
User APIKey


enigmatic


We have multiple password lists.

Lists are grouped in folders.

Folders have access control enabled with different people assigned to each one.

Each list can be accessed by API using per list APIKey.

 

If we use the same APIKey then everyone who needs to have automated access to one of them has access to all of them.

If we use different APIKeys for each list then we preserve per folder access, but automatic access gets more complicated since we have to juggle both Passwordlist ID and APIKey (that should be secret and can't be stored in repo - like "hey before running this, set these 5 different apikey secret variables and don't write it down or check it in")

 

What would be nice is if there was a per-user APIKey that would allow access to the API like "/api/passwords/${LIST_ID}?QueryAll".

This way everyone could run automated scripts and have access to all the password lists that they are assigned access to in Passwordstate by setting a single UserAPIKey environment/Header variable, and let Passwordstate handle access control.


That could solve it as all people involved have Windows workstations, but scripts that need to fetch from Passwordstate are often run remotely on Linux boxes or automatically in response to some defined trigger...

Would it be possible to extract some sort of auth header created by "Invoke-Restmethod -Method Get -Uri $PasswordstateUrl -UseDefaultCredentials" and reuse it on a different box (for example in curl as a request header)?
