I am building a custom Splunk application. The app leverages custom python scripts to query an external API and present data in a dashboard directly in the Splunk UI. Using the setup.xml, I am able to successfully store the external API credentials in a passwords.conf file.
When I invoke the scripts and API calls with the admin user, everything works perfectly without any issues. However, when I try to do the same with a non-admin user, I get the following error:
Error: [HTTP 403] Client is not authorized to perform requested action; https://127.0.0.1:8089/servicesNS/nobody/my-app/admin/passwords
How can I successfully pull out the credentials from passwords.conf with a user that isn't an admin?
My getCredentials() method is as follows:
```python
import splunk.entity as entity

myapp = 'my-app'  # app namespace, as in the failing URL


def getCredentials(sessionKey, targetUsername, logger):
    try:
        # list all credentials
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp,
                                      owner='nobody', sessionKey=sessionKey)
    except Exception as e:
        logger.error("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))

    credentials = []
    # return credentials
    for i, c in entities.items():
        if c['username'] == targetUsername:
            credentials.append((c['username'], c['clear_password']))
            return credentials

    logger.error("No credentials have been found")
    raise Exception("No credentials have been found")
```
My passwords.conf file looks like this (encrypted password string obfuscated):

```
[credential::api_user:]
password = $1234abcd=
```
Interesting; however, would not list_storage_passwords allow the REST API to be used to obtain the clear-text password if the user had the knowledge and the ability (rest_properties_get) to use the REST API?
Wouldn't this then potentially allow the user to see the real password (assuming they had access to port 8089, had the required authorize.conf setting and found the passwords endpoint)...
Try https://mysplunkserver:8089/servicesNS/nobody/storage/passwords in a browser, as per Storing Encrypted Credentials or Splunk Alert Scripts.
When using a default app such as search, you may see the passwords from every other application; if you have many, you may need to append ?count=-1 to the URL.
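One way to read the credential through the storage/passwords endpoint the answer points at, as an added example (not code from the question or the answer): the Splunk call is kept in fetch_storage_passwords (assumes Splunk's bundled Python, where splunk.entity exists, and the app name my-app from the question's URL), while select_credential does the realm/username match and the app-scope check on a constructed, dict-shaped response so it can be exercised offline. The eai:acl app field, the count=-1 keyword and the sample data are assumptions of this example.

```python
import logging

MYAPP = "my-app"  # app namespace; matches the app in the question's URL
logger = logging.getLogger(MYAPP)


def fetch_storage_passwords(session_key, app=MYAPP):
    """Read the app's credentials via storage/passwords, which needs the
    list_storage_passwords capability rather than an admin role.
    splunk.entity only exists under Splunk's bundled Python, so import it here."""
    import splunk.entity as entity  # assumption: this runs inside Splunk
    return entity.getEntities(
        ["storage", "passwords"],
        namespace=app,
        owner="nobody",
        sessionKey=session_key,
        count=-1,  # default paging would hide entries past the first page
    )


def select_credential(entities, username, realm="", app=MYAPP):
    """Return (username, clear_password) for the entry matching realm and
    username. `entities` is the dict-like storage/passwords result, keyed
    like 'realm:username:'. Entries shared in from other apps are skipped
    so a same-named credential elsewhere is not picked up by mistake."""
    for name, c in entities.items():
        if c.get("username") != username or c.get("realm", "") != realm:
            continue
        if c.get("eai:acl", {}).get("app", app) != app:
            continue
        return c["username"], c["clear_password"]
    # log the lookup key, never the secret itself
    logger.error("No credential for realm=%r username=%r in app %s", realm, username, app)
    raise LookupError("No credentials have been found")


def get_credentials(session_key, username, realm=""):
    return select_credential(fetch_storage_passwords(session_key), username, realm)


# constructed sample shaped like a storage/passwords response, for offline use
SAMPLE = {
    ":api_user:": {"username": "api_user", "realm": "",
                   "clear_password": "s3cret", "eai:acl": {"app": "my-app"}},
    "other:api_user:": {"username": "api_user", "realm": "other",
                        "clear_password": "x", "eai:acl": {"app": "other-app"}},
}
```

Inside Splunk, call get_credentials(sessionKey, "api_user") from the script; the role running it needs list_storage_passwords in authorize.conf, and that capability exposes every credential shared into the app context, which is why the app-scope check is there.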