11 April,19 at 11:51 AM
Centrify Infrastructure Services (Privileged Access Service) can store secrets. These secrets can be free-form text or files (currently up to 5 MB in size).
There will be use cases where the contents of these secrets need to be accessed programmatically, e.g. from inside an application or as part of orchestration/DevOps processes.
By leveraging Centrify's OAuth2 authorization framework, this article describes how to configure an OAuth2 app that enables a PowerShell script to obtain the contents of a text-based secret from the Centrify platform.
It does not stop there, however. Using this methodology (OAuth2 apps and scopes) and the example script as a base, any programmatic call to the Centrify Identity Platform required for automation can be made, including writing objects such as systems, shared accounts and secrets. Pretty much everything that can be done via the portal can be automated or configured programmatically.
Whilst this example is in PowerShell, any compliant code can use this methodology (Java, C#, Go etc.). For example, I have Python code to run SQL queries against the Centrify Identity Platform from Linux, but that's for another post.
For more detail on the Centrify Identity Platform APIs see https://developer.centrify.com
Bedtime reading on OAuth2: https://tools.ietf.org/html/rfc6749
Create the OAuth2 application and service account
As an administrative user, log in to the admin portal for your Centrify Infrastructure Services Tenant
Example: https://lph.my.centrify.com/manage
Select Apps -> click Add Web Apps
Select the Custom tab -> click OAuth2 Client -> Add
Click Yes to add the application
Close the Add Web Apps pop-up
Configure the application - Stage 1
Enter a suitable application ID and description. Make a note of the application ID; it is needed later.
Select General Usage
Select Tokens
Select Scope
Save the application definition
Configure the application service account - Stage 2
Define an associated Centrify Identity Platform Service Account
Create a Role for the API Service Account
Add the API Service Account to the Role
Save the Role
Search for your OAuth2 app and click on it
Add the Role to your application
Save the application config
Create a test secret - Stage 3
1. From the Admin portal, select Infrastructure -> Secrets
2. Click Add Text
3. Click on the newly created Secret
4. Under Permissions, click Add
Running the PowerShell script
Base64 encode the service account and password
The OAuth2 application authorizes the REST API to call endpoints using the scope definition. This is done by issuing a bearer token that is subsequently used during further REST calls. In order to obtain the bearer token, the code must first present a base64-encoded user/password string to the Centrify Identity Platform.
Using the service account, suffix and password noted in stage 2, generate the base64-encoded string. This can be done in PowerShell using the following command:
$bytes = [System.Text.Encoding]::UTF8.GetBytes("YOUR-SERVICE-ACCOUNT@YOUR-SUFFIX:YOUR-PASSWORD");$base64 = [Convert]::ToBase64String($bytes);Write-Host($base64)
Example:
PS C:\Users\kevsmith> $bytes = [System.Text.Encoding]::UTF8.GetBytes("dummyuser@lph:notarealpassword");$base64 = [Convert]::ToBase64String($bytes);Write-Host($base64)
ZHVtbXl1c2VyQGxwaDpub3RhcmVhbHBhc3N3b3Jk
Download the attached cgetsecret.txt file and save it somewhere suitable as cgetsecret.ps1. Note the file extension change.
Start PowerShell as a regular user and ensure you are in the directory where you saved the script.
Now that you have the base64-encoded string, you can use the script to pull the test secret using the OAuth2 app. The script requires the following parameters:
cgetsecret.ps1 [-tenant] [-app] [-scope] [-credentials] [-secret] [-diags]
Using your base64-encoded credentials, your application, your scope and your test secret as noted during the stages above, try a test pull of your secret. If your secret has spaces in its name, surround it with quotes, e.g. 'My Secret'.
Use the -diags switch to get verbose output.
Example:
PS C:\Users\kevsmith> .\cgetsecret.ps1 -tenant lph.my.centrify.com -credentials xxxxx -app OAuth2CIPS -scope CIPSscope -secret cipsecret
a-test-secret
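The end-to-end flow the script performs, as an added PowerShell example that is not the attached cgetsecret.ps1: exchange the base64 credentials for a bearer token, look up the secret by name, then retrieve its text, failing in the same places the troubleshooting section below describes. The endpoint paths (/oauth2/token/{app}, /Redrock/query, /ServerManage/RetrieveDataVaultItemContents), the X-CENTRIFY-NATIVE-CLIENT header and the response field names are assumptions drawn from the Centrify developer documentation linked above, not from this article.

```powershell
# Added example, not the article's cgetsecret.ps1. Endpoint paths, header and
# field names are assumptions based on the Centrify developer documentation.
function Get-CentrifyTextSecret {
    param(
        [Parameter(Mandatory)][string]$Tenant,       # e.g. lph.my.centrify.com
        [Parameter(Mandatory)][string]$App,          # OAuth2 application ID (stage 1)
        [Parameter(Mandatory)][string]$Scope,        # scope defined on the app
        [Parameter(Mandatory)][string]$Credentials,  # base64("user@suffix:password")
        [Parameter(Mandatory)][string]$SecretName,
        [switch]$Diags
    )
    $base = "https://$Tenant"

    # 1. Client-credentials grant: Basic auth with the base64 string, bearer token back.
    #    Base64 is an encoding, not encryption, so treat $Credentials as the password itself.
    try {
        $tok = Invoke-RestMethod -Method Post -Uri "$base/oauth2/token/$App" `
            -Headers @{ Authorization = "Basic $Credentials" } `
            -ContentType 'application/x-www-form-urlencoded' `
            -Body "grant_type=client_credentials&scope=$([uri]::EscapeDataString($Scope))"
    } catch { throw "failed to get OAuth2 token $($_.Exception.Message)" }
    if ($Diags) { Write-Host "token_type=$($tok.token_type) expires_in=$($tok.expires_in)s" }
    $auth = @{ Authorization = "Bearer $($tok.access_token)"; 'X-CENTRIFY-NATIVE-CLIENT' = 'true' }

    # 2. Resolve the secret's ID and type by name via the Redrock SQL endpoint.
    $safeName = $SecretName.Replace("'", "''")   # escape quotes in the literal
    $query = @{ Script = "select ID, Type from DataVault where SecretName = '$safeName'" } | ConvertTo-Json
    $q = Invoke-RestMethod -Method Post -Uri "$base/Redrock/query" -Headers $auth `
        -ContentType 'application/json' -Body $query
    if (-not $q.success) { throw "secret lookup failed: $($q.Message)" }
    $rows = @($q.Result.Results)
    if ($rows.Count -ne 1) { throw "expected one secret named '$SecretName', found $($rows.Count)" }
    $row = $rows[0].Row
    if ($row.Type -ne 'Text') { throw "unsupported secret type [$($row.Type)]" }   # file secrets

    # 3. Retrieve the contents. A missing Retrieve permission on the secret surfaces
    #    here as success=false with the platform's "not authorized" message.
    $r = Invoke-RestMethod -Method Post -Uri "$base/ServerManage/RetrieveDataVaultItemContents" `
        -Headers $auth -ContentType 'application/json' -Body (@{ ID = $row.ID } | ConvertTo-Json)
    if (-not $r.success) { throw "retrieve failed: $($r.Message)" }
    return $r.Result.SecretText
}

# Usage (values from stages 1-3 above):
# Get-CentrifyTextSecret -Tenant lph.my.centrify.com -App OAuth2CIPS -Scope CIPSscope `
#     -Credentials $base64 -SecretName cipsecret -Diags
```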
Troubleshooting
ERROR: failed to get OAuth2 token The remote server returned an error: (500) Internal Server Error.
There is an issue with your base64 credentials string or OAuth2 application definition. Check the application name and scope parameter, and double-check the configuration of your application in the tenant.
ERROR: unsupported secret type [file]
Only text-based secrets can be obtained by cgetsecret.
ERROR: You are not authorized to perform this operation. Please contact your IT helpdesk.
The service account associated with the application does not have Retrieve permission on the secret.