I am a bit stuck on getting the information I need from the Python API. In some cases, there are going to be instances where the current version of a secret password is not what I want due to the timing of a password being changed. In this case, if the latest password fails, I want to be able to grab the previous version of the password. I have been told that this is done via the secrets version value. The problem, however, is I cannot ever get this value from the Python API because the returned resource_list is filtered down to just the id entry.
This in turn means that a call to get or get_many cannot return the information in the secrets value of the dictionary.
Is there a way in the Python API to get this full dictionary for each ID instead of just the limited list of IDs?
I’m thinking maybe I have to use the Python requests package directly but I’m struggling there as well. I can’t even get past authenticating with an API key. Always end up with 401s.
Thanks for reaching out!
If I am understanding correctly, you would like to get password metadata and the previous version value for a Conjur variable. What you will need to achieve this is not available in v.0.1.1 unfortunately but we are planning on releasing this capability in the upcoming months.
You are correct that the client.list() only filters down to a list of IDs but with the next release, list will be expanded to allow you to inspect your Conjur resources. This will allow you to get the metadata of a secret (when it was created, its owner and especially see how many versions of that secret there are). With this addition, you use inspect to fetch the versions and identify what the previous version number is that you require.
Once you have the version of the secret, you will be able to make a ‘get variable’ call passing in the version of the secret you require. For example client.get("somesecret", 4) will fetch the 4th value version of ‘somesecret’.
We just finished our work with VARIABLE which implements these changes but as mentioned previously haven’t released so stay tuned!
You can certainly use Python requests to directly send RESTs to Conjur. If you would like help there, feel free to forward me the errors you are getting and I would be happy to take a look. Let me know!
Thanks Sigal. I think for now I’m sticking with the conjur-client library and just going to watch the first case where the password gets rotated to see if we actually have major issues. The REST requests were erroring out with 404s when adding ?version=2 (as an example) for things that did have multiple versions. A colleague found that the versions in Conjur and CyberArk can actually differ so it probably explains the 404s.
I appreciate the confirmation that there isn’t a way to get the metadata right now.
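An added example, not code from this thread or from the conjur-client library: the request shapes for API-key authentication and a versioned secret read, plus the "try the latest, then the previous version" fallback discussed above. It assumes the standard Conjur REST routes (`/authn/...`, `/secrets/...`) and a resource record whose `secrets` list carries a `version` per entry; the host, account, IDs and sample data are constructed, and the HTTP call is replaced by a stand-in so the block runs offline.

```python
import base64
from urllib.parse import quote

def authn_url(base, account, login):
    # The login is a path segment, so "host/app1" must be sent as "host%2Fapp1".
    return f"{base}/authn/{account}/{quote(login, safe='')}/authenticate"

def auth_header(raw_token: bytes):
    # The token returned by /authenticate is sent back base64-encoded.
    encoded = base64.b64encode(raw_token).decode("ascii")
    return {"Authorization": f'Token token="{encoded}"'}

def secret_url(base, account, var_id, version=None):
    url = f"{base}/secrets/{account}/variable/{quote(var_id, safe='')}"
    return url if version is None else f"{url}?version={version}"

def versions_newest_first(resource):
    # One entry per stored version in the resource record's "secrets" list.
    return sorted((s["version"] for s in resource.get("secrets", [])), reverse=True)

def first_working_secret(resource, fetch, works, max_back=1):
    """Try the latest version, then up to max_back older ones.
    fetch(version) -> (http_status, value); works(value) -> bool."""
    for version in versions_newest_first(resource)[: max_back + 1]:
        status, value = fetch(version)
        if status == 200 and works(value):  # a 404 version is skipped
            return version, value
    return None  # caller decides what to do; never log the values tried

# Constructed sample data (not from a real Conjur instance).
SAMPLE_RESOURCE = {"id": "myorg:variable:prod/db/password",
                   "secrets": [{"version": 1}, {"version": 2}, {"version": 3}]}
SAMPLE_STORE = {1: "ancient-pw", 2: "old-pw", 3: "new-pw"}

def sample_fetch(version):
    # Stand-in for requests.get(secret_url(...), headers=auth_header(token)).
    value = SAMPLE_STORE.get(version)
    return (200, value) if value is not None else (404, None)

if __name__ == "__main__":
    print(authn_url("https://conjur.example", "myorg", "host/app1"))
    print(secret_url("https://conjur.example", "myorg", "prod/db/password", 2))
    # The target system still accepts only the previous password:
    hit = first_working_secret(SAMPLE_RESOURCE, sample_fetch, lambda pw: pw == "old-pw")
    print("usable version:", hit[0] if hit else None)
```

The `works` callback is where the real login attempt against the target system goes; keep `max_back` small so a failed rotation does not turn into a walk through every historical password.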