Using Splunk Cloud Platform ACS API
Splunk Cloud Platform recently introduced a feature that lets administrators make changes to their Splunk Cloud Platform environment that previously required a support ticket. This feature, the Admin Config Service (ACS) API, will be a great addition to your toolkit as a Splunk Cloud Platform administrator.
In this tutorial, I’ll cover how to get started with the ACS API, and then walk through examples of using it to change the IP allow lists in a Splunk Cloud Platform environment.
How to get started with the ACS API
Submit an Onboarding Request
In order to use the ACS API, you’ll need to request that it be enabled for your stack. At the time of this writing, the ACS API is not enabled by default. I’ve used the following template for the tickets I’ve opened:
Subject: ACS API onboarding
Deployment: Splunk Cloud
I need help with: Authentication & Security – Splunk Cloud
Feature/Component/App: Admin Config Service
Please onboard the stack for using the ACS API.
Please use the following maintenance window for any required restarts:
Splunk Cloud Platform support will update you once this change has been made to your environment. Getting this part completed is generally a quick process.
Next, create an authentication token for the API. To create a token, navigate to Settings -> Tokens, and click New Token.
In the New Token dialog, specify the username associated with the token, the description/purpose of the token, and the expiration time for the token.
Upon clicking Create, the token will be displayed in the Token box of the dialog. Be sure to copy it at this point, as it’s not possible to retrieve the token after the window has been closed.
Now that you have the ACS API enabled and a token, we can start using it.
Example: Add Host to REST API
Now, let’s walk through an example of adding a host to the IP allow list for the REST API on the search heads (TCP/8089). This access isn’t allowed by default in Splunk Cloud, but it is often desired for monitoring Splunk or integrating other products.
Note: in all of these examples, replace <stack> with your Splunk Cloud stack name (the part in front of .splunkcloud.com in the URL) and <token> with the token generated above.
Start by getting a current list of subnets which have access to the REST API:
In this example, nothing is currently allowed, which is what you would expect to see by default.
Now, let’s try to add two addresses to the allow list.
For this example, I’m going to add the IP addresses 192.0.2.1 and 192.0.2.50. Since these are individual IP addresses, I’ll specify the subnet mask as /32.
Upon submitting this request, wait a few minutes, and re-run the first command to view the subnets that are now in the allow list:
At this point, these IP addresses should now have access to the Splunk search REST API.
Updating Other ACLs
The ACS API isn’t limited to updating access to the REST API on the search heads. There are a number of other options outlined in the Splunk Documentation, including access to the HTTP Event Collector endpoint, the search head web UI, and the IDM (Inputs Data Manager) web UI and REST API.
To configure a different ACL, replace “search-api” in the request above with the name of another feature, as listed in the linked documentation.
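The curl commands this post walks through are not reproduced here, so the following is an added Python script (not Hurricane Labs’ code) that performs the same steps for any of the access features just listed: it validates and normalizes each entry to a single-host prefix the way the /32 example does, adds the entries, then re-reads the list to confirm they have appeared. The endpoint path, the Bearer-token header and the `{"subnets": [...]}` body shape are assumptions taken from the ACS documentation; stack name and token come from environment variables.

```python
import ipaddress
import json
import os
import urllib.request

# Assumed from the ACS documentation (not shown in the post): endpoint layout,
# the Bearer-token header and the {"subnets": [...]} request/response body.
ACS_BASE = "https://admin.splunk.com"
FEATURES = {"search-api", "search-ui", "hec", "s2s", "idm-api", "idm-ui"}


def normalize_subnets(entries):
    """Validate each entry as a CIDR; a bare address becomes a /32 (IPv4) or /128 (IPv6)."""
    # strict=True rejects entries such as 192.0.2.1/24 (host bits set), which would
    # otherwise quietly open a whole /24 instead of the one host that was intended.
    return [str(ipaddress.ip_network(e.strip(), strict=True)) for e in entries]


def build_request(stack, feature, token, subnets=None):
    """Return (url, headers, body): body is None for a GET (list), JSON for a POST (add)."""
    if feature not in FEATURES:
        raise ValueError(f"unknown ACS access feature: {feature}")
    url = f"{ACS_BASE}/{stack}/adminconfig/v2/access/{feature}/ipallowlists"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = None if subnets is None else json.dumps({"subnets": normalize_subnets(subnets)})
    return url, headers, body


def call_acs(stack, feature, token, subnets=None):
    """List (GET) or add (POST) allow-list entries and return the decoded JSON reply."""
    url, headers, body = build_request(stack, feature, token, subnets)
    data = None if body is None else body.encode()
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="GET" if data is None else "POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def add_and_verify(stack, feature, token, subnets, call=call_acs):
    """Add subnets, re-list, and return those not yet visible (propagation takes a few minutes)."""
    wanted = normalize_subnets(subnets)
    call(stack, feature, token, wanted)
    current = set(call(stack, feature, token).get("subnets", []))
    return [s for s in wanted if s not in current]


if __name__ == "__main__":
    # The token is read from the environment rather than passed on the command
    # line, so it does not land in shell history or process listings.
    pending = add_and_verify(os.environ["ACS_STACK"], "search-api",
                             os.environ["ACS_TOKEN"], ["192.0.2.1", "192.0.2.50"])
    print("entries not yet visible in the allow list:", pending)
```

If `add_and_verify` still reports entries as pending, wait a few minutes and call the list request again, as the post describes; a non-empty result right after the POST is expected.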
The addition of the ACS API has been incredibly helpful for speeding up ACL changes in Splunk Cloud Platform environments, turning a process that typically took a support case and a few days of turnaround into something that can be completed in just a few minutes. If you’re a current or new Splunk Cloud Platform administrator, I’d highly recommend checking out this API and adding it to your toolbelt.
About Hurricane Labs
Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.
For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.