Hello, we are currently running IIQ 8.3 soon to be upgraded to 8.4p2 and we want to know if it is possible to invoke/execute a bash script in a Task Server in IIQ from a Workflow?, our idea is to execute a bash script and send the parameters introduced by a user from IIQ’s Workflow.
Example: the user introduce a value such as “MyCustomText” in a form, then the workflow invoke a bash such as “processdata.sh MyCustomText”.
Thanks in advance,
Could you share more details about your use case?
Specifically, how you plan to process that value and how it will be used further.
I’m trying to understand whether this approach might be over-engineering a relatively simple need.
We have several custom connectors that include hardcoded variables such as API keys and secrets. These values need to be rotated and encrypted regularly. For example:
Custom_APIKEY=“API KEY”
Custom_Secret=“Custom Secret”
To enable administrators to update these values without modifying the code directly, we propose the following approach:
have you explored credential cycling in IIQ? are you using CyberArk or any other PAM solution to store these keys and secrets.
Thanks for your response Sunny,
We are implementing your suggested solution with another customer, but for this customer there is no PAM to work with.
So, I’m assuming the customer doesn’t have Entra, AWS Secrets Manager, or any other off-the-shelf secrets-management tool, which led you to choose this custom approach.
I’ve seen few posts on compass where people have ran PowerShell scripts from a rule or workflow—I’ll try to dig up a reference for you.
Another option: Assuming you are doing this via admin quick-link that launches a form (e.g., the admin picks a source/app, enters the new values), you could skip the external script altogether. Instead, call a rule from that workflow which takes those values and let the rule update the application configuration directly.
If you manage to get any reference for that it would be really helpful. We may have found a rule from within our proyect that could help us, so we will investigate this case
I would rather say that use the plugin to expose the API to modify these values . these API can be shared with app owners and they can leverage to update the secrets .
I’m interested in the ability to launch a bash script as well. Launching an scp script to upload a file to a server that you don’t have a share to would be a great option. While I know that you can use PowerShell that means I have to get the file to the IQService server.
Do you need to use a bash script to do that? Assuming you already know how IIQ is going to get the new secret, something like this would probably work (I typed this directly into this editor without testing, so it’ll need some modification first):
SailPointContext ctx = SailPointFactory.createPrivateContext();
String value = ctx.encrypt("yourNewSecret");
// Could probably just clone the Application object instead of using a file for this
String xml = Util.readFile(new File("/path/to/your/xml"));
XMLObjectFactory factory = XMLObjectFactory.getInstance();
Application app = (Application) factory.parseXml(ctx , xml, true);
Attributes attr = app.getAttributes();
MapUtil.put(attr, "passwordAttributeName", value);
ctx.saveObject(app);
ctx.commitTransaction();
SailPointFactory.releasePrivateContext(ctx);
If for some reason, you absolutely need to do this as a bash script instead, I imagine ProcessBuilder (Java SE 11 & JDK 11 ) would work.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.