🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Authentication With the Taegis™ XDR Python SDK

Client Credentials with the Python SDK

The Python SDK authenticates with your Taegis account with client credentials when you install it. This requires a password and MFA token, unless your organization has registered your organization with SSO authentication. If SSO is enabled, you will be presented with a device code authentication link.

Note

To generate and set tokens as needed in these examples, see Generate a Token below.

Example Usage

from taegis_sdk_python import GraphQLService
from pprint import pprint as pp

service = GraphQLService(environment="US1")

results = service.clients.mutation.create_client(name="my_awesome_app", roles=None)

print(f"CLIENT_ID: {results.client.client_id}")
print(f"CLIENT_SECRET: {results.client_secret}")
pp(results)

Note

Change your environment as appropriate.

Partner Credentials

If you need to make tenant specific client credentials, add tenant_id to your service constructor.

from taegis_sdk_python import GraphQLService
from pprint import pprint as pp

service = GraphQLService(environment="US1", tenant_id="<tenant_id>")

results = service.clients.mutation.create_client(name="my_awesome_app", roles=None)

print(f"CLIENT_ID: {results.client.client_id}")
print(f"CLIENT_SECRET: {results.client_secret}")
pp(results)

Or if you need to make multiple tenant credentials at the same time:

from taegis_sdk_python import GraphQLService
from pprint import pprint as pp

service = GraphQLService()

# service context let's you change out values per call!
with service(environment="US1", tenant_id="<tenant_id>"):
    results = service.clients.mutation.create_client(name="my_awesome_tenant_app", roles=None)

with service(environment="US1", tenant_id="<another_tenant_id>"):
    results2 = service.clients.mutation.create_client(name="my_awesome_another_tenant_app", roles=None)

print(f"CLIENT_ID: {results.client.client_id}")
print(f"CLIENT_SECRET: {results.client_secret}")
pp(results)

Privileged Credentials

from taegis_sdk_python import GraphQLService
from pprint import pprint as pp

service = GraphQLService(environment="US1")

results = service.clients.mutation.create_client(name="my_awesome_app", roles=['ba0fdcbd-e87d-4bdd-ae7d-ca6118b25068'])

print(f"CLIENT_ID: {results.client.client_id}")
print(f"CLIENT_SECRET: {results.client_secret}")
pp(results)

Generate a Token

You can place the CLIENT_ID and CLIENT_SECRET in environment variables for authentication. You don’t need to pre-provide authentication for user interactive scripts. The Python SDK checks for a valid token when you call an API, and requests credentials at runtime if not found.

Python Script Example

from taegis_sdk_python import GraphQLService
service = GraphQLService()
print(service.access_token)

Command Line Example

export CLIENT_ID="you_client_id"
export CLIENT_SECRET="your_client_secret"
python script.py

More on Using Tokens with the Taegis™ XDR Python SDK

The authentication flow for the Taegis™ XDR Python SDK is Cached Token→Authenticate via OAuth→Authenticate via SSO or Username/Password/MFA. Tokens are cached in the ~/.taegis_sdk_python/config file.

OAuth

OAuth tokens from CLIENT_ID and CLIENT_SECRET are used by default.

To generate a CLIENT_ID and CLIENT_SECRET:

from taegis_sdk_python.services import GraphQLService
from pprint import pprint as pp
service = GraphQLService(environment="US1")
result = service.clients.mutation.create_client(name="my_awesome_app", roles=None)
print(f"CLIENT_ID: {result.client.client_id}")
print(f"CLIENT_SECRET: {result.client_secret}")
pp(result)

Important

Store your CLIENT_ID and CLIENT_SECRET results in an encrypted vault.

Replace <client_id> and <client_secret> in the following example with your values:

CLIENT_ID=<client_id> CLIENT_SECRET=<client_secret> python script.py

Customize Environment Variables

You can use write_to_config to set custom environment variables for your environment. This is useful if you are automating and you have to access different environments from the same script:

from taegis_sdk_python import GraphQLService
from taegis_sdk_python.config import write_to_config

# write_to_config(environment, default_reference, custom_reference)
write_to_config("US1", "CLIENT_ID", "US1_CLIENT_ID")
write_to_config("US1", "CLIENT_SECRET", "US1_CLIENT_SECRET")

service = GraphQLService()
US1_CLIENT_ID=<client_id> US1_CLIENT_SECRET=<client_secret> python script.py

Username

If you don't provide OAuth tokens in the environment, you will be prompted for a username. If your organization has enabled single sign-on, then you will prompted with a link. Otherwise, you will be asked for a password and MFA token.

Clearing Authorization Tokens

If you need to manually clear the authentication tokens, use:

from taegis_sdk_python.config import write_to_config

write_to_config("US1", "access_token", "")

Search Client Credentials

from taegis_sdk_python import GraphQLService

service = GraphQLService()
search_results = service.clients.query.clients(client_ids=["<CLIENT_ID>"])
print(search_results)

Search for Named Credentials

You can use % for wildcard matching.

from taegis_sdk_python import GraphQLService

service = GraphQLService()
results = service.clients.query.clients(name="%docs-test-client%")
print(results)

Search for Administrator Credentials

from taegis_sdk_python import GraphQLService

service = GraphQLService()
results = service.clients.query.clients(role_ids=["c373d68a-fdca-476f-5b48-92ed5804dc53"])
print(results)

Reset a Client Secret

If you need to reset a client secret, but want to retain the same client id, you can use the rotateClientSecret mutation to generate a new client secret. The ID input can either be the UUID or the client_id.

from taegis_sdk_python import GraphQLService

service = GraphQLService()
update_results = service.clients.mutation.rotate_client_secret('c373d68a-fdca-476f-5b48-92ed5804dc53')
print(update_results)
from taegis_sdk_python import GraphQLService

service = GraphQLService()
update_results = service.clients.mutation.rotate_client_secret('b42USvw1jm5fk3Y2VqoAWSyG4CF47Ek5')
print(update_results)

Delete a Client

When you are finished with client credentials, you can use the deleteClient mutation to revoke credentials. The ID input can either be the UUID or the client_id.

from taegis_sdk_python import GraphQLService

service = GraphQLService()
delete_results = service.clients.mutation.delete_client('c373d68a-fdca-476f-5b48-92ed5804dc53')
print(delete_results)
from taegis_sdk_python import GraphQLService

service = GraphQLService()
delete_results = service.clients.mutation.delete_client('b42USvw1jm5fk3Y2VqoAWSyG4CF47Ek5')
print(delete_results)

 

On this page: