Developing for Splunk Enterprise

I've created a custom Splunk App that has passwords.conf file for external API credentials. How can I get a non-admin user to pull the credentials out of passwords.conf?


I am building a custom Splunk application. The app leverages custom python scripts to query an external API and present data in a dashboard directly in the Splunk UI. Using the setup.xml, I am able to successfully store the external API credentials in a passwords.conf file.

When I invoke the scripts and API calls with the admin user, everything works perfectly without any issues. However, when I try to do the same with a non-admin user, I get the following error:

Error: [HTTP 403] Client is not authorized to perform requested action;

How can I successfully pull out the credentials from passwords.conf with a user that isn't an admin?

My getCredentials() method is as follows:

def getCredentials(sessionKey, targetUsername, logger):
        # list all credentials
        entities = entity.getEntities(['admin', 'passwords'], namespace=myapp, owner='nobody', sessionKey=sessionKey)
    except Exception, e:
        logger.error("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
        raise Exception("Could not get %s credentials from splunk. Error: %s" % (myapp, str(e)))
    credentials = []
    # return credentials
    for i, c in entities.items():
        if c['username'] == targetUsername:
            credentials.append((c['username'], c['clear_password']))
    return credentials
    logger.error("No credentials have been found")
    raise Exception("No credentials have been found") 

My password.conf file looks like this (encrypted password string obfuscated):

password = $1234abcd=


Anyone you needs to hit the endpoint for stored creds needs to have the role capability 'list_storage_passwords' in v6.5+. Prior to 6.5 it has to be 'admin_all_objects'.


Interesting, however would not list_storage_passwords allow the REST API to be used to obtain the clear text password if the user had the knowledge and the ability (rest_properties_get) to use the REST API?

Wouldn't this then potentially allow the user to see the real password (assuming they had access to port 8089, had the required authorize.conf setting and found the passwords endpoint)...

Path Finder

Gareth, how do you reverse engineer the password from the crypt. Do you not also need the splunk.secret ? (and that means splunk host access) ?

0 Karma


Try https://mysplunkserver:8089/servicesNS/nobody/storage/passwords in a browser, as per Storing Encrypted Credentials or Splunk Alert Scripts

Where using a default app such as search you may see the passwords from every other application, if you have many you may need to append ?count=-1 to the URL.

0 Karma