API Reference

Last modified on January 19, 2024

The StrongDM API allows users of StrongDM to programmatically interact with their organization in StrongDM in order to create, remove, or manage users, roles, permissions, gateways, relays, resources, and more. The amount of API access afforded to an API key depends entirely on what was granted to the key by the organization’s administrators when the key was created.

The StrongDM API is constructed with gRPC and a request signature model that requires the use of one of the StrongDM SDKs to interface with the API. The SDKs were designed with REST principles in mind. They are built around a set of domain objects, as well as the basic set of Create, Read, Update, and Delete (CRUD) operations.

Moreover, the StrongDM API provides advanced auditing and logging capabilities that simplify how data is extracted from StrongDM for programmatic integration into other parts of your organization, such as SIEM, log aggregators, compliance and/or security reports, or end-to-end IAM workflows. You can additionally use the StrongDM API to do the following:

  • Get the history of what happened in your organization.
  • View full snapshots.
  • Look at shells for all replays.
  • View SSH session data as it comes in, and watch sessions play live.
  • Actively look at queries as they come in.
  • Suspend users by ID.

The destination for requests directly to the StrongDM API is api.strongdm.com.

You can interact with the API via any of StrongDM’s SDKs or Terraform.

StrongDM SDKs

The StrongDM API allows for the programmatic management of StrongDM features as well as the resources attached to the organization. StrongDM supports the following SDK options: Go, Java, Python, and Ruby.

LanguageReferenceGitHubExamples
Gopkg.go.devstrongdm-sdk-goGo SDK Examples
Javajavadocstrongdm-sdk-javaJava SDK Examples
Pythonpdocsstrongdm-sdk-pythonPython SDK Examples
RubyRubyDocstrongdm-sdk-rubyRuby SDK Examples

Feel free to use the SDKs to interact with StrongDM from your own software.

StrongDM Terraform Provider

StrongDM’s Terraform provider makes use of the StrongDM API and has a set of Terraform provider examples.

How It Works

The StrongDM API does not rely on bearer tokens alone to protect your requests (and thus your infrastructure). Instead, the StrongDM API requires the use of request signatures modeled on the AWS V4 signing process. This methodology never sends a secret key over the network. If the key isn’t sent, the key cannot be intercepted. Furthermore, this methodology allows StrongDM to validate the time and payload of each API call, protecting against replay attacks or Manipulator in the Middle (MitM) message tampering. The StrongDM SDKs handle the gRPC calls and signing process to ensure a consistent and convenient experience.

Authentication

Each SDK provides a client that must be constructed with an API ID and Secret (also referred to as your API key). This key also sets the client’s permission to manage objects within StrongDM. For instructions on creating your API key, see the API Keys page.

For example, in Python:

def main():
    client = strongdm.Client(<YOUR-ID>,<YOUR-SECRET>)

Domain objects

Domain objects are present in all of the StrongDM SDKs. These domain objects are, in a way, the glossary of the API. Once you’re familiar with them, you’ll better understand what you can do with the API.

Modifiable domain objects

The domain objects in the following table may be modified.

Domain objectDescription
AccountAttachmentsAssigns an account to a role
AccountGrantsAssigns a resource directly to an account, giving the account the permission to connect to that resource
AccountPermissionsRecords the granular permissions accounts have, allowing them to execute relevant commands via StrongDM’s APIs
AccountsUser accounts or service accounts that have access to StrongDM; a user account is for humans who are authenticated through username and password or SSO; a service account is for machines that are authenticated using a service token
NodesThe gateway(s) and relay(s) that make up your StrongDM network and allow your users to connect securely to your resources. Gateways, the entry points into the network, listen for connections from the StrongDM client and provide access to databases and servers. Relays are used to extend the StrongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
PeeringGroupNodesProvides the building blocks necessary to attach a node to a peering group
PeeringGroupPeersProvides the building blocks necessary to link two peering groups
PeeringGroupResourcesProvides the building blocks necessary to attach a resource to a peering group
PeeringGroupsProvides the building blocks necessary to obtain explicit network topology and routing
RemoteIdentitiesAssigns a Remote Identity-enabled resource directly to an account, giving the account the permission to connect to that resource using a Remote Identity instead of a leased credential
RemoteIdentityGroupsA named grouping of Remote Identities for accounts; an account’s relationship to a RemoteIdentityGroup is defined via RemoteIdentity objects
ResourcesDatabases, servers, clusters, websites, or clouds to which StrongDM delegates access
RolesA collection of of access rules that determine which Resources the members of the role can access; an account can be a member of multiple roles via AccountAttachments
SecretStoresServers where resource secrets (for example, passwords and keys) are stored
WorkflowApproversA listing of users assigned to the workflow as approvers
WorkflowRolesA listing of the roles assigned to a workflow, which indicate which users may make requests via that workflow
WorkflowsA collection of rules that define the resources to which access can be requested, the roles that allow their members to request access to those resources, and the mechanism for approving those requests

Read-only domain objects

The domain objects in the following table are read-only. They primarily allow you to view logs, administrative activities, and historical changes.

