Hey everyone, I'm new to Azure and could use some advice on a project I'm working on. I have a script that runs on macOS to send a Teams message through a webhook URI. However, the URI is currently in plaintext within the script, and security wants it secured away from the code. My plan is to store this URI in a key vault as a secret and then use a service principal with permissions to retrieve the URI in my script. I'm considering using a certificate for the login step, but I found out that I would need to store this certificate in the filesystem since macOS Keychain certs aren't accessible via the CLI. This makes me wonder if storing the cert on disk defeats the purpose of securing it in the first place. Is there a better approach to handle this situation? I'd appreciate any insights or guidance.
4 Answers
Not sure about PowerShell's capabilities on macOS, but Windows PowerShell allows you to create secure strings that can only be read by the user who created them. I’m part of a small group that actually uses PowerShell on Mac!
You could just allow the logged-in user access to the key vault. This seems like a more straightforward solution if the data isn’t particularly sensitive.
Is there a specific reason your script needs to stay on your computer? If you can run it on Azure as a virtual machine or a function app, you could utilize a managed identity to access the key vault directly. However, if it must run locally, you're right that simply putting the cert on your machine doesn't offer much advantage over having the webhook secret. One thing to consider is that you can integrate your script with macOS's Keychain, but that would require keeping constant access to the Keychain. What's the real risk here? If it's just someone spamming your webhook, that might not be a huge concern since the URI can be regenerated.
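As an added example (not the original poster's script or any answerer's code) showing both routes discussed above, the Key Vault fetch via a certificate-authenticated service principal from the question and the macOS Keychain lookup suggested in this answer, here is a complete POSIX shell script. The environment variable names, the Keychain service name `teams-webhook` and the `Key Vault Secrets User` role are assumptions for illustration. Two details matter beyond "move the secret out of the file": the retrieved value is validated against the expected Teams host before anything is sent, so a swapped or mistyped secret cannot redirect the call, and the URI is handed to curl through a config stream on stdin rather than as a command-line argument, which other local users could read with `ps`.

```shell
#!/bin/sh
# Added example: fetch a Teams webhook URI from a secret store and post a message
# without hard-coding the URI. Env var names, the Keychain service name and the
# role name below are assumptions for illustration, not from the original post.
set -u

# --- secret retrieval -------------------------------------------------------

# Option A (the question's plan): service principal + certificate -> Key Vault.
# AZ_CERT_PATH is a PEM file holding the certificate and private key; keep it
# mode 0600. Grant the service principal only "Key Vault Secrets User" on this
# one vault, so a stolen cert exposes one secret and can be revoked in one place.
fetch_uri_from_keyvault() {
  az login --service-principal \
    --username "$AZ_APP_ID" --password "$AZ_CERT_PATH" --tenant "$AZ_TENANT_ID" \
    --allow-no-subscriptions --output none
  az keyvault secret show \
    --vault-name "$KV_NAME" --name "$KV_SECRET_NAME" --query value --output tsv
}

# Option B (this answer's suggestion): macOS Keychain via the security(1) CLI.
# Store the value once with:
#   security add-generic-password -a "$USER" -s teams-webhook -w 'https://...'
fetch_uri_from_keychain() {
  security find-generic-password -a "$USER" -s "${KEYCHAIN_SERVICE:-teams-webhook}" -w
}

# --- validation / payload ---------------------------------------------------

# Only post to something that looks like a Teams incoming-webhook endpoint, so a
# tampered or mistyped secret cannot redirect the message elsewhere.
# Adjust the pattern if your tenant issues Power Automate workflow URLs instead.
validate_webhook_uri() {
  case "$1" in
    https://*.webhook.office.com/webhookb2/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Escape a string for use inside a JSON string literal using POSIX tools only:
# backslash, double quote and newline are the characters that would break it.
json_escape() {
  printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g' | {
    first=1
    while IFS= read -r line; do
      if [ "$first" -eq 1 ]; then first=0; else printf '\\n'; fi
      printf '%s' "$line"
    done
  }
}

# Minimal incoming-webhook body: {"text": "..."}
teams_payload() {
  printf '{"text":"%s"}' "$(json_escape "$1")"
}

# --- sending ----------------------------------------------------------------

# Feed the URI to curl as a config file on stdin rather than as an argument:
# arguments are visible to every local user via `ps`; the config stream is not.
# The payload is not secret, so it can stay on the command line.
post_to_teams() {
  printf 'url = "%s"\n' "$1" | curl --silent --show-error --fail --config - \
    --header 'Content-Type: application/json' --data "$2"
}

main() {
  message=$1
  case "${SECRET_SOURCE:-keyvault}" in
    keyvault) uri=$(fetch_uri_from_keyvault) ;;
    keychain) uri=$(fetch_uri_from_keychain) ;;
    *) echo "SECRET_SOURCE must be keyvault or keychain" >&2; return 2 ;;
  esac
  if ! validate_webhook_uri "$uri"; then
    echo "refusing to post: retrieved secret is not a Teams webhook URI" >&2
    return 1
  fi
  post_to_teams "$uri" "$(teams_payload "$message")"
  # Drop the CLI token cache afterwards so the SP session does not linger on disk.
  if [ "${SECRET_SOURCE:-keyvault}" = keyvault ]; then az logout --output none; fi
}

# Usage: AZ_APP_ID=... AZ_TENANT_ID=... AZ_CERT_PATH=... KV_NAME=... KV_SECRET_NAME=... \
#        ./send_teams.sh "Nightly build finished"
# Run with no arguments, the script only defines the functions above.
if [ "$#" -gt 0 ]; then
  main "$*"
fi
```

With `SECRET_SOURCE=keychain` the script never touches Azure at all, which is the trade-off this answer describes: no certificate on disk, but the Keychain entry must stay accessible to the script's user. With the default Key Vault path, the certificate is still a file on disk, but it is a file whose only power is to read one secret from one vault, and rotating the webhook means updating one Key Vault secret rather than editing scripts.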
You're asking a great question! Having a certificate on disk can indeed just create a new secret to manage. The main goal here is to minimize the blast radius and simplify rotation and access control. It might be worth exploring if you actually need a service principal, or if using a managed identity or device identity could be a better fit for your macOS setup.
