Creating and Managing API Tokens in Tanium Gateway
1. Introduction
API tokens are used to authenticate requests to the Tanium Gateway's GraphQL API. Proper management of these tokens ensures secure access to the API and helps maintain the integrity of your system.
2. Prerequisites
Before you begin, ensure you have:
- Access to the Tanium Console
- Administrator privileges
3. Creating API Tokens
Step 1: Access the Tanium UI Console
- Log in to your Tanium Console instance with administrative privileges.
Step 2: Create a Custom Role with Minimal Permissions
- Go to the Administration > Permissions > Roles section where roles can be managed.
- Create a role for the API token: provide a Role Name and Description, and set the permission type to Allow.
- In the Permissions table, locate the Gateway permissions, expand the section, and then select the Execute permissions for Gateway API. This step is essential for the integration to function properly.
- In the Permissions table, select Platform Content Permissions by checking the Read option, which will then display an icon with a number (n+). Click this icon to select the Content Sets: Reserved, Base, Core Content & Comply Reporting.
- Save the new role.
Step 3: Create a Persona with the Custom Role
- Go to the Administration > Permissions > Personas section where personas can be managed.
- Create a new persona for the API token.
- Provide a persona name and a related description.
- Assign the newly created role to this persona.
- Open Computer Groups and check the Unrestricted Management Rights checkbox.
- Open Users and assign one or more users to this persona. Note: To avoid disruptions when a user leaves, use a dedicated service account for integrations instead of tokens tied to individual user accounts.
- Save the new persona.
Step 4: Generate a New Token
- Log in as the service account and go to the Administration > Permissions > API Tokens section where API tokens can be managed.
- Select the option to create a new API token.
- Provide Notes for the token to easily identify its purpose.
- Assign an expiration period. We recommend 14 days; the UI defaults to 7 days, with a maximum possible value of 365 days.
- Assign the previously created persona to set the scope and permissions for the token.
- Add Trusted IP Addresses, using Synqly's IP addresses for production environments. If Synqly's IP addresses are not known, add 0.0.0.0/0 (which accepts requests from any source address) for sandbox testing only.
- Click Create to generate the API token.
Step 5: Save the API Token
- After generating the token, save it securely. You will not be able to retrieve the token again, so store it in a secure location such as a password manager.
4. Using the API Token
Step 1: Create an Integration Record in Synqly
- Create an integration record with the generated API token and your Tanium sandbox or production tenants.
5. Rotating an Existing API Token
Step 1: Rotate an API Token in Tanium
- Select your API token and rotate it using the rotation feature in the Tanium UI console under Administration > Permissions > API Tokens.
Step 2: Update the API Token in Synqly
- Use the patch API on the credentials endpoint to update the existing token with the rotated token.
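As an added example that is not part of the original guide, the following Python check applies the token settings from Step 4 and the rotation step above to a token's configuration before it is put into use: expiration within the UI's range and the 14-day recommendation, 0.0.0.0/0 accepted only for sandbox tenants, and a rotation reminder computed from the creation date. The configuration dictionary shape and the 3-day rotation lead time are assumptions, not Tanium or Synqly values.

```python
import ipaddress
from datetime import date, timedelta

# Limits taken from the guide: 14-day recommendation, 365-day UI maximum.
RECOMMENDED_DAYS = 14
MAX_DAYS = 365
ROTATE_LEAD_DAYS = 3  # assumed rotation lead time; not a Tanium value


def audit_token_config(cfg, today):
    """Return [(severity, message), ...] for one token configuration.

    cfg is an assumed dict (not a Tanium export): environment ("sandbox" or
    "production"), expiration_days (int), trusted_ips (list of CIDR strings),
    created_on (ISO date). today is an ISO date string.
    """
    findings = []
    env = cfg["environment"]
    days = cfg["expiration_days"]

    # Expiration must be within the UI's range; longer than the recommended
    # 14 days is allowed but flagged.
    if not 1 <= days <= MAX_DAYS:
        findings.append(("error", f"expiration {days}d outside 1-{MAX_DAYS}d"))
    elif days > RECOMMENDED_DAYS:
        findings.append(("warn", f"expiration {days}d exceeds {RECOMMENDED_DAYS}d"))

    # Trusted IPs: a malformed entry is a mistake, and a /0 (every source
    # address) is acceptable only for sandbox testing.
    if not cfg["trusted_ips"]:
        findings.append(("warn", "no trusted IP addresses configured"))
    for cidr in cfg["trusted_ips"]:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(("error", f"invalid CIDR {cidr!r}"))
            continue
        if net.prefixlen == 0 and env != "sandbox":
            findings.append(("error", f"{cidr} allows any source in {env}"))

    # Rotation: compare the computed expiry date against today.
    expires = date.fromisoformat(cfg["created_on"]) + timedelta(days=days)
    remaining = (expires - date.fromisoformat(today)).days
    if remaining < 0:
        findings.append(("error", f"token expired on {expires.isoformat()}"))
    elif remaining <= ROTATE_LEAD_DAYS:
        findings.append(("warn", f"rotate now: expires in {remaining}d"))
    return findings
```

Run it from a scheduled job over each integration's token record so an approaching expiry is raised before the Synqly credential stops working.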
6. Important Links in Tanium Documentation
- Authentication Methods
- Tanium RBAC For Integrations
- Tanium Sensor Inventory
- Synqly uses default sensors to check for vulnerabilities. You don’t need to add any new sensors yourself. However, if you want to know how to add or remove sensors, you can refer to the Register or unregister sensors for collection guide.
- Watch the second video, "Breakout Session: RBAC for Integrations", on the Developer Summit 2024 page.