I am in the process of writing a Splunk script that is going to overwrite the contents of a lookup file using REST. However, the issue I am hitting is how to authenticate against the REST endpoint.
I am planning on having Splunk running the script (probably through inputs.conf). It would run every x hours and update the lookup using a python script that calls an outside source. I can successfully call the outside source and parse the data, however I am stuck on how to overwrite the lookup table via REST. All examples of REST calls show passing credentials. I don't want to hardcode any admin creds on the script itself.
I found this article from splunk, but the REST section clearly shows they are passing creds. Are there any other ways to do this?
https://www.splunk.com/en_us/blog/tips-and-tricks/store-encrypted-secrets-in-a-splunk-app.html
Any suggestions?
You can't use REST without authentication.
https://docs.splunk.com/Documentation/Splunk/8.2.5/RESTUM/RESTusing#Authentication_and_authorization
You can fiddle with token-based authentication to reduce the user's privileges as much as you can and store credentials for that user only.
So that is what I thought. But there are apps that will overwrite lookup tables or fetch credentials from Splunk's password store. How do those apps do that if they are not authenticating? Typically these apps are doing this via script, so how are they able to overwrite files or use secrets without calling the password store? I didn't notice any hardcoding of creds in their scripts. Also, Splunk Cloud will scan these apps for creds, so if they are Splunk Cloud certified, then that means they are somehow storing the creds in the secret store and calling it back whenever the script runs.
OK. There are two sides to this story.
One is that if you call REST API you must authenticate (unless perhaps you're calling some public endpoints; I'm not sure if there are any).
But the other thing is that if you're using the Splunk SDK and run your script as a modular input (in the context of the splunkd process), the Splunk lib is able to authenticate itself and you don't have to worry about it.
At least that's what I understand from the docs - I did some fiddling with other people's scripts but I haven't created any from scratch yet.
See for example https://github.com/splunk/splunk-sdk-python/blob/master/examples/kvstore.py
In general, you manipulate kvstore with splunk.kvstore class.
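To make the "Splunk authenticates the script for you" point concrete, here is an added example (not code from the thread, the SDK, or Splunk). It shows the mechanism the SDK hides: a modular input receives an XML input definition on stdin that carries a `<session_key>` (and a scripted input with `passAuth = <user>` in inputs.conf receives the key as the first line of stdin), and that key goes into an `Authorization: Splunk <key>` header for REST calls, so no password ever lives in the script. The stanza name, app name, collection name and the session key value are constructed placeholders; the requests are built with the standard library and not sent. The key inherits the privileges of whichever user Splunk runs the input as, so a dedicated low-privilege user is the right choice for `passAuth`.

```python
# Added example: obtaining Splunk authentication from the input definition
# instead of hard-coded credentials. Endpoint paths follow the documented REST
# API; names and the session key value below are constructed placeholders.
import json
import sys
import xml.etree.ElementTree as ET
from urllib.parse import quote
import urllib.request

# Constructed sample of the XML Splunk writes to a modular input's stdin.
SAMPLE_MODINPUT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<input>
  <server_host>search-head-01</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>PLACEHOLDER_SESSION_KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs</checkpoint_dir>
  <configuration>
    <stanza name="lookup_refresh://threat_list">
      <param name="collection">threat_list</param>
      <param name="app">my_lookup_app</param>
    </stanza>
  </configuration>
</input>
"""


def parse_modinput_config(xml_text):
    """Pull server_uri, session_key and per-stanza params out of the input
    definition XML. Fails loudly if Splunk did not supply a session key."""
    root = ET.fromstring(xml_text)
    cfg = {
        "server_uri": root.findtext("server_uri"),
        "session_key": root.findtext("session_key"),
        "stanzas": {},
    }
    for stanza in root.iter("stanza"):
        params = {p.get("name"): p.text for p in stanza.findall("param")}
        cfg["stanzas"][stanza.get("name")] = params
    if not cfg["session_key"]:
        raise ValueError("no session_key in input definition")
    return cfg


def session_key_from_passauth(stdin_text):
    """Classic scripted input with passAuth set: the session key is the first
    line Splunk writes to stdin."""
    key = stdin_text.splitlines()[0].strip() if stdin_text.strip() else ""
    if not key:
        raise ValueError("passAuth session key missing on stdin")
    return key


def auth_header(session_key):
    """Session-key authentication replaces a username/password pair."""
    return {"Authorization": "Splunk " + session_key}


def build_batch_save_request(server_uri, app, collection, rows, session_key):
    """Build (not send) the POST that upserts rows into a KV store collection
    via storage/collections/data/<collection>/batch_save."""
    path = "/servicesNS/nobody/{}/storage/collections/data/{}/batch_save".format(
        quote(app, safe=""), quote(collection, safe=""))
    headers = auth_header(session_key)
    headers["Content-Type"] = "application/json"
    body = json.dumps(rows).encode("utf-8")
    return urllib.request.Request(server_uri + path, data=body,
                                  headers=headers, method="POST")


def build_password_fetch_request(server_uri, app, realm, username, session_key):
    """Build (not send) the GET that reads a secret stored under
    storage/passwords; the entry name is '<realm>:<username>:'."""
    name = quote("{}:{}:".format(realm, username), safe="")
    path = "/servicesNS/nobody/{}/storage/passwords/{}?output_mode=json".format(
        quote(app, safe=""), name)
    return urllib.request.Request(server_uri + path,
                                  headers=auth_header(session_key), method="GET")


def main():
    # Real run: Splunk pipes the definition in; interactive run: use the sample.
    xml_text = SAMPLE_MODINPUT_XML if sys.stdin.isatty() else sys.stdin.read()
    cfg = parse_modinput_config(xml_text)
    params = next(iter(cfg["stanzas"].values()))
    rows = [{"_key": "10.0.0.1", "indicator": "10.0.0.1", "source": "feed"}]
    req = build_batch_save_request(cfg["server_uri"], params["app"],
                                   params["collection"], rows, cfg["session_key"])
    print(req.get_method(), req.full_url)  # the key itself is never printed


if __name__ == "__main__":
    main()
```

With the SDK, `Script.stream_events` gives you `input_definition.metadata["session_key"]` and a ready-made `self.service`, which is exactly this parsing done for you.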