# TT24: API key to OAuth lab
## Lab intro:
This lab gives a made-up example of a PowerShell script that was written years ago using API-key-based authentication. The Bank has upgraded production to 24.1.1 and the script stopped working! It must be fixed in the next 30 minutes, or heads will roll.
## Lab objectives:
1. Identify API key use.
2. Identify API calls used.
3. Determine required scope for API calls.
4. Update script to use Bearer token instead of API key.
5. Successfully execute the script.
## Scenario:
The Bank upgraded to 24.1.1 a month ago. The CEO of The Bank needs a certificate for a new lightning strike marketing campaign. The certificate must be created in the next 30 minutes, or the launch will fail! The Bank is upset because no one told them that API keys were being deprecated and there was no warning anywhere! Unacceptable!
The Bank has procedures and policies in place that were written by highly paid lawyers and non-technical decision makers. The certificate must be enrolled with the PowerShell script provided. Requesting the certificate by any other means would require change control, which would take a minimum of 8 weeks with sev1 priority. You can make any changes you wish to the PowerShell script.
## Ready? Let’s do it live!
We know from a colleague that the customer already has an API Integration set up in prod from 3 years ago, when this was initially discussed. The integration name is `techtraininglab` and it should be ready to go!
Each objective will expand and show more detailed steps to help you along the 30-minute rush to fix it!
<details>
<summary>1. Identify API key use. </summary>
<details>
<summary>1.1 View the script. Search for indicators of API key use.</summary>
<details>
<summary>1.1.1 API keys were passed as “X-Venafi-API-Key” header. Do we find this string in the script? </summary>
</details>
</details>
</details>
<details>
<summary>2. Identify API calls used.</summary>
<details>
<summary>2.1 Look for indication of API endpoints the script is calling.</summary>
<details>
<summary>2.1.1 The script uses Invoke-RestMethod to post the API call. </summary>
</details>
There is a -URI parameter passed. What are the URIs that indicate the API endpoints?
</details>
</details>
<details>
<summary>3. Determine required scope for API calls.</summary>
<details>
<summary>3.1 Find the API calls in the documentation (https://docs.venafi.com/) </summary>
The "REST APIs (24.1 - Old format)" documentation makes this much easier to do.
<details>
<summary>3.1.1 Note the required token scope </summary>
<details>
<summary>3.1.1.1 Search for API docs for “Certificates/Request” and “Config/Write” </summary>
</details>
</details>
</details>
</details>
<details>
<summary>4. Update script to use Bearer token instead of API key</summary>
<details>
<summary>4.1 Figure out how to get the auth token </summary>
4.2 We could have the script call the vedauth/authorize/oauth endpoint with credentials it prompts for.
<br>
4.3 We could get the token from TPP using url/vedsdk and have the script prompt for the token as input.
<details>
<summary>4.1.1 Update the header for authorization to use token instead of API key </summary>
</details>
</details>
</details>
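
One way to apply option 4.2 and step 4.1.1, as an added example that is not the lab's script: it prompts for credentials, requests a token from vedauth/authorize/oauth for the `techtraininglab` integration, and sends it as a Bearer header in place of X-Venafi-API-Key. The host name, PolicyDN and Subject are placeholders, and the scope string is an assumption to confirm against the documentation in step 3.

```powershell
# Added example, not the lab's script. Host, PolicyDN and Subject are placeholders.
$TppHost  = 'tpp.example.com'
$ClientId = 'techtraininglab'   # API integration name given in the lab
# Assumed scope string; confirm it in the docs for Certificates/Request and Config/Write.
$Scope    = 'certificate:manage;configuration:manage'

function Get-TppAccessToken {
    param(
        [Parameter(Mandatory)] [string] $TppHost,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $body = @{
        client_id = $ClientId
        username  = $Credential.UserName
        password  = $Credential.GetNetworkCredential().Password
        scope     = $Scope
    } | ConvertTo-Json
    $uri  = "https://$TppHost/vedauth/authorize/oauth"
    $resp = Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Body $body
    return $resp.access_token   # keep the token in memory only; do not write it to logs
}

function New-TppAuthHeader {
    param([Parameter(Mandatory)] [string] $AccessToken)
    # Replaces the old header: @{ 'X-Venafi-API-Key' = $apiKey }
    return @{ Authorization = "Bearer $AccessToken" }
}

$cred    = Get-Credential -Message 'Account permitted to use the techtraininglab integration'
$token   = Get-TppAccessToken -TppHost $TppHost -ClientId $ClientId -Scope $Scope -Credential $cred
$headers = New-TppAuthHeader -AccessToken $token

try {
    # Existing calls keep their -Uri and -Body; only -Headers changes.
    $request = @{ PolicyDN = '\VED\Policy\Placeholder'; Subject = 'placeholder.example.com' } | ConvertTo-Json
    $uri     = "https://$TppHost/vedsdk/Certificates/Request"
    Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -ContentType 'application/json' -Body $request
}
finally {
    # Revoke the token when the run ends so it cannot be reused if it leaks.
    Invoke-RestMethod -Method Get -Uri "https://$TppHost/vedauth/revoke/token" -Headers $headers | Out-Null
}
```
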
<br>
<br>
## That’s a wrap!
Good work fixing it in a pinch! The account team agrees with the customer concern about not being notified about the API key deprecation. There is a call scheduled for next week to discuss what happened and how we could better notify them of changes like this in the future.