Software Development Kit for DevSecOps - Python
Once a PAM360 user in an organization is provided with the SDK access and a registered token, they can further proceed in using the SDK by registering the relevant PAM360 SDK in their application/services. To do so, follow the below documentation.
1. Python SDK Prerequisites
- Python SDK requires Python application of version 3.12 or higher.
- Unzip the downloaded Python SDK zip file and use the following command to install the Python SDK package: pip install
<sdk-folder-path>
Notes:
Once you are granted SDK access in PAM360, an email containing the authentication token and a link to download the Python SDK will be sent to your registered email address.
Alternatively, you can reach out to your administrator for the Python SDK file. - If the PAM360 web server uses a self-signed certificate, download and deploy it in the desired system directory and update the respective certificate path while creating the service configurations.
2. Registering a Python Application with PAM360
Before you start developing your Python application, it is essential to configure and establish a connection between the PAM360 server and the Python SDK. This process involves certain steps to register your application and enable it to utilize PAM360 functionalities.
You can use the following sample code, which involves the ClientRegistrationManager and ServiceConfiguration objects, to perform the registration of your Python application with the PAM360 server. This registration ensures that your application is recognized within the PAM360 interface, allowing you to access data from the PAM360 repository through available API methods. Remember, this registration is a one-time operation on the machine where you're using the PAM360 SDK.
import logging from src.com.manageengine.pam360.sdk.services.registration_utility import ClientRegistrationManager from src.com.manageengine.pam360.sdk.services.service_configuration import ServiceConfiguration app_logger = logging.getLogger(__name__) # Configuration Steps sdk_registration_token = "#######-####-####-####-############" host_name = "CH-TEN-53D07" port_no = 8282 certificate_path = "D:\2024\Python\Secure Vault\SDK" # SSL Certificate file Path in .pem format service_config = ServiceConfiguration(host_name, port_no, certificate_path) # Registration Steps try: sdk_client_name = "Sample Python Application Name" registration_manager = ClientRegistrationManager(service_config) registration_manager.register(sdk_registration_token, sdk_client_name) except SDKRegistrationError as ex: app_logger.error(ex)
- sdk_registration_token - Unique identifier associated with a SDK policy received via an email or from administrator.
- host_name - Specific host from where the PAM360 application operates.
- port_no - Port number for the communication with the PAM360 server.
Upon running this code, your Python application will be registered with the PAM360 server, enabling it to interact with PAM360 functionalities via API calls.
2.1 How Does the User Registration Work?
Executing the provided sample code with the designated ClientRegistrationManager and ServiceConfiguration SDK Python objects will result in the registration of the Python application with the PAM360 application. Following registration, an SDK config file will be generated and stored in a folder named sdk_config.
Notes: Make sure to securely store the generated config file. This config file serves as the primary authentication method between the Python application and PAM360 when making API calls from the Python application.
Upon successful completion, the registered application utilizing the deployed PAM360 SDK will be visible in the PAM360 web interface. Details such as Policy Name, Application Type, Accessed Information, and audit logs of actions performed within the application relevant to PAM360 will be accessible. Administrators retain the capability to monitor the specifics of SDK-deployed applications directly from the PAM360 interface.
3. Invoking a PAM360 API via SDK Deployed Application
Below is a sample code for initializing an API via PAM360 SDK from the Python application/services.
E.g., To Fetch a Password of an Account
import logging from com.manageengine.pam360.sdk.exception.pam_exception import SDKError from com.manageengine.pam360.sdk.services.pam_service import PAMService from com.manageengine.pam360.sdk.services.service_configuration import ServiceConfiguration app_logger = logging.getLogger(__name__) try: pam_host_name = "CHEST11F-H07" pam_server_port = 8282 config = ServiceConfiguration( host=pam_host_name, port=pam_server_port, certificate_path=r"path\to\certificate.pem" # Provide the certificate path while using a self-signed certificate for the PAM360 web server ) user_api_token = "########-####-####-####-############" # PAMService is the entry point to all entities service = PAMService(service_config=config, user_token=user_api_token, org_name="Client Organisation") # Entity is the entry point to all entity-related operations # In this case, Password Entity password_entity = service.get_password_instance() # Get Password of an Account under a Resource resource = "ad-services2k19" account = "sysadmin" password = password_entity.get_password_account(resource_name=resource, account_name=account) print(f"Password of {account} Account under {resource} Resource is {password}") except SDKError as ex: app_logger.error(ex)
Refer to this help documentation for the remaining SDK-supported API sample codes. You can also refer to this Python Documentation to learn about the available classes, objects, and functions.
4. Python SDK Best Practices
Virtual Environments - It is recommended to use virtual environments in Python while creating an application. This is for isolating dependencies, simplifying management, ensuring reproducibility, providing sandboxing for testing, enhancing security, and facilitating easy cleanup, making them a best practice for application development, especially when incorporating SDK packages.
SDK Logs - The PAMSDKLogger is responsible for logging all internal errors and activities within the PAM360 SDK. This class records any internal errors that occur within an entity, registration, etc. By default, logs related to the SDK are saved in a folder named sdk_logs within the deployed Python application of the PAM360 SDK. However, for security purposes, you have the option to specify an absolute file path in a preferred directory using the below steps while invoking an API. This is a one-time process; once defined, the same path will be used for logs in the subsequent API calls.
from com.manageengine.pam360.sdk.services.pam_sdk_logger import PAMSDKLogger
PAMSDKLogger.set_log_file_path(r"D:\2024\Python\Secure Vault\SDK")
SDK Config -The config file value serves as the primary authentication mechanism between the Python application and PAM360 when making API calls. By default, during application registration, the config file is stored in a folder named sdk_config within the Python application. Yet, for security considerations, you can define a desired path in a preferred directory using the below steps while invoking an API. This allows you to store the SDK config file in a location of your choice.
from com.manageengine.pam360.sdk.services.service_configuration import ServiceConfiguration
config = ServiceConfiguration(
host=pam_host_name,
port=pam_server_port,
certificate_path=r"path\to\certificate.pem"
config_folder_path=r"D:\2024\Python\Secure Vault\SDK"
}