Rotate Credential via REST API
Automatically any cloud-based account using a REST API with Keeper Secrets Manager
Overview
This documentation provides generic instructions on how to set up password rotation using any cloud-based application or API endpoint and PAM Gateway using "NOOP mode". This is a flag set in the Keeper record which tells the Gateway to skip the primary rotation method and directly execute your custom Post-Rotation script.
This guide includes pre-requisites, step-by-step instructions, and a Python script example.
Pre-requisites
KSM Application: Ensure that the Keeper Secrets Manager (KSM) application is set up.
Shared Folder: A shared folder should be set up where all the records will be stored.
PAM Configuration: Ensure that the PAM Configuration is set up and that the Gateway is running and attached to this configuration.
REST API Token: You will need an API Token to interact with the arbitrary API.
Step 1: Obtain REST API Token or Access Token
Follow the steps in your target application or service to generate an API token.
Store this API token in a Keeper record. The record can be of any type, but for this example, we will use a "Login" type.
Store the API Token in the "password" field.
Store the Organization URL in the "Website Address" field.
Name this record "API Access Details" as this title will be used to fetch the record in the script later.
Step 2: Set Up Rotation Record
Create a new PAM User record to store target User details whose password will be rotated.
Set the username to match the user's login ID.
Set the password to the current password set for the user (this really depends on the REST endpoint)
Step 3: Add PAM Script
Attach the below Python script that will perform the password rotation. The script has additional comments inside that describe each line.
Add the "Rotation Credential" record, which is the record created in Step 1 containing the API Token and URL.
Enable No-Operation (NOOP) atomic execution:
In the current PAM User record where user's details are stored, create a new custom text field labeled
NOOP
and set its value toTrue
.
Step 4: Configure Password Rotation Settings
Rotation Type: Set it to "On-Demand" for this example.
Password Complexity: Leave it as default unless you have specific requirements.
Rotation Settings: Point to the PAM Configuration set up earlier.
Administrative Credentials Record: Can should be left empty
Step 5: Python Environment Setup
Below steps are related to the environment where the Keeper Gateway is running.
Ensure that the Python environment has all necessary dependencies installed.
If you want to use a virtual environment, add a shebang line at the top of the script.
Note: Ensure that the shebang line does not contain spaces. If it does, create a symbolic link without spaces. Example to create a symbolic link on Linux:
sudo ln -s "/Users/john/PAM Rotation Example/.venv/bin/python3" /usr/local/bin/pam_rotation_venv_python3
Python Script
The Python script is well-commented and follows best practices. It imports necessary modules, initializes variables, and defines a rotation function to call an arbitrary REST API that changes user's password.
Last updated