Conceal API key used in PowerShell script

powershell

#1

Currently using Gabriel Sroka’s Okta PowerShell module:

Everything is working fine. I’ve incorporated it into an existing PowerShell script I have. In the script, the Okta portion looks like this:

Import-Module OktaAPI
Connect-Okta "MY_API_KEY" "https://my-org.okta.com"
$user = Read-Host "User"   # the colleague running the script enters the user info here

Disable-OktaUser $user

This successfully deactivates the user in Okta (which I want it to do). The PowerShell script exists on a server that different colleagues can & have to run it from. The only issue is, the API key is open to anyone that opens the script. Is there a recommended way so that anyone can run the script, but the API key is concealed?


#2

Do those people have root access to the machine? If so, it will be impossible to prevent them from finding the API key.

It’s common to store things like API keys in environment variables, so you could do this in PowerShell:

$Env:OKTA_API_KEY = "foobar..."

Connect-Okta $Env:OKTA_API_KEY "https://my-org.okta.com"

That keeps the API key out of the script, which is important if you ever share the script itself. But anyone with access to the machine could do echo $Env:OKTA_API_KEY to see it.


#3

Yes, the people have root access to the machine. They can log in with the highest privileges. So in short, am I out of luck in completely concealing the API key? & if so, there’s no other workaround for what I’m trying to accomplish with this? Let me know. Thanks.


#4

Whoever has root access to the machine will be able to see the key. You could use a tool like Hashicorp Vault to securely store it somewhere else, but even in that case, retrieving it to make the PowerShell call will reveal it in plaintext.

To completely keep it concealed, you need to build a different way to execute the command that runs only on a machine you control. For example, you could:

  • Create an automated task (Slack bot, Jenkins task) that accepts the user ID and calls Okta
  • Build a small web app that accepts the user ID and calls Okta (you could use one of our SDKs)

The machine that runs the task (or hosts the web app) can store the API key in environment variables as long as only people you trust have access to the machine.
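A sketch of the broker described in #4, added here as an example and not code from the thread or from Okta's SDKs: the key exists only in the broker host's environment, the colleague supplies just a user id or login, and the reply never echoes the key. It assumes Okta's documented `POST /api/v1/users/{id}/lifecycle/deactivate` endpoint and `SSWS` authorization header; the org URL, `FakeOkta` and the sample id are constructed for offline use, and the web or Slack front end that would call `deactivate()` is left out.

```python
import os
import re
import urllib.parse
import urllib.request

OKTA_ORG = "https://my-org.okta.com"  # placeholder org URL, constructed for the example
# Accept an Okta user id or login and nothing else, so a caller cannot steer the path elsewhere.
USER_RE = re.compile(r"^[A-Za-z0-9@._+-]{1,100}$")


def build_deactivate_request(user: str, api_key: str) -> urllib.request.Request:
    """Okta's deactivate call; the SSWS key is only ever handled on the broker host."""
    if not USER_RE.fullmatch(user):
        raise ValueError("invalid user id or login")
    url = f"{OKTA_ORG}/api/v1/users/{urllib.parse.quote(user, safe='')}/lifecycle/deactivate"
    return urllib.request.Request(
        url, method="POST",
        headers={"Authorization": f"SSWS {api_key}", "Accept": "application/json"},
    )


def deactivate(user: str, send=urllib.request.urlopen, env=None) -> dict:
    """What the colleague gets back: an outcome only, never the key or raw headers."""
    env = os.environ if env is None else env
    api_key = env.get("OKTA_API_KEY")  # set only on the broker host, never on the shared server
    if not api_key:
        return {"ok": False, "error": "broker is not configured"}
    try:
        req = build_deactivate_request(user, api_key)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    with send(req) as resp:
        return {"ok": resp.status == 200, "status": resp.status}


class FakeOkta:
    """Constructed stand-in for urlopen so the exchange can be exercised offline."""
    def __init__(self):
        self.requests = []
    def __call__(self, req):
        self.requests.append(req)
        return self
    def __enter__(self):
        self.status = 200  # Okta answers 200 with an empty body on success
        return self
    def __exit__(self, *exc):
        return False


if __name__ == "__main__":
    fake = FakeOkta()
    print(deactivate("00u1abcd2EFGhIJkl3m4", send=fake, env={"OKTA_API_KEY": "constructed-key"}))
```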