Newbie question - interacting with API that requires auth first

Hello, I have I think probably a very basic question so apologies if it should be apparent.

I’m working on a custom pack that will integrate with some tools that we use internally. I’d like st2 to interact with the tool’s API and pull data down from the tool in order to then perform other tasks on.

Firstly in order to use the API, you first must send a POST request with a username and password to authenticate to the API, then you receive a token to use in subsequent API calls.

I’m unsure how to handle that in my st2 instance: do I create an action for the authentication request and then another action for the subsequent API calls then chain them together, or use the token as a variable for the next API calls?

The tool I’m using is Tenable.sc (Nessus Security Centre). Perhaps there is another pack that does a similar thing that I could refer to modify for my needs.

Couple of options:

1/ Use a workflow as you described. Use core.http to make a request to get a token, use that token in subsequent steps

2/ Write a Tenable pack that includes that code to handle that token authentication. Easiest way is probably to build it on top of GitHub - tenable/pyTenable: Tenable API Library for Tenable.io and TenableSC, like many other packs do. That handles the authentication pieces for you, as well as simplifying action development in general.

3/ You might be able to use an API key instead - e.g. https://docs.tenable.com/cloud/Content/Settings/GenerateAPIKey.htm. Have not used this myself, but have done it with lots of other systems.

Thanks Lindsay for your response, it gives me some things to think of. Some follow up questions to your points.

  1. Could you point me in the direction of how to use the token from the response in subsequent requests? Happy to dig through the documentation, just not sure what I’m looking for.

  2. I probably will use pyTenable for the final product, I just want to test the manual way to solidify my understanding of how the platform works.

  3. I’d love to use API keys instead of authenticating to get a token, however we’re using Tenable.sc (not tenable.io) and I don’t think we can use API keys.

An additional follow up question, I’d like to not store the username and password in clear text within a script or action file, would I be correct in assuming that storing those ‘secrets’ into the datastore and then querying when needed would be the correct way to go?

Thanks.

You can refer to the auth documentation at Authentication — StackStorm 3.0.1 documentation. This page shows how to set the auth token into further requests.

Yes, you can set the username and password as encrypted in the datastore and then use those. Refer to Datastore — StackStorm 3.0.1 documentation to see how to store them as encrypted.

@jezk you’ll be looking for “workflows” in ST2 terminology.

Main docs start point is Workflows — StackStorm 3.0.1 documentation

There are options, but you’ll want to write your workflow using Orquesta.

This one here is an example showing running an action, and then using that value in the next step in the workflow st2/orquesta-data-flow.yaml at master · StackStorm/st2 · GitHub

You should double-check about using an API key with Tenable.sc. They probably support it, might just be a matter of rummaging around in docs.

@vijain is right about using Datastore for storing user/pass. Then you can refer to them with Jinja.
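The flow discussed in this thread (log in with core.http, publish the token, reuse it in the next step, with the credentials read from the encrypted datastore), as an added Orquesta workflow example that is not from any poster or from the StackStorm or Tenable projects. The URL paths, the token header name, the response shape and the datastore key names are placeholders and assumptions to replace from the API's documentation; only the workflow definition is shown, not the action metadata file.

```yaml
version: 1.0

description: Log in to an API, then reuse the returned token (added example).

input:
  - base_url                                  # e.g. https://sc.example.internal (constructed)
  - login_path: /PLACEHOLDER/login            # placeholder, take from the API docs
  - data_path: /PLACEHOLDER/resource          # placeholder, take from the API docs

vars:
  - token: null
  - data: null

tasks:
  login:
    # Credentials come from the datastore at run time, never from this file.
    # Assumed to be stored beforehand, the password with:
    #   st2 key set tenable_password <value> --encrypt
    action: core.http
    input:
      url: <% ctx().base_url + ctx().login_path %>
      method: POST
      verify_ssl_cert: true                   # keep TLS verification on for the login
      headers:
        Content-Type: application/json
      # to_json_string escapes quotes and backslashes inside the password.
      body: <% to_json_string(dict(username => st2kv('system.tenable_username'), password => st2kv('system.tenable_password', decrypt => true))) %>
    next:
      - when: <% succeeded() %>
        publish:
          # Assumed response shape: {"response": {"token": ...}}
          - token: <% result().body.response.token %>
        do: fetch_data

  fetch_data:
    action: core.http
    input:
      url: <% ctx().base_url + ctx().data_path %>
      method: GET
      verify_ssl_cert: true
      headers:
        X-Placeholder-Token: <% str(ctx().token) %>   # placeholder header name
    next:
      - when: <% succeeded() %>
        publish:
          - data: <% result().body %>

output:
  - data: <% ctx().data %>
```

The login step's result, token included, is kept in the execution record, so restrict who can view executions and prefer short-lived tokens.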

Your links are quite helpful, thanks.

Great, thanks for the suggestions. :+1: