API Reference
Last modified on April 17, 2023
The StrongDM API allows users of StrongDM to programmatically interact with their organization in StrongDM in order to create, remove, or manage users, roles, permissions, gateways, relays, resources, and more. The amount of API access afforded to an API key depends entirely on what was granted to the key by the organization’s administrators when the key was created.
The StrongDM API is constructed with gRPC and a request signature model that requires the use of one of the StrongDM SDKs to interface with the API. The SDKs were designed with REST principles in mind. They are built around a set of domain objects, as well as the basic set of REST verbs: Create, Read, Update, and Delete.
Moreover, the StrongDM API provides advanced auditing and logging capabilities that simplify how data is extracted from StrongDM for programmatic integration into other parts of your organization, such as SIEM, log aggregators, compliance and/or security reports, or end-to-end IAM workflows. You can additionally use the StrongDM API to do the following:
- Get the history of what happened in your organization.
- View full snapshots.
- Look at shells for all replays.
- View SSH session data as it comes in, and watch sessions play live.
- Actively look at queries as they come in.
- Suspend users by ID.
The destination for requests directly to the StrongDM API is api.strongdm.com
.
You can interact with the API via any of StrongDM’s SDKs or Terraform.
StrongDM SDKs
The StrongDM API allows for the programmatic management of StrongDM features as well as the resources attached to the organization. StrongDM supports the following SDK options: Go, Java, Python, and Ruby.
Language | Reference | GitHub | Examples |
---|---|---|---|
Go | pkg.go.dev | strongdm-sdk-go | Go SDK Examples |
Java | javadoc | strongdm-sdk-java | Java SDK Examples |
Python | pdocs | strongdm-sdk-python | Python SDK Examples |
Ruby | RubyDoc | strongdm-sdk-ruby | Ruby SDK Examples |
Feel free to use the SDKs to interact with StrongDM from your own software, and contact support@strongdm.com if you have any questions or concerns.
StrongDM Terraform Provider
StrongDM’s Terraform provider makes use of the StrongDM API and has a set of Terraform provider examples.
How It Works
The StrongDM API does not rely on bearer tokens alone to protect your requests (and thus your infrastructure). Instead, the StrongDM API requires the use of request signatures modeled on the AWS V4 signing process. This methodology never sends a secret key over the network. If the key isn’t sent, the key cannot be intercepted. Furthermore, this methodology allows StrongDM to validate the time and payload of each API call, protecting against replay attacks or Manipulator in the Middle (MitM) message tampering. The StrongDM SDKs handle the gRPC calls and signing process to ensure a consistent and convenient experience.
Authentication
Each SDK provides a client that must be constructed with an API ID
and Secret
(also referred to as your API key). This key also sets the client’s permission to manage objects within StrongDM. For instructions on creating your API key, see the API Keys page.
For example, in Python:
def main():
client = strongdm.Client(<YOUR-ID>,<YOUR-SECRET>)
Domain objects
Domain objects are present in all of the StrongDM SDKs. These domain objects are, in a way, the glossary of the API. Once you’re familiar with them, you’ll better understand what you can do with the API.
