Secure PAT Client Secret for use in script

I’m working with a customer to try to schedule PowerShell Scripts to run on a periodic basis and hoping to use the PowerShell SDK. The customer has asked how the Client Secret is stored as they need to ensure that it is secure.
I did a bit of digging and can’t find information about how / where the information is stored and I can’t find the information stored on my own machine to verify whether it is encrypted.
Any pointers here would be greatly appreciated.

Also, if there are other mechanisms that people have used to secure the client secret to be used for external scripts, that would be very helpful too.

If you are using SailPoint to CLI to configure then you should be able to find the configuration file in C:\Users\<User Name>\.sailpoint\config.yaml

Command:- sail sdk init config --env devrel
2024/03/01 20:39:43 INFO config file created path=C:\Users\Administrator/config.json

Hi @KevinHarrington,

2 methods for storing credentials securely come to mind:

  • Using environment variables for a specific user
    Storing the value in a user environment variable only for that user account to run the PowerShell script. Make sure to protect these variables.
    The value can be accessed in PowerShell:
    $clientSecret = $env:CLIENT_SECRET

  • Using Windows Credential Manager
    This seems like a solid solution as well. I found a great article that highlights its functionality.

    To get started, you can create a credential with the following command:

    New-StoredCredential -Target "YourTarget" -UserName "YourUsername" -Password $securePassword
    

    To get the values from your stored credential:

    $credentials = Get-StoredCredential -Target "YourTarget"
    

Hope this helps!

2 Likes

The CLI method and the environment variable methods above both store the credentials in plain text, which is unacceptable in this instance.

The PowerShell Module includes a Save-IdentityNowConfiguration command which the documentation says: “Saves default IdentityNow configuration to a file in the current users Profile.”

I can’t find where that is saved. Does anybody know where that is or if that is encrypted?

Hi Kevin,
Does it include Get-IdentityNowConfigurationPath command? It might give you the exact path where the configuration file is saved for your environment.

There is no “Get-IdentityNowConfigurationPath” command.

Windows credential manager is the best option for securing your keys. The CLI and SDK don’t support credential manager directly, but there may be a way to use credential manager with the SDK today. I don’t know enough about PowerShell to figure out how to do it though.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.