Application using API and best practices

Greetings everyone,

We are currently using the Mender Professional plan with a server hosted by Mender.
On our side we have a tool hosted on AWS that performs API calls to the Mender server for things such as monitoring and data confirmation between what Mender sees and what we have in our own database.

For now everything works, as we are using the API, which uses a user's email/password to get a token to use for the requests.
My question can be split in multiple parts:

  • Is there any way to use something that would not be related to a user? To avoid problems if the person related to the account left the company and his account was deactivated/removed.
  • If the option above is not possible and creating an account for the tool is the best solution, is there a way via the API to implement a password change, to ensure that the password rotates often to avoid possible security risks?
  • Maybe there is already something in the pipes using AWS technology (Secrets Manager, etc.), as I've seen other possible connections to services like IoT Core?

Thank you for your attention and assistance.

Hi @Cinso32,

Glad to hear things are working well for you! In general, you would solve this through a dedicated user for personal access tokens.

For example, you could create a user for an email alias such as menderapi@mycompany.org, and then issue a PAT as described at Using the APIs | Mender documentation. This way nobody would need access to user/pw credentials, and you can rotate the PAT whenever needed.

Greetz,
Josef

Hi YoctorJester!

This sounds like a perfect solution. If I read the documentation correctly, it seems like I can create them with an API request, set an expiration date, and just revoke one whenever I need to, allowing me to create a new one.

I will apply this to my tool. Thank you for your help.
Best regards,

1 Like
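Added example (not code from this thread, from Mender, or from the poster's tool) of the rotation described above: the tool lists the PATs of its dedicated service user, creates a replacement before the current one expires, and revokes the old one. Endpoint paths and the `id`/`name`/`expiration_date` fields follow the Mender useradm management API as documented in the "Using the APIs" page Josef links; the base URL, the name prefix, the 30-day lifetime and the 7-day rotation lead are assumptions. Check the paths against the documentation before use.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://hosted.mender.io/api/management/v1/useradm"  # assumed base URL
PREFIX = "aws-monitoring-tool-"   # assumed: marks the PATs that belong to our tool
LIFETIME_S, LEAD = 30 * 24 * 3600, timedelta(days=7)  # assumed lifetime / rotation lead

def _call(method, path, bearer, body=None):
    """Minimal stdlib client for the useradm management API."""
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"}
    req = urllib.request.Request(API + path, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read().decode()
    try:
        return json.loads(raw) if raw else None
    except ValueError:
        return raw  # PAT creation returns the token itself as plain text

def _expiry(token):
    """RFC 3339 UTC 'expiration_date' -> aware datetime; missing means never."""
    ts = token.get("expiration_date")
    if not ts:
        return datetime.max.replace(tzinfo=timezone.utc)
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def plan_rotation(tokens, now):
    """From the token listing: is a new PAT needed, and which of ours are stale?"""
    need_new, stale = True, []
    for t in tokens:
        if not t.get("name", "").startswith(PREFIX):
            continue  # never touch tokens that are not ours
        if _expiry(t) - now > LEAD:
            need_new = False  # a healthy PAT already exists
        else:
            stale.append(t["id"])  # expired or expiring within LEAD
    return need_new, stale

def rotate(bearer, now=None, call=_call):
    """Create a replacement PAT when needed, then revoke stale ones; returns the new PAT or None."""
    now = now or datetime.now(timezone.utc)
    need_new, stale = plan_rotation(call("GET", "/settings/tokens", bearer) or [], now)
    new_pat = None
    if need_new:
        name = PREFIX + now.strftime("%Y%m%d%H%M%S")  # unique name per rotation
        new_pat = call("POST", "/settings/tokens", bearer, {"name": name, "expires_in": LIFETIME_S})
    for tid in stale:  # only revoked once a replacement exists
        call("DELETE", f"/settings/tokens/{tid}", bearer)
    return new_pat
```

The bearer passed to `rotate` can be the tool's current PAT, so no email/password ever needs to be stored on the AWS side after the first token is issued.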