Domain object | Description |
---|---|
AccountAttachments | Assigns an Account to a Role |
AccountAttachmentsHistory | Records all changes to the state of an AccountAttachment |
AccountGrants | Assigns a resource directly to an Account, giving the account the permission to connect to that resource |
AccountGrantsHistory | Records all changes to the state of an AccountGrant |
AccountPermissions | Records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM’s APIs |
AccountResources | Enumerates the resources to which accounts have access; AccountResources service is read-only |
Accounts | User accounts or service accounts that have access to StrongDM; a user account is for humans who are authenticated through username and password or SSO; a service account is for machines that are authenticated using a service token |
AccountsHistory | Records all changes to the state of an Account |
Activities | An Activity is a record of an action taken against a StrongDM deployment (for example, user creation, resource deletion, SSO configuration change, and so forth); Activities service is read-only |
Nodes | The gateway(s) and relay(s) that make up your StrongDM network and allow your users to connect securely to your resources. Gateways, the entry points into the network, listen for connections from the StrongDM client and provide access to databases and servers. Relays are used to extend the StrongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections. |
NodesHistory | Records all changes to the state of a Node |
OrganizationHistory | Records all changes to the state of an Organization |
Queries | A Query is a record of single client request to a resource (for example, a SQL query); SSH, RDP, or Kubernetes interactive sessions also count as queries; Queries service is read-only |
RemoteIdentities | Assigns a Remote Identity-enabled Resource directly to an Account, giving the Account the permission to connect to that Resource using a Remote Identity instead of a leased credential |
RemoteIdentitiesHistory | Records all changes to the state of a RemoteIdentity |
RemoteIdentityGroups | A RemoteIdentityGroup is a named grouping of Remote Identities for Accounts; an Account’s relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects |
RemoteIdentityGroupsHistory | Records all changes to the state of a RemoteIdentityGroup |
Replays | A Replay captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session (otherwise referred to as a query); Replays service is read-only |
Resources | Databases, servers, clusters, websites, or clouds to which StrongDM delegates access |
ResourcesHistory | Records all changes to the state of a Resource |
RoleResources | Enumerates the resources to which roles have access; RoleResources service is read-only |
RoleResourcesHistory | Records all changes to the state of a RoleResource |
Roles | A Role has a list of access rules that determine which Resources the members of the Role can access; an Account can be a member of multiple Roles via AccountAttachments |
RolesHistory | Records all changes to the state of a Role |
SecretStores | Servers where resource secrets (for example, passwords and keys) are stored |
SecretStoresHistory | Records all changes to the state of a SecretStore |
Requests
Each domain object is accessible via functions or methods provided by the client.
For example, in Ruby:
users = client.accounts.list("")
Filters
Many domain objects provide a common filtering language. You can use filters to narrow results from most Read operations when making requests.
For example, in Go:
users, err := client.Accounts().List(ctx, "firstName:Alice")
if err != nil {
log.Fatal("failed to query accounts:", err)
}
In the Go example shown, only users matching the first name “Alice” are returned.
Paginate results
When making a request with a Read operation that returns many results, the SDK automatically paginates the results. Depending on the language, pagination may be modeled as a transparent iterator, as in Ruby:
users.each do |user|
p user
end
Alternatively, pagination may be modeled as an explicit call to receive the next result, as in Go:
for users.Next() {
user := users.Value()
fmt.Println(user)
}
Audit API
History
History domain objects (such as AccountsHistory
) offer a time range to show the history of what was changed over time. For example, Accounts
provides information about users and service accounts, whereas AccountsHistory
provides a historical record of all the changes that have been made to the state of those accounts.
If the Advanced Insights reporting and auditing bundle is enabled for your organization, you can query the domain objects and get history for the last 13 months. If Advanced Insights is not enabled, you can query back 30 days by default and results may be truncated to 20 rows returned.
Snapshots
Typical calls to the API return the state of a domain object at the time of the request. Snapshots, however, allow you to view the state of one or more domain objects at a specified time in the past. Snapshots let you programmatically extract the history of what happened in your organization at a certain time regarding access grants, gateways and relays, roles, resources, and so forth.
Let’s say, for example, that within the last hour there was a security incident related to a role granting access to all Redis resources. You can use a snapshot to see the state of the role an hour ago. In the following example, the desired time is specified in client.SnapshotAt(<TIME>)
.
For example, in Go:
client.SnapshotAt(time.Now().Add(-1*time.Hour)).Roles().Get(ctx, "r-123456")
Snapshots are supported for the following domain objects:
AccountAttachments
AccountGrants
AccountPermissions
Accounts
Nodes
RemoteIdentities
RemoteIdentityGroups
Resources
RoleResources
Roles
SecretStores
If the Advanced Insights reporting and auditing bundle is enabled for your organization, you can use snapshots for any time in the last 13 months. If Advanced Insights is not enabled, you can use snapshots for the last 30 days by default and results may be truncated to 20 rows returned.
Rate Limits
Requests are subject to rate limits. Default rate limits are generous, and you’re unlikely to reach rate limits during normal operations. If you do, however, encounter a rate limit for a valid use case, please notify support@strongdm.com to have your rate limit increased.
The following Python snippet illustrates the expected behavior for a rate-limited call. Note the remaining
attribute on the returned RateLimitError
, which quantifies the remaining call budget for this time period (in this case, 0
):
try:
self.client.roles.get(role.id)
except sdm.errors.RateLimitError as ex:
self.assertEqual(ex.rate_limit.limit, 1)
self.assertEqual(ex.rate_limit.remaining, 0)
Additional Information
You can find resources and information about the following StrongDM topics in this section: