Here is how I authenticate to the Aqua SaaS platform. They introduced the concept of a "hub" to tie all the Aqua products together. When you create an API key, it's actually for the hub. You will use the API key to generate a token for the product (in this case runtime security).

Set a variable for the key and secret:

import os

# Read the hub credentials from the environment rather than hard-coding them.
api_key = os.environ['AQUA_SAAS_API_KEY']
api_secret = os.environ['AQUA_SAAS_API_SECRET']

Use this function to get the token that you can use on the products:

import hashlib
import hmac
import time
from urllib.parse import urlparse

import requests


def get_saas_token(api_key, api_secret) -> str:

    # Aqua SaaS has a very unique way of getting a token...
    # The timestamp is in milliseconds and is part of the signed string.
    timestamp = str(int(time.time() * 1000))

    auth_url = "https://api.cloudsploit.com/v2/tokens"
    path = urlparse(auth_url).path

    # I had to flatten this down for the sig stuff below.
    body = '{"validity":240,"allowed_endpoints":["ANY"]}'

    # Signed string: timestamp + HTTP method + URL path + request body.
    string = timestamp + "POST" + path + body

    secret_bytes = bytes(api_secret, "utf-8")
    string_bytes = bytes(string, "utf-8")

    sig = hmac.new(secret_bytes, msg=string_bytes, digestmod=hashlib.sha256).hexdigest()

    # Per Aqua docs, we need all these elements in the request header.
    headers = {
        "accept": "application/json",
        "x-api-key": api_key,
        "x-signature": sig,
        "x-timestamp": timestamp,
        "content-type": "application/json",
    }

    # Send exactly the string that was signed, and fail loudly on an HTTP error
    # instead of hitting a KeyError on the error payload.
    response = requests.post(auth_url, headers=headers, data=body, timeout=30)
    response.raise_for_status()

    # Returns the token
    return response.json()["data"]
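The reason the body has to be flattened is that the signature covers the exact request body text. The following is an added example, not code from the original post or from Aqua: it serializes the body once, signs it, and uses a hypothetical `verifier_accepts` function (an assumed model of a receiver that recomputes the HMAC over what it received) to show that re-serializing the same JSON with different whitespace no longer matches. The function names and the `demo-key`/`demo-secret` values are constructed for illustration.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse


def canonical_body(payload: dict) -> str:
    """Serialize once, with no whitespace, so signed and sent bytes match."""
    return json.dumps(payload, separators=(",", ":"))


def sign(api_secret: str, timestamp: str, method: str, url: str, body: str) -> str:
    """HMAC-SHA256 over timestamp + method + path + body, as in the post."""
    message = timestamp + method + urlparse(url).path + body
    return hmac.new(api_secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def build_request(api_key, api_secret, url, payload, timestamp=None):
    """Return (headers, body) for a signed POST; body must be sent verbatim."""
    timestamp = timestamp or str(int(time.time() * 1000))
    body = canonical_body(payload)
    headers = {
        "accept": "application/json",
        "content-type": "application/json",
        "x-api-key": api_key,
        "x-timestamp": timestamp,
        "x-signature": sign(api_secret, timestamp, "POST", url, body),
    }
    return headers, body


def verifier_accepts(api_secret, headers, url, received_body) -> bool:
    """Hypothetical receiver (assumption): recompute over the body that arrived."""
    expected = sign(api_secret, headers["x-timestamp"], "POST", url, received_body)
    return hmac.compare_digest(expected, headers["x-signature"])


if __name__ == "__main__":
    url = "https://api.cloudsploit.com/v2/tokens"
    payload = {"validity": 240, "allowed_endpoints": ["ANY"]}
    # Constructed credentials and timestamp, for illustration only.
    headers, body = build_request("demo-key", "demo-secret", url, payload, "1700000000000")
    print(verifier_accepts("demo-secret", headers, url, body))                 # body as signed
    print(verifier_accepts("demo-secret", headers, url, json.dumps(payload)))  # re-serialized
```

When sending, pass the returned `body` string unchanged as `data=` so that what goes on the wire is what was signed.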

Now that you have the token, note that each sub-product has its own tenant ID and a separate URL. For example:

"https://" + tenant_number + ".cloud.aquasec.com"

Authorization then is just through the bearer token method:

auth_headers = {
    'Authorization': 'Bearer ' + auth_token
}
