Improve Security: Track API Keys Using IAM and LogDNA


Learn how to find unused API keys by combining Identity Services and LogDNA.

Recently, I blogged about tracking account activity from the command line. I showed you how to search IBM Cloud Activity Tracker with LogDNA records using a Python script. 

Today, I'm going to discuss how to combine the IAM Identity Services API with the LogDNA search to track usage of API keys. The goal is to find out whether API keys for a user or service ID were recently used. If they have not been used for a while, they might be up for deletion.

IBM Cloud APIs

IBM Cloud offers many APIs for its services as well as for the core platform. One of the APIs offered for the core Cloud platform is the IAM (Identity and Access Management) Identity Services API. Using that REST interface, it is possible to create, list, or delete API keys for users and service IDs and to create or delete service IDs.

The same interface can also be used to generate an access token based on a valid API key. In short, managing API keys starts with an API key.

From API key to usage report

To get to the usage report, the script starts by turning an API key into an IBM Cloud access token. The token needs to be provided for all calls to the IAM API. Next, the script retrieves details about the provided key. This is necessary in order to have the account ID as a parameter to other calls.

With the token and account information in place, the next step is to obtain the list of API keys for the current user—the result is then turned into LogDNA searches. 

For each API key, the script produces the number of found activity records and the timestamp of the most recent usage. All the results are turned into a single JSON document.

With the same approach, the list of service IDs is requested, and for each ID, the related service ID API keys. Similar to the user API keys, the script composes a LogDNA search for each item and adds the result to the JSON report. A sample run of the script and its output might look like this:

[Figure: A sample run of the script and its output]
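The flow described above, as an added example that is not the KeyTracker script from the post: exchange an API key for a token, query IAM Identity Services for the key inventory, and fold LogDNA export records into a per-key report with hit count, last-use timestamp and a "stale" flag for deletion candidates. The IAM token and v1 endpoints, the LogDNA export endpoint and the `_ts` (epoch milliseconds) / `_line` record fields are assumptions about those APIs; the network helpers are only called when you wire them up, and the key lists and records below are constructed so the aggregation runs offline.

```python
"""Added example: API-key usage report from IAM key lists plus LogDNA export records.

Not the post's KeyTracker script. Endpoint URLs and record field names are
assumptions; SAMPLE_* data is constructed to stand in for the real responses.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"  # assumed endpoint
IAM_BASE = "https://iam.cloud.ibm.com/v1"                    # assumed endpoint
STALE_AFTER_DAYS = 90  # policy knob: keys unused this long become deletion candidates


def get_access_token(api_key):
    """Exchange an API key for a bearer token (network call; assumed endpoint)."""
    body = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
        "apikey": api_key,
    }).encode()
    req = urllib.request.Request(IAM_TOKEN_URL, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def iam_get(token, path, **params):
    """GET an IAM Identity Services resource, e.g. iam_get(tok, "apikeys", account_id=acc)."""
    url = f"{IAM_BASE}/{path}?{urllib.parse.urlencode(params)}"
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def logdna_export_url(region, key_id, start, end):
    """Build the LogDNA export query for one key id (assumed endpoint and parameters)."""
    params = {"query": key_id, "from": int(start.timestamp() * 1000),
              "to": int(end.timestamp() * 1000)}
    return f"https://api.{region}.logging.cloud.ibm.com/v1/export?" + urllib.parse.urlencode(params)


def summarize_key(key, records, now):
    """Count export records that mention the key id and report the most recent one."""
    hits = [r for r in records if key["id"] in r.get("_line", "")]
    entry = {"id": key["id"], "name": key["name"], "count": len(hits),
             "last_used": None, "stale": True}  # never seen => stale
    if hits:
        last = datetime.fromtimestamp(max(r["_ts"] for r in hits) / 1000, tz=timezone.utc)
        entry["last_used"] = last.isoformat()
        entry["stale"] = (now - last) > timedelta(days=STALE_AFTER_DAYS)
    return entry


def build_report(user_keys, service_ids, records, now):
    """Single JSON-ready document: user keys, then each service ID with its keys."""
    return {
        "generated": now.isoformat(),
        "user_api_keys": [summarize_key(k, records, now) for k in user_keys],
        "service_ids": [{"id": s["id"], "name": s["name"],
                         "api_keys": [summarize_key(k, records, now) for k in s["api_keys"]]}
                        for s in service_ids],
    }


# ---- constructed sample data standing in for the IAM and LogDNA responses ----
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)


def _ms(dt):
    return int(dt.timestamp() * 1000)


SAMPLE_USER_KEYS = [{"id": "ApiKey-1111", "name": "laptop-cli"},
                    {"id": "ApiKey-2222", "name": "old-ci-key"}]
SAMPLE_SERVICE_IDS = [{"id": "ServiceId-aaaa", "name": "batch-job",
                       "api_keys": [{"id": "ApiKey-3333", "name": "batch-key"}]}]
SAMPLE_RECORDS = [  # constructed export lines; real events are richer JSON
    {"_ts": _ms(NOW - timedelta(days=2)), "_line": "apikey login ok key=ApiKey-1111"},
    {"_ts": _ms(NOW - timedelta(days=5)), "_line": "apikey login ok key=ApiKey-1111"},
    {"_ts": _ms(NOW - timedelta(days=120)), "_line": "apikey login ok key=ApiKey-3333"},
]


def example_report():
    return build_report(SAMPLE_USER_KEYS, SAMPLE_SERVICE_IDS, SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    print(json.dumps(example_report(), indent=2))
```

To run it against a real account you would call `get_access_token`, then `iam_get(token, "apikeys/details")`-style lookups for the account ID and key lists, fetch each `logdna_export_url` result as a list of records, and pass those into `build_report`; the offline part is what decides which keys are reported as stale.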

Get started  

With an understanding of the overall flow, check out the KeyTracker script available in the LogDNA search repository on GitHub. 

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.