Domain objectDescription
AccessRequestEventsHistoryA record of all changes to the state of an AccessRequestEvent
AccessRequestsRequests for access to a resource via a workflow
AccessRequestsHistoryA record of all changes to the state of an AccessRequest
AccountAttachmentsHistoryA record of all changes to the state of an AccountAttachment
AccountGrantsHistoryA record of all changes to the state of an AccountGrant
AccountResourcesEnumerates the resources to which accounts have access
AccountResourcesHistoryA record of all changes to the state of an AccountResource
AccountsHistoryA record of all changes to the state of an account
ActivitiesA record of an action taken against a StrongDM deployment, such as user creation, resource deletion, or SSO configuration change
ControlPanelA record of all administrative controls
NodesHistoryA record of all changes to the state of a node
OrganizationHistoryA record of all changes to the state of an organization
QueriesA record of single client request to a resource (for example, a SQL query); SSH, RDP, or Kubernetes interactive sessions also count as queries
RemoteIdentitiesHistoryA record of all changes to the state of a RemoteIdentity
RemoteIdentityGroupsHistoryA record of all changes to the state of a RemoteIdentityGroup
ReplaysCaptures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session/query
ResourcesHistoryA record of all changes to the state of a resource
RoleResourcesEnumerates the resources to which roles have access
RoleResourcesHistoryA record of all changes to the state of a RoleResource
RolesHistoryA record of all changes to the state of a role
SecretStoresHistoryA record of all changes to the state of a SecretStore
WorkflowApproversHistoryA record of all changes to the state of a WorkflowApprover
WorkflowAssignmentsA listing of the resources assigned to a workflow
WorkflowAssignmentsHistoryA record of all changes to the state of a WorkflowAssignment
WorkflowRolesHistoryA record of all changes to the state of a WorkflowRole
WorkflowsHistoryA record of all changes to the state of a workflow

Requests

Each domain object is accessible via functions or methods provided by the client.

For example, in Ruby:

users = client.accounts.list("")

Filters

Many domain objects provide a common filtering language. You can use filters to narrow results from most Read operations when making requests.

For example, in Go:

users, err := client.Accounts().List(ctx, "firstName:Alice")
if err != nil {
  log.Fatal("failed to query accounts:", err)
}

In the Go example shown, only users matching the first name “Alice” are returned.

Paginate results

When making a request with a Read operation that returns many results, the SDK automatically paginates the results. Depending on the language, pagination may be modeled as a transparent iterator, as in Ruby:

users.each do |user|
    p user
end

Alternatively, pagination may be modeled as an explicit call to receive the next result, as in Go:

for users.Next() {
    user := users.Value()
    fmt.Println(user)
}

Audit API

History

History domain objects (such as AccountsHistory) offer a time range to show the history of what was changed over time. For example, Accounts provides information about users and service accounts, whereas AccountsHistory provides a historical record of all the changes that have been made to the state of those accounts.

If the Enterprise bundle is enabled for your organization, you can query the domain objects and get history for the last 13 months. If the Enterprise bundle is not enabled, you can query back 30 days by default and results may be truncated to 20 rows returned.

Snapshots

Typical calls to the API return the state of a domain object at the time of the request. Snapshots, however, allow you to view the state of one or more domain objects at a specified time in the past. Snapshots let you programmatically extract the history of what happened in your organization at a certain time regarding access grants, gateways and relays, roles, resources, and so forth.

Let’s say, for example, that within the last hour there was a security incident related to a role granting access to all Redis resources. You can use a snapshot to see the state of the role an hour ago. In the following example, the desired time is specified in client.SnapshotAt(<TIME>).

For example, in Go:

client.SnapshotAt(time.Now().Add(-1*time.Hour)).Roles().Get(ctx, "r-123456")

Snapshots are supported for the following domain objects:

  • AccessRequests
  • AccountAttachments
  • AccountGrants
  • AccountPermissions
  • AccountResources
  • Accounts
  • Nodes
  • RemoteIdentities
  • RemoteIdentityGroups
  • Resources
  • RoleResources
  • Roles
  • SecretStores
  • WorkflowApprovers
  • WorkflowAssignments
  • WorkflowRoles
  • Workflows

If the Enterprise bundle is enabled for your organization, you can use snapshots for any time in the last 13 months. If the Enterprise bundle is not enabled, you can use snapshots for the last 30 days by default and results may be truncated to 20 rows returned.

Rate Limits

Requests are subject to rate limits. Default rate limits are generous, and you’re unlikely to reach rate limits during normal operations. For more information, see the Rate Limits section.

Additional Information

You can find resources and information about the following StrongDM topics in this section: