[Fastly Create Users + API tokens for Auditing purposes] #fastly #cli #auth #api

Example.md

Create a new user (using an API token that has 'superuser' permissions):

curl -v -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -X POST -d "name=Foo Bar&login=foo.bar%40example.com" https://api.fastly.com/user

Response (notice no 2FA, no password, no force password reset etc):

{
  "id":"001",
  "created_at":"2019-04-16T13:32:41Z",
  "updated_at":"2019-04-16T13:32:41Z",
  "name":"Foo Bar",
  "customer_id":"123",
  "require_new_password":false,
  "role":"user",
  "login":"foo.bar@example.com",
  "deleted_at":null,
  "locked":false,
  "two_factor_auth_enabled":false,
  "limit_services":false,
  "email_hash":"456",
  "two_factor_setup_required":true
}

Set our own initial password for the user:

curl -v -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -X POST -d "new_password=foobar" https://api.fastly.com/user/<id>/password

Response (notice require_new_password is set to true now we've set a password for the user):

{
  "id":"001",
  "created_at":"2019-04-16T13:32:41Z",
  "updated_at":"2019-04-16T13:51:38Z",
  "name":"Foo Bar",
  "customer_id":"123",
  "require_new_password":true,
  "role":"user",
  "login":"foo.bar@example.com",
  "deleted_at":null,
  "locked":false,
  "two_factor_auth_enabled":false,
  "limit_services":false,
  "email_hash":"456",
  "two_factor_setup_required":true
}

When signing in with this user, they are forced to setup 2FA. The concern at this point, is that this user is able to log into the Fastly UI and start creating both READ and WRITE API tokens for any service. Meaning, we should probably create the user but never set a password and see if we can still create API tokens for that user's account and have them be usable to query the Fastly API.

In order to create a new token for a user account, we first need to call a /sudo endpoint:

# don't forget to escape any special characters with a backslash \
export ADMIN_PASS=123456

curl -v -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -H "Fastly-OTP: 123456" -X POST -d "username=admin@example.com&password=$ADMIN_PASS" https://api.fastly.com/sudo

You can then request the token creation:

curl -H "Fastly-Key: $FASTLY_API_TOKEN_SUPERUSER" -X POST -d "username=<user>&password=<pass>&services[]=<service>" https://api.fastly.com/tokens

Response:

{
  "id":"000",
  "name":"Fastly API Token",
  "user_id":"123",
  "service_id":"456",
  "expires_at":null,
  "created_at":"2019-04-16T15:10:16Z",
  "updated_at":"2019-04-16T15:10:16Z",
  "scope":"global",
  "services":["<service_id>"],
  "access_token":"<a_new_token>"
}

Note: this token is generated for the superuser, and unfortunately not the specified username in the post formdata (which is what we wanted). Doesn't matter what creds you provide at this point. As you used the superuser account for /sudo it means the token will be setup for that user. This means as don't know anything about our user's or their creds (or OTP codes), we won't be able to create API tokens on their behalf.

Fastly Create Users + API tokens for Auditing purposes.md

Note: the following was a brief 'step-by-step' provided by Fastly.

First, we create the user:

https://docs.fastly.com/api/account#user_00b606002596bac1c652614de98bd260

Because we can’t create the user with an specific password, we manually update the recently created user’s password with this API call:

POST /user/<user-id>/password
Authentication: Using the API key of a superuser. Send that API key using the Fastly-Key header.
Content-Type: application/x-www-form-urlencoded
Payload: The new password should be sent as formdata within the field new_password

Then, knowing the user and password, we can create a personal token:

https://docs.fastly.com/api/auth#tokens_db4655a45a0107448eb0676577446e40

I’d also finish by requesting a password reset for the user, so they can set whatever they want:

https://docs.fastly.com/api/account#user_cee4dbb44c07d9ed078424cbbd353e1a