Python

This article provides a small example of a Python script calling the PAM REST API.

The example accesses the PAM REST API to retrieve current user information and the XSRF REST API token.

Then the example demonstrates the functions to access secret data of a specified record and to create a new record in the specified folder.

The article also contains an example of accessing the PAM REST API using an API authentication token.


In addition to this detailed guide, you can also view the list of other functions you can call using the REST API by navigating to Administration > Settings > Application Nodes > API Documentation.

Looking for REST API examples using other scripts? Click PowerShell examples, Shell examples or VBScript examples for additional information.

Below is the script demonstrating how to access a record's secret data and how to create a new record. Details of the API calls are outlined in the comments.

Note the use of the XSRF token to call data modification functions. The script is intended to illustrate details of the protocol. As a result, it does not handle network errors, leaving that to the implementation.

# ------------------------------------------------------------------------------------
# PAM REST API access script example for Python
# 
# The script will demonstrate the following functions 
#    * to access secret fields of the existing record
#    * to create a new record
# ------------------------------------------------------------------------------------

import requests
import json
from http.cookies import SimpleCookie

# ------------------------------------------------------------------------------------
# Script parameters define PAM objects used in the script
# ------------------------------------------------------------------------------------

# Authentication parameters
url = 'https://pam.company.com/xtam' # PAM REST API URL
login = 'pam_login'
password = 'pam_password'

# XTAM Object IDs and names used in the script
rid = 'i-2qhyGh2UB0V' # Record ID to retrieve
fid = 'i-2Zh30SUCq7c' # Folder ID to create a new record in
tid = 'i-83XfwpNvCHy' # Record Type ID for the new record creation
recordName = 'New Record' # Name for the new record
recordDescription = 'New record description' # Description of the new record
recordCustom = '{"Host":"host", "Port":24, "User":"user", "Password":"password"}' # Custom data for the new record

# ------------------------------------------------------------------------------------
# Call to /user/whoami function returns current user data.
# In addition, this call returns a REST API token for cross-site request forgery (XSRF) protection.
# ------------------------------------------------------------------------------------
r = requests.get(url + '/rest/user/whoami', auth=(login, password))
user = r.json()

# Print user information retrieved from the PAM server
print('Hello ' + user['firstName'] + ' ' + user['lastName'])

# Read the XSRF-TOKEN cookie (cross-site request forgery protection) and save its value in the xsrf variable
cookie = SimpleCookie()
cookie.load(r.headers['Set-Cookie'])
xsrf = cookie['XSRF-TOKEN'].value
#print(xsrf)

# ------------------------------------------------------------------------------------
# Example call /record/unlock to retrieve secret data of a record
# ------------------------------------------------------------------------------------
r = requests.get(url + '/rest/record/unlock/' + rid, auth=(login, password))
record = r.json()
custom = json.loads(record['custom'])
print('{0}: {1} ({2}/{3})'.format(record['name'], custom['Host'], custom['User'], custom['Password']))

# ------------------------------------------------------------------------------------
# Example call to /record/new to create a new record
# Note that calls that modify PAM data must include REST API token
# ------------------------------------------------------------------------------------
resp = requests.post(url + '/rest/record/new/' + fid + '/' + tid,
   data={'name':recordName,'description':recordDescription, 'custom':recordCustom},
   headers={'Content-Type':'application/x-www-form-urlencoded', 'Accept':'application/json', 'X-XSRF-TOKEN':xsrf},
   auth=(login, password))
   
print(resp)

# ------------------------------------------------------------------------------------
# Example call to /folder/create to create a new folder to demonstrate json payload
# Note that calls that modify PAM data must include REST API token
# ------------------------------------------------------------------------------------
resp = requests.post(url + '/rest/folder/create/' + fid, 
    json={'name':'Py Folder','description':'Py Description'}, 
    headers={'Content-Type':'application/json', 'Accept':'application/json', 'X-XSRF-TOKEN':xsrf}, 
    auth=(login, password))

print(resp.text)

 

The next example demonstrates the technique of connecting to PAM REST API using API authentication tokens. As before, details of the script use are outlined in the comments.

 

# ------------------------------------------------------------------------------------
# PAM REST API access script example for Python
# 
# The script will demonstrate API access using API tokens
# ------------------------------------------------------------------------------------

import requests
import json
from http.cookies import SimpleCookie

# ------------------------------------------------------------------------------------
# Script parameters define PAM objects used in the script
# ------------------------------------------------------------------------------------

# Authentication parameters
url = 'https://pam.company.com/xtam' # PAM URL
cas = 'https://pam.company.com/cas' # PAM Federated Sign-In URL
token = 'yourPAMtoken' # PAM Token

# ------------------------------------------------------------------------------------
# Authentication using the token
# ------------------------------------------------------------------------------------
# Exchange the REST API token for a service ticket in the Federated Sign-In Service.
# Note that a service ticket is short-lived, so it should be quickly exchanged for a more permanent session cookie.
# Also note that redirects are disabled to catch the service ticket in the Location header.
r = requests.get('{0}/login?service={1}/'.format(cas,url), headers={'token':token}, allow_redirects=False)
location = r.headers['Location']

# Exchange service ticket for a session cookie in PAM.
# Save the session cookie to use in consecutive calls
r = requests.get(location, allow_redirects=False)
jar = r.cookies

# ------------------------------------------------------------------------------------
# Call to /user/whoami function returns current user data.
# In addition, this call returns a REST API token for cross-site request forgery (XSRF) protection.
# ------------------------------------------------------------------------------------
# Note the use of cookies parameter replacing auth parameter used for basic authentication
r = requests.get(url + '/rest/user/whoami', cookies=jar)
user = r.json()

# Print user information retrieved from the PAM server
print('Hello ' + user['firstName'] + ' ' + user['lastName'])

# Read the XSRF-TOKEN cookie (cross-site request forgery protection) and save its value in the xsrf variable
cookie = SimpleCookie()
cookie.load(r.headers['Set-Cookie'])
xsrf = cookie['XSRF-TOKEN'].value
print('XSRF Token: ' + xsrf)

 

Our next example demonstrates the technique of connecting to the PAM REST API using a user name and password when logging in to a PAM server with the Federated Sign-In (CAS) component enabled.

As before, details of the script use are outlined in the comments.

# ------------------------------------------------------------------------------------
# PAM REST API access script example for Python
# 
# The script will demonstrate API access using user and password with Federated Sign-In (CAS)
# ------------------------------------------------------------------------------------

import requests
import json
from http.cookies import SimpleCookie

# ------------------------------------------------------------------------------------
# Script parameters define PAM objects used in the script
# ------------------------------------------------------------------------------------

# Authentication parameters
url = 'https://pam.company.com/xtam' # PAM URL
cas = 'https://pam.company.com/cas' # PAM Federated Sign-In URL
username = 'PAM-user-name' # PAM Account
password = 'PAM-user-password' # PAM Account Password

# ------------------------------------------------------------------------------------
# Authentication using user / password for Federated Sign-In component
# ------------------------------------------------------------------------------------
# Get a ticket granting ticket (TGT) from user and password.
# Note that a TGT is short-lived, so it should be quickly exchanged for a more permanent session cookie.
# Also note that redirects are disabled to catch the TGT URL in the Location header.
r = requests.post('{0}/v1/tickets'.format(cas), data={'username':username,'password':password}, headers={'Content-Type':'application/x-www-form-urlencoded'}, allow_redirects=False)
location = r.headers['Location']

# Get a service ticket (ST) from the TGT.
r = requests.post(location, data={'service':'{0}/'.format(url)}, allow_redirects=False)
st=r.text

# Exchange service ticket for a session cookie in PAM.
# Save the session cookie to use in consecutive calls
r = requests.get('{0}/?ticket={1}'.format(url,st),allow_redirects=False)
jar = r.cookies

# ------------------------------------------------------------------------------------
# Call to /user/whoami function returns current user data.
# In addition, this call returns a REST API token for cross-site request forgery (XSRF) protection.
# ------------------------------------------------------------------------------------
# Note the use of cookies parameter replacing auth parameter used for basic authentication
r = requests.get(url + '/rest/user/whoami', cookies=jar)
user = r.json()

# Print user information retrieved from the PAM server
print('Hello ' + user['firstName'] + ' ' + user['lastName'])

# Read the XSRF-TOKEN cookie (cross-site request forgery protection) and save its value in the xsrf variable
cookie = SimpleCookie()
cookie.load(r.headers['Set-Cookie'])
xsrf = cookie['XSRF-TOKEN'].value
print('XSRF Token: ' + xsrf)
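
The scripts above follow the Location header returned by Federated Sign-In and read the XSRF-TOKEN cookie without checking either. The following added example, which is not part of the vendor's scripts, validates both values before they are used. The names ticket_redirect, xsrf_token and PamProtocolError, the accepted redirect status codes and the sample values are assumptions made for illustration.

```python
# Added example (not vendor code). Standard library only; it operates on the
# status code and headers that a requests response exposes (r.status_code, r.headers).
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs


class PamProtocolError(Exception):
    """Raised when a PAM/CAS response is not the expected protocol step."""


def ticket_redirect(status, headers, service_url):
    """Return the Location of a sign-in redirect only if it targets service_url."""
    if status not in (302, 303, 307):  # assumed set of redirect codes
        # Anything else (login page, 401, ...) means the credential was not accepted
        raise PamProtocolError('expected a redirect, got HTTP {0}'.format(status))
    location = headers.get('Location')
    if not location:
        raise PamProtocolError('redirect without a Location header')
    got, want = urlsplit(location), urlsplit(service_url)
    # The service ticket is a bearer credential: send it only to the PAM host over TLS
    if got.scheme != 'https' or got.netloc.lower() != want.netloc.lower():
        raise PamProtocolError('redirect leaves the PAM host: ' + got.netloc)
    if got.path.rstrip('/') != want.path.rstrip('/'):
        raise PamProtocolError('redirect outside the PAM application path')
    if not parse_qs(got.query).get('ticket'):
        raise PamProtocolError('redirect carries no service ticket')
    return location


def xsrf_token(headers):
    """Extract XSRF-TOKEN from Set-Cookie, failing loudly when it is absent."""
    cookie = SimpleCookie()
    cookie.load(headers.get('Set-Cookie', ''))
    if 'XSRF-TOKEN' not in cookie or not cookie['XSRF-TOKEN'].value:
        raise PamProtocolError('no XSRF-TOKEN cookie in the whoami response')
    return cookie['XSRF-TOKEN'].value
```

In the token script this would be used as `location = ticket_redirect(r.status_code, r.headers, url)` and `xsrf = xsrf_token(r.headers)`, so a rejected token surfaces as a PamProtocolError instead of a KeyError.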