Fetching Credentials

As seen here, it is possible to integrate with 3rd party credential vaults for Demisto to use when authenticating with integrations. This article provides an example of such an integration.

Requirements

In order to fetch credentials to the Demisto credentials store, the integration needs to be able to retrieve credential objects in the format of a username and password (key:value).

Implementation

isFetchCredentials Parameter

For this example we are going to look at the HashiCorp Vault integration. The first thing you need to do is add a boolean parameter with the name isFetchCredentials (you can give it a different display name). When this parameter is set to true, Demisto will fetch credentials from the integration.

fetch-credentials Command

When Demisto tries to fetch credentials from the integrations, it will call a command called fetch-credentials. This is where you should implement the credentials retrieving logic:

if demisto.command() == 'fetch-credentials':
    fetch_credentials()

Creating credentials objects

In the fetch_credentials function, you should retrieve the credentials from the vault and create new JSON objects in the format:

{
    "user": "username",
    "password": "password",
    "name": "name"
}

In the end you should have a credentials list that contains the above objects.

When you're done creating the credentials objects, send them to the credentials store by using: demisto.credentials(credentials).

Runtime

When an integration instance is configured with credentials from a vault, each time credentials are needed Demisto will query the vault integration with an identifier for the relevant integration as an argument to the fetch-credentials command (accessible via the args object). The identifier reflects the name property of the credentials object. It is important to use it to return only one set of credentials for the relevant integration, because in this case, if multiple credential sets are returned, the process will fail and an error will be thrown.
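The object format and the runtime lookup described above, as an added example that is not code from Demisto or from the HashiCorp Vault integration. The names build_credentials, FakeDemisto and SAMPLE_SECRETS, the vault field names, the "identifier" argument key and the choice to return an empty list when nothing matches are assumptions made for illustration.

```python
import json

# Constructed sample standing in for secrets already read from the vault.
SAMPLE_SECRETS = [
    {"name": "jira-prod", "username": "svc_jira", "password": "example-pass-1"},
    {"name": "splunk-prod", "username": "svc_splunk", "password": "example-pass-2"},
    {"name": "api-token", "token": "not-a-user-password-pair"},
]


class FakeDemisto:
    """Offline stand-in for the `demisto` object (hypothetical helper)."""

    def __init__(self, args=None):
        self._args, self.sent = args or {}, None

    def args(self):
        return self._args

    def credentials(self, credentials):
        self.sent = credentials


def build_credentials(secrets, identifier=None):
    """Convert vault secrets to credentials objects, honouring `identifier`."""
    creds = [
        {"user": s["username"], "password": s["password"], "name": s["name"]}
        for s in secrets
        if s.get("name") and s.get("username") and s.get("password")
    ]
    if not identifier:
        return creds  # no identifier: return the whole list
    # Runtime lookup: the identifier reflects the "name" property.
    matches = [c for c in creds if c["name"] == identifier]
    if len(matches) > 1:
        # Fail with a clear message; never put the passwords in the error.
        raise ValueError(f"{len(matches)} credential sets named {identifier!r}")
    return matches


def fetch_credentials(demisto, secrets):
    # Assumption: the argument key is "identifier", read through demisto.args().
    identifier = demisto.args().get("identifier")
    credentials = build_credentials(secrets, identifier)
    json.dumps(credentials)  # raises TypeError if the list is not valid JSON
    demisto.credentials(credentials)
    return credentials
```

In a real integration the `demisto` object is provided by the platform and `secrets` comes from the vault API; the duplicate-name check raises before anything reaches the credentials store.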

Result

If everything went well you should be able to see the credentials in the Demisto credentials store.

Note that these credentials cannot be edited or deleted; they reflect what's in the vault. You can stop fetching credentials by unticking the Fetch Credentials checkbox in the integration settings.

Troubleshooting

In case of an error during the process, you can debug your code by adding a test command that calls the fetch_credentials function. Make sure you send a credentials list in the right format and as valid JSON.
