How do you handle API keys?

  • January 9, 2026

Hi! Just wanted to understand how you are handling the initial API keys / OAuth secret required to authenticate to BI PS itself.

e.g. we have a BI-managed service account used by a few Linux endpoints. This service account is used to map a network drive. We want to fetch the latest credentials via a script from BI PS at user logon and map the network drive.

To secure the API key, we are planning to put it on a network share where a group of users will have access. But this means that if the machine is compromised or an internal user wants to get access, they can fetch the key and the service account credentials. We are thinking of rotating this key in the BI PS config + network share from a secure server, but this introduces another high-privileged account with config access to the API + possibly one more account with network share access (though in a more secured environment). This increases complexity, but the key/password still has the same level of security (when compared to keeping the key static).

Also, we are planning to enable cert-based authentication to the BI PS API so that only known endpoints can access the API.

Just wanted to check what other admins are doing to manage the initial API key handling. I see that packaging the script and hardcoding the key is an option to make it a little bit more difficult to find. But rotation will be difficult too.

1 reply

Pulitros144
  • Veteran
  • January 12, 2026

@bt101 First, certificate-based authentication will be disabled in newer versions of PS (KB0023034), so I would strongly recommend not even starting with that approach.

Second, you can use the Password Safe CLI Application to rotate the API key in a more controlled environment.

Alternatively, you could install the Password Safe Cache service and configure your users to retrieve passwords from that service. This way, your internal IP would be used to log into the service, eliminating the need to rotate the API key. You would only need to add or remove IPs from the allowlist in Password Safe.