Centrify Infrastructure Services (Privilege Access Service) has the ability to store secrets. These secrets can be free-form text or files (currently up to 5mb in size).
There will be use cases where the contents of these secrets need to be programmatically accessed EG from inside an application or as part of orchestration/DevOps processes.
By leveraging Centrify's OAuth2 authorization framework, this article will describe how to configure an OAuth2 app that enables a PowerShell script to obtain the contents of a text-based secret from the Centrify platform.
However, it does not stop there. Using this methodology (Oauth2 apps & scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation may be achieved. Including writing objects such as systems, shared accounts, secrets ETC. Pretty much everything that can be done via the portal can be automated/configured programmatically.
Whilst this example is in PowerShell any compliant code can leverage this methodology (Java, C#, Go ETC). For example, I have Python code to run SQL queries against the Centrify Identity Platform from LINUX, but that's for another post
For more detail on the Centrify Identity Platform API's see https://developer.centrify.com
Bed Time reading on OAuth2 : https://tools.ietf.org/html/rfc6749
Create the OAuth2 application and service account
As an administrative user, log in to the admin portal for your Centrify Infrastructure Services Tenant
Select Apps -> Click Add Web Apps
Select the Custom Tab -> Click OAuth2 Client -> Add
Click Yes to add the application
Close the Add Web Apps Pop Up
Configure the application - Stage 1
Enter a suitable application ID and description - Make a note of the application ID, this is needed later.
Select General Usage
- Under the client ID Type select the Confidential and Must be OAuth Client buttons
- Enter your tenant URL in the Issuer field
- Ensure the token type is JwtRS256 (JIT)
- Select Client Creds
- Ensure that Auth Code, Implicit and Resource Owner are not selected
- Set the Token Lifetime to be short (EG 5 mins)
- Ensure Issue refresh tokens is not checked
- Ensure User must confirm authorization request is not selected
- Under Scope definitions, Click Add
- Enter a suitable scope name and description - Make a note of the scope name, this is needed later.
- Click Add to define the API endpoints permitted under the scope
- Add RedRock/query
- Add ServerManage/RetrieveDataVaultItemContents
- Click Save
Save the application definition
Configure the application service account - Stage 2
- Click General usage
- Create a Centrify directory user service account by selecting Click here to create one
Define an associated Centrify Identity Platform Service Account
- Enter a suitable login name
- Choose an appropriate suffix for the service account
- Make a note of the login name and suffix, this is needed later.
- Enter an email address, this is mandatory but is not used (at present)
- Enter a suitable display name
- Generate a password for the service account and copy/store it temporarily (or save it as a secret) - this is needed later.
- Ensure Is Oauth confidential client (preview) is checked
- Note that Password never expires is greyed out - this is mandatory for the associated Oauth2 service account
- Click Create User
Create a Role for the API Service Account
Add the API Service Account to the Role
Save the Role
Search for your OAuth2 app and click on it
Add the Role to your application
Save the application config
Create a test secret - Stage 3
1. From the Admin portal, select Infrastructure -> Secrets
2. Click Add Text
- Enter a Name, a Description and a Secret. Make a note of the Name, this will be needed later
- Click Save
Click on the newly created Secret
Under permissions, Click Add
- In the search box, enter the name of the Service account you created in Stage 2
- Select the service account from the list
- Click Add
- Permit the service account to retrieve the secret
- Save the permissions setting
Running the PowerShell script
Base64 encode the service account and password
The OAuth2 Application authorizes the RESTapi to call endpoints using the Scope definition. This is done by issuing a bearer token that is subsequently used during further REST calls. In order to obtain the bearer token, the code must first present a base64 encoded user/password string to the Centrify Identity Platform
Using the Service account, suffix and password noted in stage 2, generate the base64 encoded string. This can be done in PowerShell using the following command:
$bytes = [System.Text.Encoding]::UTF8.GetBytes("YOUR-SERVICE-ACCOUNT@YOUR-SUFFIX:YOUR-PASSWORD");$base64 = [Convert]::ToBase64String($bytes);Write-Host($base64)
PS C:\Users\kevsmith> $bytes = [System.Text.Encoding]::UTF8.GetBytes("dummyuser@lph:notarealpassword");$base64 = [Convert]::ToBase64String($bytes);Write-Host($base64)
Download the attached cgetsecret.txt file and save it somewhere suitable as cgetsecret.ps1 NOTE The file extension change
Startup PowerShell as a regular user and ensure you are in the directory where you saved the script
Now you have the base64 encoded string, you can use the script to pull the test secret using the OAuth2 APP. The script requires the following parameters
Using your base64 encoded credentials, your application, your scope and your test secret as noted during the stages above, try a test pull of your secret. If you secret has spaces in the name surround them with quotes. EG 'My Secret'
Use the -diags switch to get verbose output
PS C:\Users\kevsmith> .\cgetsecret.ps1 -tenant lph.my.centrify.com -credentials xxxxx -app OAuth2CIPS -scope CIPSscope -secret cipsecret
ERROR: failed to get OAuth2 token The remote server returned an error: (500) Internal Server Error.
There is an issue with your base64 credentials string or OAuth2 application definition. Check the application name and scope parameter. Double check the configuration of your application in the tenant
ERROR: unsupported secret type [file]
Only text-based secrets can be obtained by cgetsecret
ERROR: You are not authorized to perform this operation. Please contact your IT helpdesk.
The associated service account for the application does not have retrieve permissions for the secret