How to retrieve password from storage/passwords endpoint?

vaibhavagg2006
Communicator

Hi Experts
I am trying to retrieve the password which is stored in passwords.conf, but it is returning blank. Below is the code which is being triggered by an alert. The alert is set up using the admin account. I have not set any realm while taking input from users in the setup page.

# Modify to fit your environment
CREDENTIAL_USER="user123"
# Set realm if entered with password
CREDENTIAL_REALM=""
# Update App Name
APP="app123"
# Search needs to be owned by someone with admin rights to access passwords
ALERT_OWNER="admin"
# Splunk Host
SPLUNK_HOST="localhost"

# Splunk Python
SPLUNK_PYTHON="$SPLUNK_HOME/bin/splunk cmd python"
# Read sessionKey from STDIN
read sessionKey
key=`echo $sessionKey | sed s/sessionKey=//g`
decoded_key=`$SPLUNK_PYTHON -c "import sys, urllib as ul; print ul.unquote_plus('$key')"`

clear_password=`curl -s -k -H "Authorization: Splunk $decoded_key" https://$SPLUNK_HOST:8089/servicesNS/$ALERT_OWNER/$APP/storage/passwords/$CREDENTIAL_REALM:$CREDENTI... | grep clear_password | sed -re 's/^\s+<s:.*?>(.*?)<.*?>$/\1/g'`

The passwords.conf is below

[credential::user123:]
password = $1$7EScd0o=

Any inputs on this are appreciated.

0 Karma

starcher
Influencer
0 Karma

vaibhavagg2006
Communicator

I want to call the storage endpoint to get the clear password for a ServiceNow user and use that password. The script is being called by an alert. Which section from the blog can be used?

0 Karma
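The flow discussed in this thread (read the session key from STDIN, call storage/passwords, pull out clear_password), as an added Python 3 example that is not from the original posts or from Splunk. It assumes the Atom response carries `<s:key name="clear_password">`, that realm and user contain no colons, and that `cafile` points at the CA for splunkd's certificate; `SAMPLE_RESPONSE` and all function names are constructed for illustration.

```python
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NS = {"s": "http://dev.splunk.com/ns/rest"}  # namespace of <s:key> in splunkd Atom responses

# Constructed sample of a storage/passwords entry (placeholder secret, not real output).
SAMPLE_RESPONSE = b"""<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>:user123:</title><content type="text/xml"><s:dict>
    <s:key name="clear_password">EXAMPLE-SECRET</s:key>
    <s:key name="username">user123</s:key>
  </s:dict></content></entry></feed>"""


def read_session_key(stdin_line):
    """Alert scripts get 'sessionKey=<url-encoded value>' on STDIN; return the decoded key."""
    value = stdin_line.strip()
    if value.startswith("sessionKey="):
        value = value[len("sessionKey="):]
    return urllib.parse.unquote_plus(value)


def credential_url(host, owner, app, realm, user, port=8089):
    """Entity name is '<realm>:<user>:' with a trailing colon, as in [credential::user123:]."""
    name = f"{realm}:{user}:"  # assumes realm and user contain no ':' themselves
    parts = ("servicesNS", owner, app, "storage", "passwords", name)
    return f"https://{host}:{port}/" + "/".join(urllib.parse.quote(p, safe=":") for p in parts)


def extract_clear_password(atom_xml):
    """Return the clear_password value, or None when the response has no such key."""
    key = ET.fromstring(atom_xml).find(".//s:key[@name='clear_password']", NS)
    return None if key is None else (key.text or "")


def fetch_clear_password(url, session_key, cafile=None):
    """GET the entry with certificate verification on (unlike curl -k); cafile = splunkd's CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers={"Authorization": f"Splunk {session_key}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return extract_clear_password(resp.read())


if __name__ == "__main__":
    key = read_session_key(sys.stdin.readline())
    url = credential_url("localhost", "admin", "app123", "", "user123")
    password = fetch_clear_password(url, key)  # keep in memory; never print or log it
    sys.exit(0 if password else 1)  # non-zero exit tells the alert the lookup came back empty
```

Parsing the XML by key name avoids the grep/sed pipeline silently yielding an empty string when the response layout or whitespace differs.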