PowerBroker Password Safe
Amazon AWS - Rotate Access Key
Amazon AWS – Rotate Access Key 2 © 2017. BeyondTrust Software, Inc
Revision/Update Information: November 2017
Software Version: NA
Revision Number: 0
Corporate Headquarters
5090 N. 40th Street Phoenix, AZ 85018
Phone: 1 818-575-4000
COPYRIGHT NOTICE
Copyright © 2017 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned in this document.
Contents
Introduction
Contacting Support
Download and Configure Amazon AWS
Configure API Users in BeyondInsight
Create an Asset for AWS
.NET Using CSharp Example
ServiceNow Example
Introduction
This guide provides information on rotating the access key with Amazon AWS and PowerBroker Password Safe. The information includes configuring AWS and Password Safe.
Contacting Support
For support, go to our Customer Portal, then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along with product downloads, product installers, license management, latest product releases, product documentation, webcasts and product demos.
Telephone
Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040
Vulnerability Management Support
North/South America: 866.529.2201 | 949.333.1997
+ enter access code
All other Regions
Standard Support: 949.333.1995
+ enter access code
Platinum Support: 949.333.1996
+ enter access code
Online
http://www.beyondtrust.com/Resources/Support/
Download and Configure Amazon AWS
1. Get a free instance of Amazon AWS and create a user in IAM. You can get your instance here:
https://aws.amazon.com/free/
2. Add some permissions specific to API access for the user.
3. Create an Access Key for the user.
4. Download the AWS CLI Bundled Installer. See http://docs.aws.amazon.com/cli/latest/userguide/awscli-install-bundle.html
5. Once AWS CLI is installed, execute aws configure.
For example:
[root@lserver01 aws]# aws configure
AWS Access Key ID [****************74EA]:
AWS Secret Access Key [****************iMO8]:
Default region name [us-west-2]:
Default output format [json]:
See https://aws.amazon.com/cli/ for details.
Configure API Users in BeyondInsight
1. In BeyondInsight, configure API Registration. You will need the key for the script that rotates the Access Key.
2. Create a group (API Users) and add Smart Rule roles. Check Enable Application API for your integration.
3. For the All Managed Accounts Smart Rule, select the Credentials Manager role (required).
4. Create a service account for API access.
Create an Asset for AWS
1. Manually create an Asset for AWS. You can select Windows server for the type.
2. Click the arrow on the right, and select Add to Password Safe.
3. Select the Platform type Windows.
4. Save and click the Local Accounts tab.
5. Create a Managed Account. This account is the account you created in AWS for AWS API access. It is a container for the Access Key.
Now you can call the Password Safe REST API and retrieve the password. You can try with the Linux scripts below (getManagedAccounts.sh). I created the scripts under /root/aws in my lab.
---------------------------
#!/usr/bin/env bash
# getManagedAccounts.sh
# Replace KEY with your API registration key and HOST with your BeyondInsight /
# Password Safe server (step 6). -k skips certificate verification and is only
# acceptable for a lab server with a self-signed certificate.
HOST="https://172.16.0.111"
KEY="0f9f0b3a6ece800f22052febfba51ceef13393255dc2a138b5129e106bc88c3555c67c0b0aa486a7bc527b9874cfa86aab1038a0b2778380fae3c053ea60d446"
AUTH="PS-Auth key=${KEY}; runas=snowAPI;"
COOKIE="/root/aws/pbpscookie.txt"

# Sign in as the API user; the session cookie is written to the cookie file.
/usr/bin/curl -i -c "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/auth/SignAppin" \
  -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k

# List the managed accounts, replaying the session cookie, and save the response.
/usr/bin/curl -i -b "${COOKIE}" -X GET "${HOST}/BeyondTrust/api/public/v3/ManagedAccounts" \
  -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k -o ManagedAccounts.json

# End the session.
/usr/bin/curl -i -b "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/auth/Signout" \
  -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k
---------------------------
6. Replace the key with your key value, and the IP address with the one for your BeyondInsight/Password Safe server.
The output will look similar to the following:
---------------------------
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Date: Sat, 19 Aug 2017 18:16:02 GMT
Content-Length: 3269

[{"PlatformID":1,"SystemId":1,"SystemName":"app01","DomainName":null,"AccountId":2,"AccountName":"administrator","AccountNameFull":"administrator","MaximumReleaseDuration":10065,"MaxReleaseDurationDays":6,"MaxReleaseDurationHours":23,"MaxReleaseDurationMinutes":45,"InstanceName":"","DefaultReleaseDuration":120,"DefaultReleaseDurationDays":0,"DefaultReleaseDurationHours":2,"DefaultReleaseDurationMinutes":0,"LastChangeDate":"2017-06-23T22:39:11.387","NextChangeDate":"2017-08-03T07:00:00","IsChanging":false,"IsISAAccess":true},
{"PlatformID":1,"SystemId":15,"SystemName":"AWS (Amazon)","DomainName":null,"AccountId":18,"AccountName":"btuapi","AccountNameFull":"btuapi","MaximumReleaseDuration":10079,"MaxReleaseDurationDays":6,"MaxReleaseDurationHours":23,"MaxReleaseDurationMinutes":59,"InstanceName":"","DefaultReleaseDuration":120,"DefaultReleaseDurationDays":0,"DefaultReleaseDurationHours":2,"DefaultReleaseDurationMinutes":0,"LastChangeDate":"2017-08-19T18:14:34.77","NextChangeDate":"2017-09-01T04:00:00","IsChanging":false,"IsISAAccess":true},
...
---------------------------
Note the SystemId (15) and AccountId (18) in the example.
Then you can retrieve the password with this script (getPassword.sh):
---------------------------
#!/usr/bin/env bash
# getPassword.sh
# Replace KEY and HOST as in getManagedAccounts.sh. SystemID and AccountID come from the
# ManagedAccounts output (15 and 18 in this example). -k is for a lab server only.
HOST="https://172.16.0.111"
KEY="0f9f0b3a6ece800f22052febfba51ceef13393255dc2a138b5129e106bc88c3555c67c0b0aa486a7bc527b9874cfa86aab1038a0b2778380fae3c053ea60d446"
AUTH="PS-Auth key=${KEY}; runas=snowAPI;"
COOKIE="/root/aws/pbpscookie.txt"

/usr/bin/curl -i -c "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/auth/SignAppin" \
  -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k

# Request the credential through an ISA request; the response body is the password as a JSON string.
MyResponse=$(/usr/bin/curl -i -b "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/ISARequests" \
  -H "Content-Type: application/json" -H "Authorization: ${AUTH}" \
  -d '{"SystemID":"15","AccountID":"18","DurationMinutes":"1","Reason":"test"}' -k)

# Keep only the quoted string: the response headers contain no double quotes, so the
# greedy match isolates the body.
MyPassword=$(/bin/echo "${MyResponse}" | /usr/bin/sed -n 's:.*"\(.*\)".*:\1:p')

/usr/bin/curl -i -b "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/auth/Signout" \
  -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k

/bin/echo "${MyPassword}" > MyPassword.txt
---------------------------
Again, replace the key and IP address.
Open MyPassword.txt; you should see the current password for the btuapi account. Then you can use the main script (rotateKey.sh). This script does two things:
1. Rotates the Access Key in AWS;
2. Updates the Managed Account password in Password Safe.
---------------------------
#!/usr/bin/env bash
# rotateKey.sh: rotate the access key of the IAM user configured for the AWS CLI,
# then store the new "AccessKeyId;SecretAccessKey" pair in Password Safe.
# Replace HOST, KEY and ACCOUNT_ID (18) with your own values. -k skips certificate
# verification and is only acceptable for a lab server with a self-signed certificate.
HOST="https://172.16.0.111"
KEY="0f9f0b3a6ece800f22052febfba51ceef13393255dc2a138b5129e106bc88c3555c67c0b0aa486a7bc527b9874cfa86aab1038a0b2778380fae3c053ea60d446"
AUTH="PS-Auth key=${KEY}; runas=snowAPI;"
COOKIE="/root/aws/pbpscookie.txt"
ACCOUNT_ID=18

echo "Verifying that AWS CLI is installed ..."
command -v aws >/dev/null 2>&1 || { echo >&2 "AWS CLI tools are required, but couldn't be found. Please install from https://aws.amazon.com/cli/. Aborting."; exit 1; }

echo "Verifying that AWS CLI has configured credentials ..."
ORIGINAL_ACCESS_KEY_ID=$(aws configure get aws_access_key_id)
ORIGINAL_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key)
if [ -z "$ORIGINAL_ACCESS_KEY_ID" ]; then
  >&2 echo "ERROR: No aws_access_key_id/aws_secret_access_key configured for AWS CLI. Run 'aws configure' with your current keys."
  exit 1
fi

# An IAM user can hold at most two access keys, so a slot must be free before a new one is created.
EXISTING_KEYS_CREATEDATES=($(aws iam list-access-keys --query 'AccessKeyMetadata[].CreateDate' --output text))
NUM_EXISTING_KEYS=${#EXISTING_KEYS_CREATEDATES[@]}
if [ ${NUM_EXISTING_KEYS} -lt 2 ]; then
  echo "You have only one existing key. Now proceeding with new key creation."
else
  echo "You have two keys (maximum number). We must make space ..."
  IFS=$'\n' sorted_createdates=($(sort <<<"${EXISTING_KEYS_CREATEDATES[*]}"))
  unset IFS
  echo "Now acquiring data for the older key ..."
  OLDER_KEY_CREATEDATE="${sorted_createdates[0]}"
  OLDER_KEY_ID=$(aws iam list-access-keys --query "AccessKeyMetadata[?CreateDate=='${OLDER_KEY_CREATEDATE}'].AccessKeyId" --output text)
  OLDER_KEY_STATUS=$(aws iam list-access-keys --query "AccessKeyMetadata[?CreateDate=='${OLDER_KEY_CREATEDATE}'].Status" --output text)
  echo "Now acquiring data for the newer key ..."
  NEWER_KEY_CREATEDATE="${sorted_createdates[1]}"
  NEWER_KEY_ID=$(aws iam list-access-keys --query "AccessKeyMetadata[?CreateDate=='${NEWER_KEY_CREATEDATE}'].AccessKeyId" --output text)
  NEWER_KEY_STATUS=$(aws iam list-access-keys --query "AccessKeyMetadata[?CreateDate=='${NEWER_KEY_CREATEDATE}'].Status" --output text)
  key_in_use=""
  allow_older_key_delete=false
  allow_newer_key_delete=false
  # Only the key that is not configured for the CLI may be offered for deletion.
  if [ "${OLDER_KEY_STATUS}" = "Active" ] && [ "${NEWER_KEY_STATUS}" = "Active" ] && [ "${NEWER_KEY_ID}" = "${ORIGINAL_ACCESS_KEY_ID}" ]; then
    # both keys are active, newer key is in use
    key_in_use="newer"
    allow_older_key_delete=true
    key_id_can_delete=$OLDER_KEY_ID
    key_id_remaining=$NEWER_KEY_ID
  elif [ "${OLDER_KEY_STATUS}" = "Active" ] && [ "${NEWER_KEY_STATUS}" = "Active" ] && [ "${OLDER_KEY_ID}" = "${ORIGINAL_ACCESS_KEY_ID}" ]; then
    # both keys are active, older key is in use
    key_in_use="older"
    allow_newer_key_delete=true
    key_id_can_delete=$NEWER_KEY_ID
    key_id_remaining=$OLDER_KEY_ID
  elif [ "${OLDER_KEY_STATUS}" = "Inactive" ] && [ "${NEWER_KEY_STATUS}" = "Active" ]; then
    # newer key is active and in use
    key_in_use="newer"
    allow_older_key_delete=true
    key_id_can_delete=$OLDER_KEY_ID
    key_id_remaining=$NEWER_KEY_ID
  elif [ "${OLDER_KEY_STATUS}" = "Active" ] && [ "${NEWER_KEY_STATUS}" = "Inactive" ]; then
    # older key is active and in use
    key_in_use="older"
    allow_newer_key_delete=true
    key_id_can_delete=$NEWER_KEY_ID
    key_id_remaining=$OLDER_KEY_ID
  else
    echo "You don't have keys I can delete to make space for the new key. Please delete a key manually and then try again."
    echo "Aborting."
    exit 1
  fi
fi

if [ "${allow_older_key_delete}" = "true" ] || [ "${allow_newer_key_delete}" = "true" ]; then
  echo "To proceed you must delete one of your two existing keys; they are listed below:"
  echo
  echo "OLDER EXISTING KEY (${OLDER_KEY_STATUS}, created on ${OLDER_KEY_CREATEDATE}):"
  echo -n "Key Access ID: ${OLDER_KEY_ID} "
  if [ "${allow_older_key_delete}" = "true" ]; then
    echo "(this key can be deleted)"
  elif [ "${key_in_use}" = "older" ]; then
    echo "(this key is currently your active key)"
  fi
  echo
  echo "NEWER EXISTING KEY (${NEWER_KEY_STATUS}, created on ${NEWER_KEY_CREATEDATE}):"
  echo -n "Key Access ID: ${NEWER_KEY_ID} "
  if [ "${allow_newer_key_delete}" = "true" ]; then
    echo "(this key can be deleted)"
  elif [ "${key_in_use}" = "newer" ]; then
    echo "(this key is currently your active key)"
  fi
  echo
  echo
  echo "Enter below the Access Key ID of the key to delete, or leave empty to cancel, then press enter."
  read key_in
  if [ "${key_in}" = "${key_id_can_delete}" ]; then
    echo "Now deleting the key ${key_id_can_delete}"
    aws iam delete-access-key --access-key-id "${key_id_can_delete}"
    if [ $? -ne 0 ]; then
      echo "Could not delete the access keyID ${key_id_can_delete}. Cannot proceed."
      echo "Aborting."
      exit 1
    fi
  elif [ "${key_in}" = "" ]; then
    echo Aborting.
    exit 1
  else
    echo "The input did not match the Access Key ID of the key that can be deleted. Run the script again to retry."
    echo "Aborting."
    exit 1
  fi
fi

echo
echo "Creating a new access key for the current IAM user ..."
# Text output is one line: ACCESSKEY <AccessKeyId> <CreateDate> <SecretAccessKey> <Status> <UserName>
NEW_KEY_RAW_OUTPUT=$(aws iam create-access-key --output text)
NEW_KEY_DATA=($(printf '%s' "${NEW_KEY_RAW_OUTPUT}" | awk '{printf ("%s\t%s", $2, $4)}'))
NEW_AWS_ACCESS_KEY_ID="${NEW_KEY_DATA[0]}"
NEW_AWS_SECRET_ACCESS_KEY="${NEW_KEY_DATA[1]}"

echo "Verifying that the new key was created ..."
EXISTING_KEYS_ACCESS_IDS=($(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text))
NUM_EXISTING_KEYS=${#EXISTING_KEYS_ACCESS_IDS[@]}
if [ ${NUM_EXISTING_KEYS} -lt 2 ]; then
  >&2 echo "Something went wrong; the new key was not created."
  echo "Aborting"
  exit 1
fi

echo "Pausing to wait for the IAM changes to propagate ..."
COUNT=0
MAX_COUNT=20
SUCCESS=false
while [ "$SUCCESS" = false ] && [ "$COUNT" -lt "$MAX_COUNT" ]; do
  sleep 10
  aws iam list-access-keys > /dev/null && RETURN_CODE=$? || RETURN_CODE=$?
  if [ "$RETURN_CODE" -eq 0 ]; then
    SUCCESS=true
  else
    COUNT=$((COUNT+1))
    echo "(Still waiting for the key propagation to complete ...)"
  fi
done

if [ "$SUCCESS" = "true" ]; then
  echo "Key propagation complete."
  echo "Configuring new access key for AWS CLI ..."
  aws configure set aws_access_key_id "$NEW_AWS_ACCESS_KEY_ID"
  aws configure set aws_secret_access_key "$NEW_AWS_SECRET_ACCESS_KEY"
  echo "Verifying the new key is in place, and that IAM access still works ..."
  revert=false
  CONFIGURED_ACCESS_KEY=$(aws configure get aws_access_key_id)
  if [ "$CONFIGURED_ACCESS_KEY" != "$NEW_AWS_ACCESS_KEY_ID" ]; then
    >&2 echo "Something went wrong; the new key could not be taken into use."
    revert=true
  fi
  # this is just to test access via AWS CLI; the content here doesn't matter (other than that we get a result)
  EXISTING_KEYS_ACCESS_IDS=($(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text))
  NUM_EXISTING_KEYS=${#EXISTING_KEYS_ACCESS_IDS[@]}
  if [ ${NUM_EXISTING_KEYS} -ne 2 ]; then
    >&2 echo "Something went wrong; the new key could not access AWS CLI."
    revert=true
  fi
  if [ "${revert}" = "true" ]; then
    echo "Reverting configuration to use the old keys."
    aws configure set aws_access_key_id "$ORIGINAL_ACCESS_KEY_ID"
    aws configure set aws_secret_access_key "$ORIGINAL_SECRET_ACCESS_KEY"
    echo "Original configuration restored."
    echo "Aborting."
    exit 1
  fi

  echo "Deleting the previously active access key ..."
  aws iam delete-access-key --access-key-id "$ORIGINAL_ACCESS_KEY_ID"
  echo "Verifying old access key got deleted ..."
  EXISTING_KEYS_ACCESS_IDS=($(aws iam list-access-keys --query 'AccessKeyMetadata[].AccessKeyId' --output text))
  NUM_EXISTING_KEYS=${#EXISTING_KEYS_ACCESS_IDS[@]}
  if [ ${NUM_EXISTING_KEYS} -ne 1 ]; then
    >&2 echo "Something went wrong deleting the old key, however your new key is now in use."
  fi
  echo
  echo "switched from the old access key ${ORIGINAL_ACCESS_KEY_ID} to ${NEW_AWS_ACCESS_KEY_ID}"
  echo "${NEW_AWS_ACCESS_KEY_ID}" > /root/aws/newKeyID.txt
  echo "${NEW_AWS_SECRET_ACCESS_KEY}" > /root/aws/newKeySecret.txt
  # Password Safe stores both halves in one field, separated by ';'. UpdateSystem is false
  # because the key has already been changed in AWS; Password Safe only needs to record it.
  printf '{"Password":"%s;%s","UpdateSystem":"false"}\n' "${NEW_AWS_ACCESS_KEY_ID}" "${NEW_AWS_SECRET_ACCESS_KEY}" > /root/aws/newKeyID.json

  echo "Calling Password Safe to update Credentials"
  /usr/bin/curl -i -c "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/auth/SignAppin" \
    -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k
  /usr/bin/curl -i -b "${COOKIE}" -X PUT "${HOST}/BeyondTrust/api/public/v3/ManagedAccounts/${ACCOUNT_ID}/Credentials" \
    -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d @/root/aws/newKeyID.json -k -o UpdateManagedAccounts.json
  /usr/bin/curl -i -b "${COOKIE}" -X POST "${HOST}/BeyondTrust/api/public/v3/auth/Signout" \
    -H "Content-Type: application/json" -H "Authorization: ${AUTH}" -d "" -k
  echo "Done Calling Password Safe to update Credentials"
  echo "Process complete."
  exit 0
else
  echo "Key propagation did not complete within the allotted time. This delay is caused by AWS, and does \
not necessarily indicate an error. However, the newly generated key cannot be safely taken into use before \
the propagation has completed. Please wait for some time, and try to temporarily replace the Access Key ID \
and the Secret Access Key in your ~/.aws/config file with the new key details (below). Keep the old keys safe \
until you have confirmed that the new key works."
  echo
  echo "PLEASE MAKE NOTE OF THE NEW KEY DETAILS BELOW; IT HAS NOT BEEN SAVED ELSEWHERE YET!"
  echo
  echo "New AWS Access Key ID: ${NEW_AWS_ACCESS_KEY_ID}"
  echo "New AWS Secret Access Key: ${NEW_AWS_SECRET_ACCESS_KEY}"
  echo "${NEW_AWS_SECRET_ACCESS_KEY}" > /root/aws/newKey.txt
  echo
  exit 1
fi
------------------------------------
You will need to replace the key, the IP address and the AccountId (18). The script output looks like this:
------------------------------------
[root@lserver01 aws]# cat MyPassword.txt
AKIAIDNXY3GJQBQQW5JA;xqiS5mAW91IXU7FkE4A0tHHci5SRcAP3u9cX+fxV
[root@lserver01 aws]# clear
[root@lserver01 aws]# ./rotateKey_PBPS.sh
Verifying that AWS CLI is installed ...
Verifying that AWS CLI has configured credentials ...
You have only one existing key. Now proceeding with new key creation.

Creating a new access key for the current IAM user ...
Verifying that the new key was created ...
Pausing to wait for the IAM changes to propagate ...
Key propagation complete.
Configuring new access key for AWS CLI ...
Verifying the new key is in place, and that IAM access still works ...
Deleting the previously active access key ...
Verifying old access key got deleted ...

switched from the old access key AKIAIDNXY3GJQBQQW5JA to AKIAIHSIV4MQTE66T3OQ
Calling Password Safe to update Credentials
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=lpoy14aqar03a3oehoiruo2s; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Date: Sat, 19 Aug 2017 18:40:34 GMT
Content-Length: 101

{"UserId":10,"SID":null,"EmailAddress":"[email protected]","UserName":"snowAPI","Name":"API ServiceNow"}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    99    0     0  100    99      0    141 --:--:-- --:--:-- --:--:--   141
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Date: Sat, 19 Aug 2017 18:40:34 GMT

Done Calling Password Safe to update Credentials
Process complete.
[root@lserver01 aws]#
-------------------------------------------------
After the script executes, you will find the json document used to update Password Safe:
-------------------------------------------------
[root@lserver01 aws]# cat newKeyID.json
{"Password":"AKIAIHSIV4MQTE66T3OQ;yBkD/7h9mrM2OPw91e/Qzorxd98GTLWvEb3ezifc","UpdateSystem":"false"}
[root@lserver01 aws]#
-------------------------------------------------
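The curl scripts above and the rotation script all run the same Password Safe exchange: SignAppin returns a session cookie, ISARequests returns the stored value as a JSON string, PUT .../Credentials stores the new "AccessKeyId;SecretAccessKey" pair, and Signout ends the session. The following Python program is an added example, not BeyondTrust's code: it runs that exchange against a small in-process fake of the v3 API so it can be executed without a server. The API key, session cookie and stored values are constructed placeholders, and the fake's behaviour (PS-Auth header check, cookie check, JSON-string body) is modelled on the responses shown in this guide, not on the product's implementation.

```python
import json
import threading
import urllib.error
import urllib.request
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed placeholders: a fake API registration key, plus the SystemID/AccountID
# values used in this guide (15 and 18).
API_KEY = "PLACEHOLDER-API-REGISTRATION-KEY"
RUN_AS = "snowAPI"
SYSTEM_ID, ACCOUNT_ID = 15, 18
API = "/BeyondTrust/api/public/v3"
INITIAL_PAIR = "AKIAOLDKEYEXAMPLE00;oldSecretExample"


class FakePasswordSafe(BaseHTTPRequestHandler):
    # Constructed stand-in for the v3 API, modelled on the responses shown in the guide.
    state = {"password": INITIAL_PAIR}

    def _send(self, status, body=None, cookie=None):
        data = b"" if body is None else json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(data)

    def _handle(self):
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0))
        signing_in = self.path == f"{API}/auth/SignAppin"
        has_cookie = "ASP.NET_SessionId=" in (self.headers.get("Cookie") or "")
        # PS-Auth header on every call; the session cookie on everything after SignAppin.
        if (self.headers.get("Authorization") != f"PS-Auth key={API_KEY}; runas={RUN_AS};"
                or not (signing_in or has_cookie)):
            return self._send(HTTPStatus.UNAUTHORIZED)
        if signing_in:
            return self._send(HTTPStatus.OK, {"UserName": RUN_AS},
                              "ASP.NET_SessionId=constructed; path=/; HttpOnly")
        if self.path == f"{API}/ISARequests":
            req = json.loads(body)
            if (int(req["SystemID"]), int(req["AccountID"])) != (SYSTEM_ID, ACCOUNT_ID):
                return self._send(HTTPStatus.NOT_FOUND)
            return self._send(HTTPStatus.OK, self.state["password"])  # body is a JSON string
        if self.command == "PUT" and self.path == f"{API}/ManagedAccounts/{ACCOUNT_ID}/Credentials":
            self.state["password"] = json.loads(body)["Password"]
            return self._send(HTTPStatus.OK)
        if self.path == f"{API}/auth/Signout":
            return self._send(HTTPStatus.OK)
        self._send(HTTPStatus.NOT_FOUND)

    do_POST = do_PUT = _handle


class PasswordSafeClient:
    # Client side of the exchange the curl scripts perform; the cookie is kept like curl -c / -b.
    def __init__(self, base_url, api_key, run_as):
        self.base = base_url.rstrip("/") + API
        self.auth = f"PS-Auth key={api_key}; runas={run_as};"
        self.cookie = None
        self.opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def _call(self, method, path, payload=None):
        headers = {"Authorization": self.auth, "Content-Type": "application/json"}
        if self.cookie:
            headers["Cookie"] = self.cookie
        data = None if payload is None else json.dumps(payload).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=headers)
        with self.opener.open(req) as resp:
            if resp.headers.get("Set-Cookie"):
                self.cookie = resp.headers["Set-Cookie"].split(";")[0]
            raw = resp.read()
        return json.loads(raw) if raw else None  # ISARequests returns the value as a JSON string

    def sign_in(self): return self._call("POST", "/auth/SignAppin")
    def sign_out(self): return self._call("POST", "/auth/Signout")

    def get_password(self, system_id, account_id, reason="rotation"):
        return self._call("POST", "/ISARequests", {"SystemID": str(system_id), "AccountID":
                          str(account_id), "DurationMinutes": "1", "Reason": reason})

    def set_credentials(self, account_id, key_id, secret):
        # Same document the guide writes to newKeyID.json: "id;secret", target not updated.
        return self._call("PUT", f"/ManagedAccounts/{account_id}/Credentials",
                          {"Password": f"{key_id};{secret}", "UpdateSystem": "false"})


def run_exchange():
    # Sign in, read the stored pair, store a new pair, read it back, sign out.
    FakePasswordSafe.state["password"] = INITIAL_PAIR
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakePasswordSafe)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        client = PasswordSafeClient(base, API_KEY, RUN_AS)
        client.sign_in()
        old_id, _, old_secret = client.get_password(SYSTEM_ID, ACCOUNT_ID).partition(";")
        client.set_credentials(ACCOUNT_ID, "AKIANEWKEYEXAMPLE00", "newSecretExample")
        new_value = client.get_password(SYSTEM_ID, ACCOUNT_ID)
        client.sign_out()
        try:  # a wrong registration key is refused before any session exists
            PasswordSafeClient(base, "wrong-key", RUN_AS).sign_in()
            refused = False
        except urllib.error.HTTPError as exc:
            refused = exc.code == HTTPStatus.UNAUTHORIZED
        return {"old": (old_id, old_secret), "new": new_value, "refused": refused}
    finally:
        server.shutdown()
        server.server_close()
```

Running `run_exchange()` returns the old pair split at the `;` separator, the new value read back after the PUT, and whether a client with a wrong registration key was refused. Decoding the ISARequests body as JSON is the robust replacement for the sed expression in getPassword.sh, which only works because the response headers happen to contain no double quotes.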
Now if you execute getPassword.sh again and cat MyPassword.txt, you will find the new Access Key ID and Secret concatenated with the ; separator.
-------------------------------------------------
[root@lserver01 aws]# ./getPassword.sh
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=j4rq4c0gx5t2rgpkjrbk0bu1; path=/; HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Date: Sat, 19 Aug 2017 18:46:17 GMT
Content-Length: 101

{"UserId":10,"SID":null,"EmailAddress":"[email protected]","UserName":"snowAPI","Name":"API ServiceNow"}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   135  100    63  100    72     96    110 --:--:-- --:--:-- --:--:--   110
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 0
Expires: -1
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
x-xss-protection: 1; mode=block
Date: Sat, 19 Aug 2017 18:46:17 GMT

[root@lserver01 aws]# cat MyPassword.txt
AKIAIHSIV4MQTE66T3OQ;yBkD/7h9mrM2OPw91e/Qzorxd98GTLWvEb3ezifc
[root@lserver01 aws]#
-------------------------------------------------
The Access Key ID should match the new key for the user in AWS IAM (refresh the browser).
So we obtained the key programmatically using scripts based on curl. You can write other types of scripts, including Python, VB, etc. You will need basic substring before/after logic around the ; separator, and you must follow the AWS instructions to generate the authentication header with its signature.
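As an added example (not from this guide), the following Python script takes the value exactly as Password Safe returns it, splits it at the first ; into the Access Key ID and the Secret Access Key, and derives an AWS Signature Version 4 Authorization header for an IAM ListAccessKeys call using only the standard library. The sample value is the rotated pair shown in MyPassword.txt above; the host (iam.amazonaws.com), the region (us-east-1, which the global IAM endpoint signs against), the fixed timestamp and the action parameters are assumptions made for the example.

```python
import datetime
import hashlib
import hmac
import urllib.parse

# Sample input: the rotated pair as shown in MyPassword.txt above (from this guide).
PASSWORD_SAFE_VALUE = "AKIAIHSIV4MQTE66T3OQ;yBkD/7h9mrM2OPw91e/Qzorxd98GTLWvEb3ezifc"
# Fixed timestamp so the signature is reproducible (constructed for the example).
SAMPLE_TIME = datetime.datetime(2017, 8, 19, 18, 46, 17, tzinfo=datetime.timezone.utc)


def split_password_safe_value(value):
    """Split 'AccessKeyId;SecretAccessKey' at the first ';' only, so any later ';'
    would stay inside the secret rather than truncate it."""
    key_id, sep, secret = value.partition(";")
    if not sep or not key_id or not secret:
        raise ValueError("expected 'AccessKeyId;SecretAccessKey'")
    return key_id, secret


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret, date_stamp, region, service):
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _q(s):
    return urllib.parse.quote(s, safe="-_.~")  # SigV4 URI encoding: '/' is not safe here


def sigv4_headers(key_id, secret, method, host, path, query, body, region, service, now):
    """Host, X-Amz-Date and Authorization headers for one request (AWS4-HMAC-SHA256)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    canonical_query = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(query.items()))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([method, path, canonical_query,
                                   f"host:{host}\nx-amz-date:{amz_date}\n",
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"Host": host, "X-Amz-Date": amz_date,
            "Authorization": (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
                              f"SignedHeaders={signed_headers}, Signature={signature}")}


def list_access_keys_request(value, now=None):
    """URL and signed headers for the IAM Query API action ListAccessKeys (host/region assumed)."""
    key_id, secret = split_password_safe_value(value)
    now = now or datetime.datetime.now(datetime.timezone.utc)
    query = {"Action": "ListAccessKeys", "Version": "2010-05-08"}
    headers = sigv4_headers(key_id, secret, "GET", "iam.amazonaws.com", "/", query, "",
                            "us-east-1", "iam", now)
    return "https://iam.amazonaws.com/?" + urllib.parse.urlencode(sorted(query.items())), headers


if __name__ == "__main__":
    url, headers = list_access_keys_request(PASSWORD_SAFE_VALUE)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

The secret never leaves the process: only the derived signature is sent, which is why the secret half of the Password Safe value must be parsed out exactly and never logged. Swap the host, region, service and query for any other AWS API; the derivation is the same.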
.NET Using CSharp Example
It is also interesting to look at A2A, or Application to Application, examples. The first one is based on .NET using CSharp.
-------------------------------------------------
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;

namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
            // Replace the key, the IP address and the SystemID/AccountID with your own values.
            HttpClient client = new HttpClient();
            client.DefaultRequestHeaders.Add("Authorization",
                "PS-Auth key=0f9f0b3a6ece800f22052febfba51ceef13393255dc2a138b5129e106bc88c3555c67c0b0aa486a7bc527b9874cfa86aab1038a0b2778380fae3c053ea60d446; runas=snowAPI;");

            // SignAppin is sent with an empty (null) JSON body.
            string json = Newtonsoft.Json.JsonConvert.SerializeObject(null);
            StringContent content = new StringContent(json);
            content.Headers.ContentType = new MediaTypeHeaderValue("application/json");

            // Accept any server certificate: the equivalent of curl -k, for a lab server only.
            ServicePointManager.ServerCertificateValidationCallback +=
                (sender, cert, chain, sslPolicyErrors) => true;

            // Sign in; HttpClient keeps the session cookie for the calls that follow.
            HttpResponseMessage signInResponse = client.PostAsync(
                "https://172.16.0.111/BeyondTrust/api/public/v3/auth/SignAppin", content).Result;

            HttpResponseMessage ManagedAccountsResponse = client.GetAsync(
                "https://172.16.0.111/BeyondTrust/api/public/v3/ManagedAccounts").Result;

            // ISA request for SystemID 15 / AccountID 18 (taken from the ManagedAccounts output).
            var MyPayload = "{ \"SystemID\":\"15\",\"AccountID\":\"18\"," +
                            "\"DurationMinutes\":\"1\",\"Reason\":\"Test C Sharp\"}";
            StringContent MyContent = new StringContent(MyPayload);
            MyContent.Headers.ContentType = new MediaTypeHeaderValue("application/json");
            HttpResponseMessage getResponse = client.PostAsync(
                "https://172.16.0.111/BeyondTrust/api/public/v3/ISARequests", MyContent).Result;

            Console.WriteLine("signInResponse = " + signInResponse);
            Console.WriteLine("ManagedAccounts = " + ManagedAccountsResponse);
            Console.WriteLine("ManagedAccounts String = " +
                ManagedAccountsResponse.Content.ReadAsStringAsync().Result);
            Console.WriteLine("getResponse = " + getResponse);

            // The response body is the stored value "AccessKeyId;SecretAccessKey" as a JSON string.
            String myPassword = getResponse.Content.ReadAsStringAsync().Result;
            Console.WriteLine("And the password is = ");
            Console.WriteLine(myPassword);
            Console.ReadKey();
        }
    }
}
-------------------------------------------------
Again, you need to replace the key, IP address and AccountId.
Visual Studio .NET example: CSharp Console App. This app is fully documented separately.
ServiceNow Example
This example uses ServiceNow.
ServiceNow application, fully documented separately.
ServiceNow application in action, based on Catalog Item.