Skip to main content

Use dynamically rotated passwords in an integration

  • May 23, 2025
  • 3 replies
  • 26 views
donkos
Forum|alt.badge.img+8

Hello all,

I know that typically integrations are built with the use of a secret that is static and is saved in an integration instance's parameters. 

How would one handle feeding a secret for one SaaS' API that gets rotated and stored in the key vault of a different product (which would be available via that product's API) - so e.g. getting password from AWS KMS to use in an API call to Tenable? The only way that comes to mind is creating a custom action that does both steps within the one action.

    3 replies

    ylandovskyy
    Staff
    Forum|alt.badge.img+16

    Hey @donkos

    We do have a similar use case implemented for Azure integrations. Inside of those integrations, there is a Job that will update the Integration Configuration. My suggestion would be to check, how it's done there and then create a job that will scan the AWS KMS and if needed, update the configuration of the integration.

    In my opinion, this would be the most straightforward way of solving your use case. 

      donkos
      Forum|alt.badge.img+8
      • donkos
      • Author
      • New Member
      • May 28, 2025

      Hey @donkos

      We do have a similar use case implemented for Azure integrations. Inside of those integrations, there is a Job that will update the Integration Configuration. My suggestion would be to check, how it's done there and then create a job that will scan the AWS KMS and if needed, update the configuration of the integration.

      In my opinion, this would be the most straightforward way of solving your use case. 


      Are you referring to the Refresh Token job? I would appreciate a more detailed explanation on how that type of job works in SOAR.

      ylandovskyy
      Staff
      Forum|alt.badge.img+16

      Are you referring to the Refresh Token job? I would appreciate a more detailed explanation on how that type of job works in SOAR.


      @donkos Yes, this is the job. The most important methods:

      _build_manager_for_instance - fetches current configuration and builds the integration instance that needs to be updated.
      _refresh_integration_token - updates the integration instance configuration. In this case, it updates the "Refresh Token" parameter.

      _refresh_connector_token - updates the connector configurations (integration and connector configurations are not shared)
      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.