API Reference
The StrongDM API allows users of StrongDM to programmatically interact with their organization in StrongDM in order to create, remove, or manage users, roles, permissions, gateways, relays, resources, and more. The amount of API access afforded to an API key depends entirely on what was granted to the key by the organization's administrators when the key was created.
The StrongDM API is constructed with gRPC and a request signature model that requires the use of one of the StrongDM SDKs to interface with the API. The SDKs were designed with REST principles in mind. They are built around a set of domain objects, as well as the basic set of Create, Read, Update, and Delete (CRUD) operations.
Moreover, the StrongDM API provides advanced auditing and logging capabilities that simplify how data is extracted from StrongDM for programmatic integration into other parts of your organization, such as SIEM, log aggregators, compliance and/or security reports, or end-to-end IAM workflows. You can additionally use the StrongDM API to do the following:
Get the history of what happened in your organization.
View full snapshots.
Look at shells for all replays.
View SSH session data as it comes in, and watch sessions play live.
Actively look at queries as they come in.
Suspend users by ID.
Follow instructions in the tab for your organization's StrongDM region, not your location.
You can interact with the API via any of StrongDM's SDKs or Terraform. The destination for requests directly to the StrongDM API is: app.strongdm.com. If you are using Terraform, this value needs to be set for the host.
StrongDM SDKs
The StrongDM API allows for the programmatic management of StrongDM features as well as the resources attached to the organization. StrongDM supports the following SDK options: Go, Java, Python, and Ruby.
Feel free to use the SDKs to interact with StrongDM from your own software.
StrongDM Terraform Provider
StrongDM's Terraform provider makes use of the StrongDM API and has a set of Terraform provider examples.
How It Works
The StrongDM API does not rely on bearer tokens alone to protect your requests (and thus your infrastructure). Instead, the StrongDM API requires the use of request signatures modeled on the AWS V4 signing process. This methodology never sends a secret key over the network. If the key isn't sent, the key cannot be intercepted. Furthermore, this methodology allows StrongDM to validate the time and payload of each API call, protecting against replay attacks or Manipulator in the Middle (MitM) message tampering. The StrongDM SDKs handle the gRPC calls and signing process to ensure a consistent and convenient experience.
Authentication
Each SDK provides a client that must be constructed with an API ID and Secret (also referred to as your API key). This key also sets the client's permission to manage objects within StrongDM. For instructions on creating your API key, see the API Keys page.
For example, in Python:
def main():
client = strongdm.Client(<YOUR-ID>,<YOUR-SECRET>)Domain objects
Domain objects are present in all of the StrongDM SDKs. These domain objects are, in a way, the glossary of the API. Once you're familiar with them, you'll better understand what you can do with the API.
Modifiable domain objects
The domain objects in the following table may be modified.
AccountAttachments
Assigns an account to a role
AccountGrants
Assigns a resource directly to an account, giving the account the permission to connect to that resource
AccountPermissions
Records the granular permissions accounts have, allowing them to execute relevant commands via StrongDM's APIs
Accounts
User accounts or service accounts that have access to StrongDM; a user account is for humans who are authenticated through username and password or SSO; a service account is for machines that are authenticated using a service token
Nodes
The gateway(s) and relay(s) that make up your StrongDM network and allow your users to connect securely to your resources. Gateways, the entry points into the network, listen for connections from the StrongDM client and provide access to databases and servers. Relays are used to extend the StrongDM network into segmented subnets. They provide access to databases and servers but do not listen for incoming connections.
PeeringGroupNodes
Provides the building blocks necessary to attach a node to a peering group
PeeringGroupPeers
Provides the building blocks necessary to link two peering groups
PeeringGroupResources
Provides the building blocks necessary to attach a resource to a peering group
PeeringGroups
Provides the building blocks necessary to obtain explicit network topology and routing
Policies
Policies are a collection of zero or more policy statements written in the Cedar policy language that enforce fine-grained action control for the users of an organization.
IdentityAliases
Assigns an Identity Alias-enabled resource directly to an account, giving the account the permission to connect to that resource using an Identity Alias instead of a leased credential
IdentitySets
A named grouping of Identity Aliases for accounts; an account's relationship to a IdentitySet is defined via IdentityAlias objects
Resources
Databases, servers, clusters, websites, or clouds to which StrongDM delegates access
Roles
A collection of of access rules that determine which Resources the members of the role can access; an account can be a member of multiple roles via AccountAttachments
SecretStores
Servers where resource secrets (for example, passwords and keys) are stored
WorkflowApprovers
A listing of users assigned to the workflow as approvers
WorkflowRoles
A listing of the roles assigned to a workflow, which indicate which users may make requests via that workflow
Workflows
A collection of rules that define the resources to which access can be requested, the roles that allow their members to request access to those resources, and the mechanism for approving those requests
Read-only domain objects
The domain objects in the following table are read-only. They primarily allow you to view logs, administrative activities, and historical changes.
