Automate Temporary Access with PagerDuty Schedules

This is a guide for manually setting up a script to integrate an on-call schedule in PagerDuty with StrongDM. However, a first-party integration with PagerDuty is now available and is the recommended option for most use cases. See the PagerDuty Integration section for details.

If you use PagerDuty, then you already have on-call schedules mapped out for critical roles. But when someone is on-call, they may need more resource access than they would at other times. This is where StrongDM temporary grants come in. You can integrate your PagerDuty on-call schedule with StrongDM to automatically grant StrongDM users access to additional resources during their on-call shifts. This Python example shows a simple way of managing the process.

Requirements

To get this script working in your environment, you'll need the following:

A StrongDM API key with Resources > List, Grants > Read, and Grants > Write permissions.
A StrongDM resource name
A PagerDuty API token with read-only rights
The schedule ID of a PagerDuty schedule you wish to use as the basis of the temporary grants (If your schedule is https://example.pagerduty.com/schedules/A123BCD the last portion of the path, A123BCD , is the ID.

Setup

In order for this automation to work, your users will need to be identified by the same email addresses in PagerDuty and in StrongDM.

The script has two major portions:

First, look up who is on call for a specific schedule over a certain time period
Second, parse these assignments with the StrongDM SDK to grant temporary access to a datasource or server.

Two API calls are necessary to PagerDuty:

Get the list of who is on call will give a list of users and user IDs, but not email addresses.
Conduct specific user lookups to get us the email addresses of the person(s) who are on call.

To set up your PagerDuty automation, add this script to your crontab to run on a regular schedule. Modify the UNTIL calculation to match the interval you are running it at. For instance, if you're running it weekly, that line would look like this:

UNTIL = (datetime.timedelta(days=7) + datetime.datetime.utcnow()).isoformat() + 'Z'

The Python Script

#!/usr/bin/env python

import requests,json,datetime,subprocess,strongdm,re
from datetime import timezone

# PagerDuty API key
API_KEY = 'PD_API_KEY'

# StrongDM API keys: requires datasource list,grant and user list,assign
access_key = "SDM_ACCESS_KEY"
secret_key = "SDM_SECREY_KEY"

# name of StrongDM Datasource to which you are granting access
DATASOURCE = 'DATASOURCE_NAME'

# Set your time zone
TIME_ZONE = 'UTC'
# Get this ID from the PagerDuty admin UI, or via their 'schedules' API endpoint
SCHEDULE_IDS = ['PD_SCHEDULE_ID']
# for the PD API requests. Modify UNTIL with the proper time offset
UNTIL = (datetime.timedelta(days=1) + datetime.datetime.utcnow()).isoformat() + 'Z'

def get_oncalls():
  url = 'https://api.pagerduty.com/oncalls'
  headers = {
    'Accept': 'application/vnd.pagerduty+json;version=2',
    'Authorization': 'Token token={token}'.format(token=API_KEY)
  }
  payload = {
    'time_zone': TIME_ZONE,
    'schedule_ids[]': SCHEDULE_IDS,
    'until': UNTIL,
  }
  
  r = requests.get(url, headers=headers, params=payload)
  struct = r.json()
  output = []

  for record in struct["oncalls"]:
  # get user's email address
    r = requests.get(record["user"]["self"], headers=headers)
    output.append({"email" : r.json()["user"]["email"],
            "from" : record["start"],
            "to" : record["end"]})
  return output

def grant_access(access_list):

  client = strongdm.Client(access_key, secret_key)

  # Get Datasource(s)
  resources = list(client.resources.list('name:"{}"'.format(DATASOURCE)))
  resourceID = resources[0].id

  # Cycle through the output from PagerDuty
  for item in access_list:
    # Use the email address to get the user.id from SDM
    print('Current PD user is: ' + item["email"])
    users = list(client.accounts.list('email:{}'.format(item["email"])))
    if len(users) > 0:
      print('SDM user found!')
      myUserID = users[0].id
      # Convert the date strings from PD into a datetime object
      s = datetime.datetime.strptime(item["from"], '%Y-%m-%dT%H:%M:%SZ')
      e = datetime.datetime.strptime(item["to"], '%Y-%m-%dT%H:%M:%SZ')
      # Make both objects 'aware' (with TZ) as required by the StrongDM SDK
      start = s.replace(tzinfo=timezone.utc)
      end = e.replace(tzinfo=timezone.utc)
      # Create the grant object
      myGrant = strongdm.AccountGrant(resource_id='{}'.format(resourceID),account_id='{}'.format(myUserID), 
        start_from=start, valid_until=end)
      # Perform the grant
      try:
        respGrant = client.account_grants.create(myGrant)
      except Exception as ex:
        print("\nSkipping user " + item["email"] + " on account of error: " + str(ex))
      else:
        print("\nGrant succeeded for user " + item["email"] + " to resource " + DATASOURCE + " from {} to {}".format(start,end))
    print('---\n')

def main():
  access = get_oncalls()
  grant_access(access)

main()

Last updated 1 day ago

Was this helpful?

hashtagRequirements

hashtagSetup

hashtagThe Python Script

Requirements

Setup

The Python Script