Script Authentication Using Tokens

Overview

Manipulating the Secret Server API via scripts is very handy and powerful but also potentially dangerous, so it is critical to follow best practices to ensure robust security. This topic discusses these best practices. We recommend the Secret Server Software Development Kit for DevOps for all automated or machine-to-machine scripts. If not using the SDK, we strongly recommend creating an application account for script access and limiting permissions via both roles and the secrets themselves.

Best Practices

For security, it is critical that you:

  • Do not use admin accounts.
  • Use a least-privilege account, limiting role and secret access permissions.
  • Never store passwords or tokens in plain text. Use secure credentials instead—see below for details.
  • Use a least-privilage application account. These are restricted from logging in the UI.
  • Never use domain admin credentials in an automated script.
  • Create a specific service account with only the permissions needed to get the task done.
  • Always expire tokens. To expire tokens, navigate to the Admin > Configuration > Application and enable Session Timeout for Webservices, setting the timeout to a short period, the default is 20 mins.

Authentication Methods

Scripts Run by Automated Processes

Recommended methods:

  • Secret Server Software Development Kit for DevOps (SDK). The SDK is a great way to limit access to a specific client with encrypted credentials and IP restrictions. See Script Authentication Using Tokens for more information.

  • Integrated Windows Authentication (IWA).

Specific User Use Cases with Script Augmentation

Recommended methods:

  • Get credentials with two-factor authentication (2FA). This is a secure way to prompt users for credentials for manually run scripts.

  • Prompt with 2FA. This prompts the user for script credentials.

  • IWA.

Example Credential-Access Scripts

Recommended Methods

Get-Credential with 2FA

Copy
$application = "<Secret Server URL>"

function Get-Token
{
    [CmdletBinding()]
    param(
        $credentials
        [Switch] $UseTwoFactor
    )

    $creds = @{
        username = $credentials.UserName
        password = $credentials.GetNetworkCredential().Password
        grant_type = "password"
    };

    $headers = $null
    If ($UseTwoFactor) {        
        $headers = @{ 
            "OTP" = (Read-Host-Prompt "Enter your OTP for 2FA: ")        
        }    
    }

    try
    {
        $response = Invoke-RestMethod "$application/oauth2/token" -Method Post -Body $creds -Headers $headers;
        $token = $response.access_token;
        return $token;
    }
    catch
    {
        $result = $_.Exception.Response.GetResponseStream();
        $reader = New-Object System.IO.StreamReader($result);
        $reader.BaseStream.Position = 0;
        $reader.DiscardBufferedData();
        $responseBody = $reader.ReadToEnd() | ConvertFrom-Json
        Write-Host "ERROR: $($responseBody.error)"
        return;
    }
}

$token = Get-Token -credentials (Get-Credential) -UseTwoFactor 

Prompting for Credentials with 2FA

Copy
$application = "<Secret Server URL>"

function Get-Token
{
    [CmdletBinding()]
    param( [Switch] $UseTwoFactor    
    )

    $creds = @{
        username = Read-Host -Prompt "Enter your username: "
        password = Read-Host -Prompt "Enter your password: "
        grant_type = "password"
    };

    $headers = $null
    If ($UseTwoFactor) {        
    $headers = @{ 
        "OTP" = (Read-Host-Prompt "Enter your OTP for 2FA: ")
       }    
    }
    try
    {
        $response = Invoke-RestMethod "$application/oauth2/token" -Method Post -Body $creds -Headers $headers;
        $token = $response.access_token;
        return $token;
    }
    catch
    {
        $result = $_.Exception.Response.GetResponseStream();
        $reader = New-Object System.IO.StreamReader($result);
        $reader.BaseStream.Position = 0;
        $reader.DiscardBufferedData();
        $responseBody = $reader.ReadToEnd() | ConvertFrom-Json
        Write-Host "ERROR: $($responseBody.error)"
        return;
    }
}

$token = Get-Token -UseTwoFactor 

Integrated Windows Authentication

Secret Server Cloud does not support IWA.
Copy
$api = "<Secret Server URL>/winauthwebservices/api/v1"
$endpoint = "$api/secrets/3844"
$secret = Invoke-RestMethod $endpoint -UseDefaultCredentials
See Script Authentication Using Tokens for more information.

Downloading Example Scripts

Example Scripts:

For REST API Client Generation (Advanced), please see Script Authentication Using Tokens