AccessRequestEventsHistory
A record of all changes to the state of an AccessRequestEvent
AccessRequests
Requests for access to a resource via a workflow
AccessRequestsHistory
A record of all changes to the state of an AccessRequest
AccountAttachmentsHistory
A record of all changes to the state of an AccountAttachment
AccountGrantsHistory
A record of all changes to the state of an AccountGrant
AccountResources
Enumerates the resources to which accounts have access
AccountResourcesHistory
A record of all changes to the state of an AccountResource
AccountsHistory
A record of all changes to the state of an account
Activities
A record of an action taken against a StrongDM deployment, such as user creation, resource deletion, or SSO configuration change
ControlPanel
A record of all administrative controls
NodesHistory
A record of all changes to the state of a node
OrganizationHistory
A record of all changes to the state of an organization
PoliciesHistory
A record all changes to the state of a Policy
Queries
A record of single client request to a resource (for example, a SQL query); SSH, RDP, or Kubernetes interactive sessions also count as queries
IdentityAliasesHistory
A record of all changes to the state of an IdentityAlias
IdentitySetsHistory
A record of all changes to the state of an IdentitySet
Replays
Captures the data transferred over a long-running SSH, RDP, or Kubernetes interactive session/query
ResourcesHistory
A record of all changes to the state of a resource
RoleResources
Enumerates the resources to which roles have access
RoleResourcesHistory
A record of all changes to the state of a RoleResource
RolesHistory
A record of all changes to the state of a role
SecretStoresHistory
A record of all changes to the state of a SecretStore
WorkflowApproversHistory
A record of all changes to the state of a WorkflowApprover
WorkflowAssignments
A listing of the resources assigned to a workflow
WorkflowAssignmentsHistory
A record of all changes to the state of a WorkflowAssignment
WorkflowRolesHistory
A record of all changes to the state of a WorkflowRole
WorkflowsHistory
A record of all changes to the state of a workflow
Requests
Each domain object is accessible via functions or methods provided by the client.
For example, in Ruby:
users = client.accounts.list("")Filters
Many domain objects provide a common filtering language. You can use filters to narrow results from most Read operations when making requests.
For example, in Go:
users, err := client.Accounts().List(ctx, "firstName:Alice")
if err != nil {
log.Fatal("failed to query accounts:", err)
}In the Go example shown, only users matching the first name "Alice" are returned.
Paginate results
When making a request with a Read operation that returns many results, the SDK automatically paginates the results. Depending on the language, pagination may be modeled as a transparent iterator, as in Ruby:
users.each do |user|
p user
endAlternatively, pagination may be modeled as an explicit call to receive the next result, as in Go:
for users.Next() {
user := users.Value()
fmt.Println(user)
}Audit API
History
History domain objects (such as AccountsHistory) offer a time range to show the history of what was changed over time. For example, Accounts provides information about users and service accounts, whereas AccountsHistory provides a historical record of all the changes that have been made to the state of those accounts.
If the Enterprise plan is enabled for your organization, you can query the domain objects and get history for the last 13 months. If the Enterprise plan is not enabled, you can query back 30 days by default and results may be truncated to 20 rows returned.
Snapshots
Typical calls to the API return the state of a domain object at the time of the request. Snapshots, however, allow you to view the state of one or more domain objects at a specified time in the past. Snapshots let you programmatically extract the history of what happened in your organization at a certain time regarding access grants, gateways and relays, roles, resources, and so forth.
Let's say, for example, that within the last hour there was a security incident related to a role granting access to all Redis resources. You can use a snapshot to see the state of the role an hour ago. In the following example, the desired time is specified in client.SnapshotAt(<TIME>).
For example, in Go:
client.SnapshotAt(time.Now().Add(-1*time.Hour)).Roles().Get(ctx, "r-123456")Snapshots are supported for the following domain objects:
AccessRequestsAccountAttachmentsAccountGrantsAccountPermissionsAccountResourcesAccountsNodesIdentityAliasesIdentitySetsPoliciesResourcesRoleResourcesRolesSecretStoresWorkflowApproversWorkflowAssignmentsWorkflowRolesWorkflows
If the Enterprise plan is enabled for your organization, you can use snapshots for any time in the last 13 months. If the Enterprise plan is not enabled, you can use snapshots for the last 30 days by default and results may be truncated to 20 rows returned.
Rate Limits
Requests are subject to rate limits. Default rate limits are generous, and you're unlikely to reach rate limits during normal operations.
Additional Information
Generate API KeysLast updated
Was this helpful?