Solved

API Token Authentication

  • 28 December 2022
  • 13 replies
  • 582 views

Is there any way we can access the REST API without a token? Because we just run the script on the local Commvault computer and we don't want the user + password in plaintext.

Thank you

Hello, in Commvault Platform Release 2023 you have the option to generate tokens in Command Center. I'm using this with my Postman ;)

 

https://documentation.commvault.com/2023/essential/153483_creating_access_token_01.html

Well hello there. I like this, that said it retains the original problem that OP is referring to.

Essentially you should not be embedding credentials or tokens in your scripts. 

There are several instances of companies being breached due to someone getting access to a script from the script being shared or published to GitHub or something like that.

 

The token may not be as powerful as actual credentials, but it still creates the problem of someone being able to, for example, browse internal data and restore to an arbitrary place.

Scripts should not have embedded credentials; they should be stored in a secret store.

Secret stores are not a Commvault thing, I would assume that at this point all script languages should have a native secret store. Microsoft has their secrets module, which is actually extensible so you can connect to third-party password managers such as LastPass 😂.

 

Seriously though, use Azure secrets or Python secrets. 

Don’t distribute secrets in your scripts.
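
Added example, not written by any poster in this thread and not Commvault's own code: a PowerShell sketch of the approach described above, where the script holds no token and fetches it at runtime from a Microsoft.PowerShell.SecretManagement vault. The vault name, secret name, URL, endpoint path and header name are placeholders or assumptions for illustration.

```powershell
#Requires -Modules Microsoft.PowerShell.SecretManagement

# One-time setup, run interactively by the account that will run the script
# (these lines are not part of the scheduled script):
#   Install-Module Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
#   Register-SecretVault -Name 'BackupOps' -ModuleName Microsoft.PowerShell.SecretStore
#   Set-Secret -Vault 'BackupOps' -Name 'CommvaultApiToken' -Secret (Read-Host 'Token' -AsSecureString)

# Assumed names: all four values below are placeholders for illustration.
$VaultName  = 'BackupOps'
$SecretName = 'CommvaultApiToken'
$BaseUrl    = 'https://commserve.example.internal/<api-base-path>'
$HeaderName = 'Authtoken'   # assumption; use the header your Commvault release documents

function Get-ApiToken {
    param([string]$Vault, [string]$Name)
    # Fail closed: there is no fallback to a hard-coded value if the secret is missing.
    if (-not (Get-SecretInfo -Vault $Vault -Name $Name -ErrorAction SilentlyContinue)) {
        throw "Secret '$Name' not found in vault '$Vault'."
    }
    # A string secret comes back as a SecureString unless -AsPlainText is given.
    Get-Secret -Vault $Vault -Name $Name -ErrorAction Stop
}

function Invoke-BackupApi {
    param([string]$Path, [securestring]$Token)
    if ($BaseUrl -notmatch '^https://') {
        throw 'Refusing to send a token to a non-TLS URL.'
    }
    # Decrypt only at the point of use, and drop the plaintext afterwards.
    $plain = [System.Net.NetworkCredential]::new('', $Token).Password
    try {
        $headers = @{ $HeaderName = $plain; Accept = 'application/json' }
        Invoke-RestMethod -Method Get -Uri "$BaseUrl/$Path" -Headers $headers
    }
    finally {
        Remove-Variable plain, headers -ErrorAction SilentlyContinue
    }
}

$token  = Get-ApiToken -Vault $VaultName -Name $SecretName
$report = Invoke-BackupApi -Path '<report-endpoint>' -Token $token
```

The SecretStore vault is per-user and by default asks for its password interactively, so an unattended run needs the store unlocked (`Unlock-SecretStore`) or configured for the account that runs the script; access to that account is then what has to be protected.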


Hello, in Commvault Platform Release 2023 you have the option to generate tokens in Command Center. I'm using this with my Postman ;)

 

https://documentation.commvault.com/2023/essential/153483_creating_access_token_01.html

Hopefully we'll see support being added to both the PowerShell and Python SDKs!




Thank you all for your kind help.

The method “GetCredential” seems the best choice.

Indeed it just migrates the problem to securing the credential store and making sure that whoever is running the scripts has the proper rights to the credential store.


@christopherlecky to the rescue! thanks for sharing this in so much detail! 

No problem.






Just for chits and giggles I stuck your question into chatgpt and here is the result:

 

PowerScript is a language and runtime environment used to develop and execute scripts for the PowerCenter data integration platform developed by Informatica. It is similar to other scripting languages, such as Python or PowerShell, but is specifically designed for use in the PowerCenter environment.

To retrieve credentials from a credential store in PowerScript, you can use the GetCredential function. This function takes a credential name as an input and returns a Credential object containing the username and password for the specified credential.

Here is an example of how you could use the GetCredential function in a PowerScript script to retrieve credentials from a credential store:

 
# Define the credential name
$credentialName = "MyCredential"

# Retrieve the credentials from the credential store
$credential = GetCredential($credentialName)

# Extract the username and password from the credential object
$username = $credential.Username
$password = $credential.Password

This script retrieves the credentials for the credential with the name "MyCredential" from the credential store, and stores the username and password in the $username and $password variables, respectively.

You can then use these variables to authenticate with a remote system or service using the appropriate API or protocol. For example, you might use the $username and $password variables to construct an HTTP basic authentication header to authenticate with an HTTP API.

 

Looks pretty comparable to Microsoft secrets modules, so all you have to do is create a credential store, populate it and boom. You are done.


Microsoft has a solution for this when using PowerShell, called secrets.

I would assume that power script has something analogous. 

This way you don't have to store credentials in the script itself, but rather the script credentials are retrieved at runtime.

 

This, strictly speaking, isn’t a Commvault issue.


Unfortunately there is no way that I am aware of. You might be able to do something like log in using command-line qlogin with SSO and get a token to use with REST - but not entirely sure if that is possible.


Is there any way we can access the REST API without a token? Because we just run the script on the local Commvault computer and we don't want the user + password in plaintext.

Thank you

Not sure why you are thinking your credentials are sent in plain text to the API endpoint, because when you have put in place a certificate, which by default is self-signed, then you can point your scripting to the SSL endpoint.

But if you still insist on running it locally on the system then you have to look into qscripts → https://documentation.commvault.com/2022e/expert/45429_qscripts_on_command_line.html

Sorry, because we are using the powerscript we don’t want to put the username with password in the script. Maybe the best solution is to create a new user with enough permission to generate a token and get a report.

Curious to understand the problem, because there are many solutions available which allow you to securely store the credentials. Even running scripts locally on the system using for example qscripts require some form of authentication using username and password or you have to use the local credentials. 



