter a suitable login name
  2. Choose an appropriate suffix for the service account
  3. Make a note of the login name and suffix; these are needed later.
  4. Enter an email address; this is mandatory but is not used (at present)
  5. Enter a suitable display name
  6. Generate a password for the service account and copy/store it temporarily (or save it as a secret); this is needed later.
  7. Ensure Is Oauth confidential client (preview) is checked
  8. Note that Password never expires is greyed out; this is mandatory for the associated OAuth2 service account
  9. Click Create User



Create a Role for the API Service Account


Add the API Service Account to the Role




Save the Role


Search for your OAuth2 app and click on it




Add the Role to your application




Save the application config


Create a test secret - Stage 3


  1. From the Admin portal, select Infrastructure -> Secrets
  2. Click Add Text




  1. Enter a Name, a Description and a Secret. Make a note of the Name; it will be needed later
  2. Click Save



Click on the newly created Secret




Under permissions, Click Add




  1. In the search box, enter the name of the Service account you created in Stage 2
  2. Select the service account from the list
  3. Click Add
  4. Permit the service account to retrieve the secret
  5. Save the permissions setting



Running the PowerShell script 


Base64 encode the service account and password


The OAuth2 application authorizes REST API calls to the endpoints listed in its scope definition. It does this by issuing a bearer token that is subsequently presented on further REST calls. In order to obtain the bearer token, the code must first present a base64-encoded user/password string to the Centrify Identity Platform.


Using the service account, suffix and password noted in Stage 2, generate the base64-encoded string. This can be done in PowerShell using the following command:


$bytes = [System.Text.Encoding]::UTF8.GetBytes("YOUR-SERVICE-ACCOUNT@YOUR-SUFFIX:YOUR-PASSWORD");$base64 = [Convert]::ToBase64String($bytes);Write-Host($base64)



PS C:\Users\kevsmith> $bytes = [System.Text.Encoding]::UTF8.GetBytes("dummyuser@lph:notarealpassword");$base64 = [Convert]::ToBase64String($bytes);Write-Host($base64)



Download the attached cgetsecret.txt file and save it somewhere suitable as cgetsecret.ps1. Note the change of file extension.


Start PowerShell as a regular user and ensure you are in the directory where you saved the script.


Now that you have the base64-encoded string, you can use the script to pull the test secret via the OAuth2 app. The script requires the following parameters:





Using your base64-encoded credentials, your application, your scope and your test secret as noted during the stages above, try a test pull of your secret. If your secret has spaces in its name, surround it with quotes, e.g. 'My Secret'.


Use the -diags switch to get verbose output.




PS C:\Users\kevsmith> .\cgetsecret.ps1 -tenant -credentials xxxxx -app OAuth2CIPS -scope CIPSscope -secret cipsecret
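For readers who want to see what the script is doing on the wire, the following is an added example and is not the attached cgetsecret.ps1. It performs the three calls the procedure above depends on: the client-credentials token request using the base64 string from Stage 2, a RedRock/query lookup of the secret by name, and ServerManage/RetrieveDataVaultItemContents (the two endpoints added to the scope in Stage 1). The token endpoint path, the DataVault table and column names, and the SecretText response field are assumptions taken from my reading of Centrify's API documentation and are not stated in this article; confirm them against -diags output from the real script before relying on them.

```powershell
# Added example, not the attached cgetsecret.ps1: the three REST calls the
# procedure above relies on, saved as e.g. getsecret-example.ps1 (placeholder name).
# ASSUMED (not stated in the article, taken from my reading of Centrify's API docs):
#   - the token endpoint path /oauth2/token/<application ID>
#   - the DataVault table and its ID/SecretName/Type columns in the RedRock query
#   - the Result.SecretText field returned by RetrieveDataVaultItemContents
param(
    [Parameter(Mandatory)][string]$Tenant,       # placeholder, e.g. yourtenant.my.centrify.com
    [Parameter(Mandatory)][string]$Credentials,  # base64 of "user@suffix:password" (see above)
    [Parameter(Mandatory)][string]$App,          # application ID noted in Stage 1
    [Parameter(Mandatory)][string]$Scope,        # scope name noted in Stage 1
    [Parameter(Mandatory)][string]$Secret        # secret name noted in Stage 3
)
$ErrorActionPreference = 'Stop'
$base = "https://$Tenant"

# 1. Client-credentials grant. The base64 string is sent as HTTP Basic auth; it is
#    an encoding of the password, not a protection of it, so handle it as a password.
$tokenResp = Invoke-RestMethod -Method Post -Uri "$base/oauth2/token/$App" `
    -Headers @{ Authorization = "Basic $Credentials" } `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{ grant_type = 'client_credentials'; scope = $Scope }
$auth = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Resolve the secret name to its ID with RedRock/query (first endpoint in the scope).
#    Single quotes in the name are doubled so a name cannot alter the query text.
$safeName = $Secret.Replace("'", "''")
$query = @{ Script = "select ID, SecretName, Type from DataVault where SecretName = '$safeName'" }
$q = Invoke-RestMethod -Method Post -Uri "$base/RedRock/query" -Headers $auth `
    -ContentType 'application/json' -Body ($query | ConvertTo-Json)
if (-not $q.success) { throw "RedRock/query failed: $($q.Message)" }
$rows = @($q.Result.Results)
if ($rows.Count -ne 1) { throw "expected one secret named '$Secret', found $($rows.Count)" }
$row = $rows[0].Row
# Same failure mode as the script's 'unsupported secret type [file]' error.
if ($row.Type -ne 'Text') { throw "unsupported secret type [$($row.Type)]" }

# 3. Retrieve the contents (second endpoint in the scope). A service account without
#    Retrieve permission on the secret gets the 'not authorized' error described below.
$r = Invoke-RestMethod -Method Post -Uri "$base/ServerManage/RetrieveDataVaultItemContents" `
    -Headers $auth -ContentType 'application/json' -Body (@{ ID = $row.ID } | ConvertTo-Json)
if (-not $r.success) { throw "RetrieveDataVaultItemContents failed: $($r.Message)" }
$r.Result.SecretText
```

Invoke it with the same five values as the real script, e.g. .\getsecret-example.ps1 -tenant yourtenant.my.centrify.com -credentials <base64> -app OAuth2CIPS -scope CIPSscope -secret cipsecret. Because the bearer token is only valid for the short lifetime set in Stage 1 and carries only the two scoped endpoints, a leaked token is far less useful than the base64 credential string itself, which is why the credential string should be stored with the same care as the service account password.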





ERROR: failed to get OAuth2 token The remote server returned an error: (500) Internal Server Error.

There is an issue with your base64 credentials string or OAuth2 application definition. Check the application name and scope parameters, and double-check the configuration of your application in the tenant.


ERROR: unsupported secret type [file]

Only text-based secrets can be obtained by cgetsecret.


ERROR: You are not authorized to perform this operation. Please contact your IT helpdesk.

The associated service account for the application does not have Retrieve permission on the secret.

