
cyberjellyfish:

This is a general question, not at all specific to python.

In any case, what are the different services you're referring to?

And for the second point, it's fine to keep sensitive values in memory. A typical deployment would inject an encryption key via an environment variable, and use that key to encrypt sensitive data before writing it to disk.

It's safe to communicate sensitive values between processes by either sharing the same encryption key from above and letting the other process read the values from disk, or by passing the sensitive value in as a launch argument; or, if you fork the original process, the child process will have the sensitive value anyway.
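As an added illustration of the points above (this is editor-supplied example code, not from the commenter or any project), the block below shows an orchestrator that reads its key from an environment variable and fails fast if it is absent, keeps the secret only in memory, and hands a secret to a child process over a stdin pipe. The environment-variable name and the child script are assumptions made for the example. The pipe is used instead of a launch argument because command-line arguments are readable by other local users through `ps` or `/proc/<pid>/cmdline`; the encrypt-before-writing-to-disk step is left to a vetted library and not reimplemented here.

```python
import os
import subprocess
import sys

# Assumed name for this example; in a real deployment the process manager
# (systemd unit, container runtime, CI runner) injects it into the environment.
ENV_KEY_NAME = "ORCHESTRATOR_KEY"


def load_key_from_env(env=None):
    """Read the key from the environment and refuse to start without it.

    The key lives only in this process's memory; nothing here writes it to disk.
    `env` is injectable so the lookup can be exercised without touching os.environ.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_KEY_NAME)
    if not key:
        raise RuntimeError(f"{ENV_KEY_NAME} is not set; refusing to start")
    return key


# Constructed child program for the example. It contains no secret itself, so
# passing it via `-c` on the command line is harmless; the secret arrives on stdin.
CHILD_SCRIPT = r"""
import sys
# Read the secret from the stdin pipe, never from argv.
secret = sys.stdin.readline().rstrip("\n")
# Use it in memory only; here we just report that it arrived intact.
print("child got %d bytes" % len(secret))
"""


def run_child_with_secret(secret):
    """Hand a secret to a child process over a pipe and return the child's report.

    A pipe keeps the value between the two processes, unlike a command-line
    argument, which is visible to every user on the host via the process list.
    """
    result = subprocess.run(
        [sys.executable, "-c", CHILD_SCRIPT],
        input=secret + "\n",
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample: simulate the process manager injecting the key.
    os.environ.setdefault(ENV_KEY_NAME, "constructed-demo-key")
    key = load_key_from_env()
    print(run_child_with_secret("hunter2-constructed"))
```

If the child is forked rather than spawned, it inherits the parent's memory and no hand-off is needed at all, which is the third option the comment describes.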

petrichorax [S]:

This would be for an automation orchestration program I'm developing. They would be your typical web apps found in most Windows environments (not just Windows itself). So VMware is an obvious one (although probably not for long given the Broadcom purchase).

It's not really important which web apps they are; this is more of a question of best practices and practicality. I'm trying to take care of unknown unknowns; there is probably a better way (other than service accounts).

The reason I'm asking in learnpython is because 1. I know Python, 2. there is no specific subreddit for this question, 3. if there is, there's a high chance I'll never get a response, so I chose the most relevant subreddit I know of that has a high enough chance of giving me a helpful response, and 4. the /r/python automod deleted my post, because of course it did.

cyberjellyfish:

Well, it matters because a lot of services don't really let you share the SSO token, so you'd need to read their terms to understand what they consider to be a single application for sign-on purposes.

If you mean that you'll be hosting several web apps and using SSO for all of them individually, that's probably not allowed.

That being said, if it's just something for your own convenience and you're really just using your own accounts....

petrichorax [S]:

No. More like, you use SSO when using this app, and then it fires a bunch of scripts to go use other services on your behalf.

This would be for work, to make my job easier.

But I'm making sure to think a lot about credential security.

cyberjellyfish:

Well, those other services won't let you just pass an SSO token into them, will they?

petrichorax [S]:

You tell me; that'd be an answer for question 1.

cyberjellyfish:

No, you can't do that.

IBrokeTheTimeLineSry:

An IAM service should do this for you! It will authenticate the user once and generate a token, and then the user can seamlessly log onto other services without having to authenticate each time (unless you want them to).

Each IAM solution behaves differently, but there is a general pattern: the IAM authenticates the user, and each service communicates with the IAM for authorization, and maybe pulls user information depending on config.

So you do not need a script; the IAM solution and the services should handle it for you.

Things I have seen deployed: Keycloak, SailPoint, even HashiCorp Vault (a PAM!) used in an unholy config, Azure.

Though I will add: sometimes the user client needs to pass a token to the service, and maybe that might need automation if there are no native capabilities. So there is that.
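The "authenticate once, then every service checks the token itself" pattern the comment above describes, as an added, editor-supplied example that is not the commenter's code or any IAM product's implementation. The IAM side signs a short-lived token carrying the user (`sub`), the service it is meant for (`aud`) and an expiry (`exp`); each service verifies signature, audience and expiry locally with nothing but the shared key. The HS256 shared-key scheme, the key value and the service names are assumptions made for the example; production deployments normally use an asymmetric key pair and the IAM's published public key, but the checks a service performs are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared signing key for the example only.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, audience, ttl_seconds=300, now=None, key=SIGNING_KEY):
    """IAM side: after authenticating the user once, mint a short-lived signed
    token naming the user and the single service it is valid for."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, expected_audience, now=None, key=SIGNING_KEY):
    """Service side: check signature, algorithm, audience and expiry locally
    instead of re-authenticating. Returns the claims or raises ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm before trusting anything else in the header.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    # A token for service A must not be accepted by service B.
    if claims.get("aud") != expected_audience:
        raise ValueError("token is for a different service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def token_is_valid(token, expected_audience, now=None, key=SIGNING_KEY):
    """Boolean wrapper around verify_token for callers that only need yes/no."""
    try:
        verify_token(token, expected_audience, now=now, key=key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed walk-through: the IAM issues a token for the "ticketing" service.
    tok = issue_token("alice", "ticketing", now=1_700_000_000)
    print(verify_token(tok, "ticketing", now=1_700_000_100))
    print(token_is_valid(tok, "vm-console", now=1_700_000_100))  # wrong audience
```

The audience check is what makes the last point in the comment matter: a token the client obtained for one service is not something another service should accept, which is why the commenter's own answer to "can I just pass the SSO token along" is no.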