Splunk Add-on for Google Cloud Platform: Update credentials via command line

jypyking
Explorer

Hi,

We have implemented key rotation on GCP and we need to be able to set the new credentials via command line.
Does anyone know how?
We've found the password file, but credentials are encrypted and I'm not sure how I can encrypt the new creds and update the .conf file via command line.

Thanks.

tyron_
Explorer

So I think I found a way of doing this. You can just update the file google_cloud_credentials.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_google-cloudplatform/local with the new value according to the docs, such as:

[<name>]
google_credentials={"type": "service_account","project_id": "my-project","private_key_id": "32a3be8f2f0dcfe967ea558e486deaereacfas0c2497e"}

After you do that, the passwords.conf file will be automatically updated with the new values as soon as you go into the Configuration page on the Splunk Console. Restarting the Splunk service also works if you want to keep it on the command line.

Another option you have is to forget about passwords altogether and use the GCE service account. Take a look at this post: https://answers.splunk.com/answers/774312/use-gce-service-account.html

0 Karma
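
Added example, not part of the original thread and not Splunk's own tooling: a Python script for the file edit described in the answer above, for use in a key-rotation job. It validates the new service account key, compacts it to one line, replaces only the matching stanza, and writes the file atomically with mode 0600. Assumptions: the stanza name and file paths are supplied by the caller, and the required-field list is taken from the sample in the answer.

```python
import json, os, sys, tempfile

# Fields shown in the answer's sample stanza (assumed minimum for a sanity check).
REQUIRED = ("type", "project_id", "private_key_id")

def render_stanza(name, key_json):
    """Return the conf stanza for one credential; reject malformed key JSON."""
    key = json.loads(key_json)  # raises ValueError on invalid JSON
    missing = [f for f in REQUIRED if f not in key]
    if missing or key["type"] != "service_account":
        raise ValueError(f"not a service account key (missing: {missing})")
    # A conf value must stay on one line; json.dumps keeps the newlines
    # inside private_key as the two-character escape \n.
    compact = json.dumps(key, separators=(",", ":"))
    return f"[{name}]\ngoogle_credentials={compact}\n"

def replace_stanza(conf_text, name, stanza):
    """Drop any existing [name] stanza, keep all others, append the new one."""
    kept, skipping = [], False
    for line in conf_text.splitlines():
        if line.startswith("["):
            skipping = line.strip() == f"[{name}]"
        if not skipping:
            kept.append(line)
    body = "\n".join(kept).strip()
    return (body + "\n\n" if body else "") + stanza

def write_credentials(conf_path, name, key_json):
    """Atomically rewrite conf_path; the key is cleartext here, so keep it 0600."""
    old = open(conf_path).read() if os.path.exists(conf_path) else ""
    new = replace_stanza(old, name, render_stanza(name, key_json))
    # mkstemp creates the temp file with mode 0600 in the same directory,
    # so os.replace is an atomic rename and never exposes a partial file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path) or ".")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(new)
        os.replace(tmp, conf_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return new

if __name__ == "__main__":
    # usage: script.py <path to google_cloud_credentials.conf> <stanza name> <key.json>
    conf, stanza_name, key_file = sys.argv[1:4]
    write_credentials(conf, stanza_name, open(key_file).read())
```

Run it as the user that owns the Splunk installation so file ownership stays correct, then restart Splunk as described in the answer.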

tyron_
Explorer

Were you able to sort this? I noticed that if you populate the google_cloud_credentials.conf file with the contents of your JSON file, it will automatically repopulate the passwords.conf file as soon as you go to the Credentials page on the UI. Not sure how you can trigger this process from the command line, though.

0 Karma