CiscoDevNet / intersight-powershell

Cisco Intersight PowerShell
Apache License 2.0

ApiKeyFilePath Option(s) for Authentication (feature request) #131

Closed ivacuna closed 11 months ago

ivacuna commented 11 months ago

Hello,

This is a feature request, not a bug. For authentication, we must specify a file path (i.e. C:\documents\secretkey.txt) for the ApiKeyFilePath parameter. It would be nice if we also had the option to pass the contents of the key file itself (i.e. secretkey.txt contents) as a valid parameter.

We use CyberArk Personal Privileged Account (PPA) safes to store user API IDs and API certificate contents and can retrieve both as PSObject properties. Passing the API ID object property into ApiKeyID works fine, but passing the API certificate contents into ApiKeyFilePath will not work since a file path is required.

With this option, when a user authenticates to Intersight, they can retrieve the API ID and certificate from CyberArk and pass those into Set-IntersightConfiguration. The benefit is that the user does not need to remember the API ID or store the certificate file on a local/remote machine.

Thank you,

vvb commented 11 months ago

This already exists; there is a way to do this via Set-IntersightConfiguration. You can use ApiKeyPassPhrase instead. Feel free to reopen this issue if this is not what you were looking for.

ivacuna commented 11 months ago

Thanks, I was unaware of ApiKeyPassPhrase. However, since the ApiKeyFilePath parameter is set to "Required? True", we would always be prompted for a file path, which would still be a problem.

ivacuna commented 11 months ago

I'm not seeing an option to re-open this ticket. Please re-open it, thanks.

ivacuna commented 11 months ago

[image]

vvb commented 11 months ago

What version of the intersight-powershell module are you using? You would need 1.0.11-13010 or later.

ivacuna commented 11 months ago

We are running 1.0.11.11765. Does ApiKeyFilePath become a non-mandatory parameter in a later version? If so, which? A few months back, we tried updating to 1.0.11.13515, but ran into some unrelated bugs with that version. I can try your latest 1.0.11.14628 and report back.

vvb commented 11 months ago

Yes, try the latest version and it would work. Comment here again if you see issues. Closing this issue for now.

ivacuna commented 11 months ago

I downloaded the latest version, 1.0.11.14628, and the ApiKeyFilePath is still a required parameter for authentication. So unfortunately what you're saying is wrong. And you closed this ticket with no option to re-open, so I am forced to create another issue to have this issue reopened.

This is the second time you closed this issue without waiting for user input and validation that the solution you're providing actually works.

vvb commented 11 months ago

Sorry about that, reopened the issue again.

vvb commented 11 months ago

@ivacuna Can you share a secret/key redacted version of your invocation of Set-IntersightConfiguration?

Ghufz commented 11 months ago

There is a parameter named "ApiKeyString" which accepts a string; you can pass the API key file content into it.

```powershell
# For example, here I am reading it from a file; you can fetch it from another source and pass it as a string
$ApiKeyString = Get-Content -Path "<file/path>" -Raw

$config = @{
    BasePath             = "https://Intersight.com"
    ApiKeyId             = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ApiKeyString         = $ApiKeyString
    HttpSigningHeader    = @("(request-target)", "Host", "Date", "Digest")
    SkipCertificateCheck = $true  # disables TLS certificate validation for the connection
}

Set-IntersightConfiguration @config
```

Please try with the above configuration.

ivacuna commented 11 months ago

Hi Ghufran,

Thanks, I was unaware of ApiKeyString. I just tried using that and the cmdlet errors out with "key file path does not exist." See the snippet below (which is using a fake API ID/key string).

```
PS C:\Users\user> $onprem

Name                           Value
----                           -----
BasePath                       https://intersight.domain.com
ApiKeyId                       532490497564612d3019861d/657079886756461301el141c2/657078b5756461301da141e5
ApiKeyString                   -----BEGIN EC PRIVATE KEY----- MIGLAgEAMBMGByqHSM49AgEGCCqGSM49AwEHBG0wawIBAQQgi6UY0F39ZFmw26R0 LBw4nB+B3zPECX8ucGDPV6kSAh+hRANCAAR/3JUZf6xBenbGXmE4oDgByARZe6up sibUcIBJxUoS6OMhNxLrKFDFQp33PJkS0uzan5yW…
HttpSigningHeader              {(request-target), Host, Date, Digest}
SkipCertificateCheck           True

PS C:\Users\user> Set-IntersightConfiguration @onprem
Set-IntersightConfiguration: key file path does not exist.
```

It seems like the cmdlet still wants a key file path? Looking at the source code, ApiKeyFilePath is set to Mandatory = true. I am using the latest version, 1.0.11.14628. Should we just modify on our end to set Mandatory = false?

I'll add that my ApiKeyString input is valid because if I change it to an invalid string, I get a different error, "The key file path does not exist or key is invalid or key is not supported".

vvb commented 11 months ago

@ivacuna - I tried with both v2 and v3 keys using the ApiKeyString. I do see an issue specific to using an ECDSA key. I get an error - Set-IntersightConfiguration: key file path does not exist. The RSA (v2 key) works for me. Could you also help confirm that RSA (v2 key) works for you using the ApiKeyString method?

We will look into the fix for the ECDSA key usage.

ivacuna commented 11 months ago

Hi Vikrant,

Using the RSA (v2) key with ApiKeyString parameter works for our purposes. Thanks for the assistance!

Ivan

vvb commented 11 months ago

Thanks @ivacuna for confirming it. I have submitted https://github.com/CiscoDevNet/intersight-powershell/issues/133 to track the issue with the ECDSA key.
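
An added example, not part of the original thread or the module's own code: it builds the splat from a vault-returned object without touching disk, flags EC keys (which the thread reports failing with ApiKeyString in 1.0.11.14628), and produces a redacted copy of the invocation that is safe to paste into an issue. The helper function names and the `$Secret` property names are assumptions.

```powershell
# Added example: helper names are hypothetical; only Set-IntersightConfiguration and the
# BasePath / ApiKeyId / ApiKeyString / HttpSigningHeader parameters come from the thread.
function Get-PemKeyLabel {
    # Returns the label from the PEM header, e.g. 'RSA PRIVATE KEY' or 'EC PRIVATE KEY'.
    param([Parameter(Mandatory)][string]$Pem)
    if ($Pem -match '-----BEGIN ([A-Z ]*PRIVATE KEY)-----') { return $Matches[1] }
    throw 'Input does not look like a PEM private key.'
}

function New-IntersightConfig {
    # $Secret is assumed to be the PSObject returned by the vault, exposing
    # ApiKeyId and ApiKeyString properties (the property names are an assumption).
    param(
        [Parameter(Mandatory)][psobject]$Secret,
        [Parameter(Mandatory)][string]$BasePath
    )
    $label = Get-PemKeyLabel -Pem $Secret.ApiKeyString
    if ($label -eq 'EC PRIVATE KEY') {
        Write-Warning 'EC key: the thread reports ApiKeyString failing for ECDSA keys in 1.0.11.14628.'
    }
    @{
        BasePath          = $BasePath
        ApiKeyId          = $Secret.ApiKeyId
        ApiKeyString      = $Secret.ApiKeyString
        HttpSigningHeader = @('(request-target)', 'Host', 'Date', 'Digest')
        # SkipCertificateCheck is left out so TLS certificate validation stays on.
    }
}

function Get-RedactedConfig {
    # Shallow copy of the splat hashtable with the credential fields masked.
    param([Parameter(Mandatory)][hashtable]$Config)
    $copy  = $Config.Clone()
    $label = Get-PemKeyLabel -Pem $Config.ApiKeyString
    $copy.ApiKeyString = '<redacted: {0}, {1} chars>' -f $label, $Config.ApiKeyString.Length
    $copy.ApiKeyId     = '<redacted>'
    $copy
}

# Constructed sample standing in for the vault lookup; not a real key or ID.
$secret = [pscustomobject]@{
    ApiKeyId     = 'constructed-id'
    ApiKeyString = "-----BEGIN RSA PRIVATE KEY-----`nAAAA`n-----END RSA PRIVATE KEY-----"
}
$config = New-IntersightConfig -Secret $secret -BasePath 'https://intersight.example.com'
Get-RedactedConfig $config              # share this output, never $config itself
# Set-IntersightConfiguration @config   # run with the real key retrieved from the vault
```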