Closed citnadxela closed 5 years ago
The API Key is only transmitted to Okta through an established SSL session so it isn't open to the public in transit.
If you are concerned about the API Key at rest (stored in the config) I would highly recommend you ensure the host computer is trusted, the permissions of the file and access to the computer are known and take careful measures to protect the config file.
At the end of the day the API Key is a secret, much like that of a password and should be treated as such.
There is a routine in the module that you can use to encrypt the API Key and store it in the config file as a secure string. This provides some level of protection, but anyone with access to the system would also have access to the encryption key, so the process of decrypting the string is trivial.
Convert API Key to SecureString
PS > oktaConverttoSecureString -insecureString YourAPIKeyHere
<LongSecureStringasOutput>
Update Config File
Take the output from that command and use it to update your Okta_org.ps1 file, remove the secToken property and associated API Key value. Add an encToken property and set the value as the long protected string you received above.
Example
[Hashtable]$oktaOrgs = @{
    prod1 = [Hashtable]@{
        baseUrl = [String]"https://yourdomain.okta.com"
        # Output of oktaConverttoSecureString; replaces the secToken property
        encToken = [String]"yourSecureString"
        enablePagination = [boolean]$true
        pageSize = [int]500
    }
}
Hopefully this helps to address the question.
-Matt
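The file-permission advice in the reply above can be applied with a short script. This is an added example, not code from the module or from the thread; the default path and the choice of allowed principals (the account running the script, which is assumed to be the one that loads the Okta module, plus SYSTEM) are assumptions.

```powershell
param(
    # Assumed path; point this at your own Okta_org.ps1.
    [string]$ConfigPath = '.\Okta_org.ps1'
)
$ConfigPath = (Resolve-Path -LiteralPath $ConfigPath).Path

# Flag a plaintext key that was left behind after switching to encToken.
if (Select-String -LiteralPath $ConfigPath -Pattern '\bsecToken\b' -Quiet) {
    Write-Warning "secToken is still present in $ConfigPath; remove it once encToken is set."
}

# Principals allowed on the file (assumption): the current user and SYSTEM.
$sidType = [System.Security.Principal.SecurityIdentifier]
$allowed = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $sidType::new('S-1-5-18')
)

# Rebuild the ACL: stop inheriting from the folder, drop existing entries,
# then grant access only to the allowed principals.
$acl = Get-Acl -LiteralPath $ConfigPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($sid in $allowed) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $ConfigPath -AclObject $acl

# Re-read the ACL and report any principal that is not on the allow list.
$unexpected = (Get-Acl -LiteralPath $ConfigPath).Access | Where-Object {
    $_.IdentityReference.Translate($sidType).Value -notin $allowed.Value
}
if ($unexpected) {
    Write-Warning 'Unexpected principals still have access:'
    $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType
} else {
    "ACL on $ConfigPath is limited to: $($allowed.Value -join ', ')"
}
```

Local administrators can still take ownership of the file, so this narrows who can read the config but does not replace trusting the host.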
Tested this. Everything seems to be working fine. However, is there any way the API key can be concealed in the script so that it's not open to the public?