Splunk Dev

How to call rest endpoint without authenticating?

amat
Explorer

I am in the process of writing a Splunk script that is going to overwrite the contents of a lookup file using REST. However, the issue I am hitting is how to authenticate against the REST endpoint.

I am planning on having Splunk run the script (probably through inputs.conf). It would run every x hours and update the lookup using a Python script that calls an outside source. I can successfully call the outside source and parse the data; however, I am stuck on how to overwrite the lookup table via REST. All examples of REST calls show passing credentials. I don't want to hardcode any admin creds in the script itself.

I found this article from Splunk, but the REST section clearly shows they are passing creds. Are there any other ways to do this?

https://www.splunk.com/en_us/blog/tips-and-tricks/store-encrypted-secrets-in-a-splunk-app.html

Any suggestions?

0 Karma

PickleRick
SplunkTrust

You can't use REST without authentication.

https://docs.splunk.com/Documentation/Splunk/8.2.5/RESTUM/RESTusing#Authentication_and_authorization

You can fiddle with token-based authentication to reduce the user's privileges as much as you can and store credentials for that user only.

0 Karma

amat
Explorer

So that is what I thought. But there are apps that will overwrite lookup tables or fetch credentials from Splunk's password store. How do those apps do that if they are not authenticating? Typically these apps are doing this via script, so how are they able to overwrite files or use secrets without calling the password store? I didn't notice any hardcoding of creds in their scripts. Also, Splunk Cloud will scan these apps for creds, so if they are Splunk Cloud certified, then that means they are somehow storing the creds in the secret store and calling it back whenever the script runs.

0 Karma

PickleRick
SplunkTrust

OK. There are two sides to this story.

One is that if you call the REST API you must authenticate (unless perhaps you're calling some public endpoints; I'm not sure if there are any).

But the other thing is that if you're using the Splunk SDK and run your script as a modular input (in the context of the Splunk process), the Splunk lib is able to authenticate itself and you don't have to worry about it.

At least that's what I understand from the docs - I did some fiddling with other people's scripts but I haven't created any from scratch yet.

See for example https://github.com/splunk/splunk-sdk-python/blob/master/examples/kvstore.py

In general, you manipulate kvstore with splunk.kvstore class.

0 Karma
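
Added example (not part of any post in this thread and not Splunk's own code): how a modular input can reuse the session key that splunkd passes on stdin, so that no credential is stored in the script. The app name `my_app`, the collection `my_lookup`, and the use of a KV-store-backed lookup are assumptions, and the sample XML is constructed.

```python
import json
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Constructed sample of the XML splunkd writes to a modular input's stdin.
SAMPLE_STDIN = """<input>
  <server_host>sh01</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>CONSTRUCTED-SESSION-KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/demo</checkpoint_dir>
  <configuration/>
</input>"""


def read_splunkd_context(xml_text):
    """Return (server_uri, session_key) from the modular-input XML."""
    root = ET.fromstring(xml_text)
    uri = (root.findtext("server_uri") or "").strip()
    key = (root.findtext("session_key") or "").strip()
    if not uri or not key:
        raise ValueError("splunkd did not pass server_uri/session_key")
    # Added hardening choice: never send the session key over plain HTTP.
    if urlsplit(uri).scheme != "https":
        raise ValueError("refusing to send a session key over " + uri)
    return uri, key


def build_kvstore_batch_save(uri, key, app, collection, rows):
    """Build (not send) a POST that writes rows to a KV store collection."""
    url = "%s/servicesNS/nobody/%s/storage/collections/data/%s/batch_save" % (
        uri.rstrip("/"), quote(app, safe=""), quote(collection, safe=""))
    return urllib.request.Request(
        url,
        data=json.dumps(rows).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": "Splunk " + key,  # session key, never written to disk
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Under splunkd, pass sys.stdin.read() instead of SAMPLE_STDIN.
    uri, key = read_splunkd_context(SAMPLE_STDIN)
    req = build_kvstore_batch_save(uri, key, "my_app", "my_lookup", [{"ip": "192.0.2.1"}])
    print(req.get_method(), req.full_url)  # the key is deliberately not printed
```

The session key carries the privileges of the user the input runs as, so the script should avoid logging it or writing it to the checkpoint directory.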