Access denied in ansible inventory #458

Closed
Gianlu opened this issue Mar 4, 2024 · 10 comments · Fixed by #470

Gianlu commented Mar 4, 2024

Hi,
I'm trying to use the ansible inventory but I receive a

```
Unable to query hosts: [{'code': 403, 'message': 'access denied, authorization failed'}]
```

I'm pretty sure that client_id and client_secret are right because via curl I'm authenticated.
My token is associated to a policy with read grant on all entities.

May you help me?

Thanks

@carlosmmatos

Hello @Gianlu - apologies as I noticed that I did not add the API Scope to the dynamic inventory in order to use it. Can you try adding the following API Scope to your credentials?

  • assets [READ]

carlosmmatos self-assigned this Mar 4, 2024
carlosmmatos added the documentation label Mar 4, 2024

Gianlu commented Mar 4, 2024

Hello,
Sorry, where do I have to define the scope? In the CrowdStrike console, I have full read for every single scope and I can't see the asset scope.
Moreover, with the same credentials the falconpy samples work (e.g. get_dups.py).

Thanks

@carlosmmatos

Which falconpy sample are you referring to? Also, would you mind sharing your dynamic inventory file configuration?


Gianlu commented Mar 4, 2024

Hello,
my inventory file is:

```yaml
# filename: 20_my_inventory.falcon_discover.yml
plugin: crowdstrike.falcon.falcon_discover

client_id: '*****************'
client_secret: '************************'
cloud: eu-1
```

The duplicate finder is duplicate_sensors.py

Thanks

@carlosmmatos

Cool thanks.. So yeah, that FalconPy sample is for the Hosts collection service, not to be confused with the Discover service collection which is what this inventory file uses.

This would be the equivalent to trying this FalconPy sample. Can you let me know if that sample works for you?

@romankis95

Hi @carlosmmatos, I'm a colleague of @Gianlu and the one that manages the API keys and tokens. Nope, that sample doesn't work for me. I was wondering which scope I'm missing, as I've allowed (for debugging purposes, obviously) every single scope in READ mode on my Falcon console. Is it possible that we may not have a specific subscription?

@carlosmmatos

Hey @romankis95 - It is possible you might not have the subscription needed for this. This is part of Exposure Management. This is what the subs needed would be:
[Screenshot: CleanShot 2024-03-04 at 11 45 44@2x]

And this is what the API scope would be:
[Screenshot: CleanShot 2024-03-04 at 11 43 17@2x]

If you are simply looking to take advantage of the Falcon Hosts API to use as an inventory, I have that as an action item todo.
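The distinction this thread turns on (credentials that authenticate, yet a 403 from one service collection) can be checked mechanically. The following is an added example, not part of the original thread or the project's code: it triages responses in the dictionary shape FalconPy returns, using constructed sample data; the function names and the 401/403 interpretation (standard HTTP semantics) are assumptions.

```python
# Added example. SAMPLE is constructed data in FalconPy's response shape:
# {"status_code": int, "body": {"errors": [...], "resources": [...]}}.

def classify(response):
    """Map one response to (outcome, joined error messages)."""
    status = response.get("status_code")
    errors = (response.get("body") or {}).get("errors") or []
    message = "; ".join(e.get("message", "") for e in errors)
    if status in (200, 201):
        return "ok", message
    if status == 401:
        # Assumption (HTTP semantics): the caller was not authenticated.
        return "bad_credentials", message
    if status == 403:
        # Authenticated, but this service collection is not permitted.
        return "not_authorized", message
    return "other_error", message


def triage(responses):
    """responses: {service collection name: response dict}."""
    outcomes = {name: classify(r)[0] for name, r in responses.items()}
    denied = sorted(n for n, o in outcomes.items() if o == "not_authorized")
    if "bad_credentials" in outcomes.values():
        verdict = "check client_id/client_secret and cloud region"
    elif denied and "ok" in outcomes.values():
        verdict = ("credentials valid; add scope or subscription for: "
                   + ", ".join(denied))
    elif denied:
        verdict = "credentials accepted but no probed service is authorized"
    else:
        verdict = "no authorization problem found"
    return outcomes, verdict


# Constructed sample mirroring the thread: Hosts works, Discover is denied.
SAMPLE = {
    "Hosts": {"status_code": 200,
              "body": {"errors": [], "resources": ["<aid-placeholder>"]}},
    "Discover": {"status_code": 403,
                 "body": {"errors": [{"code": 403,
                                      "message": "access denied, authorization failed"}],
                          "resources": []}},
}

if __name__ == "__main__":
    outcomes, verdict = triage(SAMPLE)
    print(outcomes)
    print(verdict)
```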


Gianlu commented Mar 5, 2024

Hello @carlosmmatos.
It seems we don't have the right subscription but we are glad to read that an inventory version using the Hosts API is planned.
May I ask when you plan to release it? I would be happy to be an "early adopter"; I hope the new version will have a similar input interface (e.g. the fql filter) and will inherit cacheable and constructable (it's mandatory for us in order to modify inventory_hostname).
I have just a couple of questions:

  • Does the inventory via Hosts API return in output the same (or similar) set of metadata?
  • May I ask if you plan to release the inventory with Jinja2 templating support in parameters?

Thanks

@carlosmmatos

As for timeline, I'm trying to play catch-up this week on this project. Have a few minor changes/updates, but then I plan on starting to add new modules + inventory plugin. It shouldn't take too long to do the inventory plugin since it will be very similar to the existing one.

With regards to your questions - the answer is yes, it will have the same feel as the existing dynamic inventory file - it will inherit cacheable and constructible and use fql to query the api. The output of the Hosts API is different than the Discover API, but if you wanted to get an idea of what to expect, you can do the following:

```python
import json
import os

from falconpy import Hosts

# Do not hardcode API credentials! Read them from the environment instead.
falcon = Hosts(client_id=os.environ["FALCON_CLIENT_ID"],
               client_secret=os.environ["FALCON_CLIENT_SECRET"]
               )

# Pass in an AID of an existing host
response = falcon.GetDeviceDetails(ids='AID')

print(json.dumps(response, indent=4))
```

As for Jinja2 support, this is part of the constructable class in dynamic inventories, so since we will be using it, it should support Jinja2 templating. (I assume this is what you are asking for).

@carlosmmatos

@Gianlu | @romankis95 - new PR is in place right now: #470
