SLK-103546 - Add Token Authentication Fallback Support

idanchAqua · idanchAqua · commit 6d49dac931e5 · 2026-02-26T12:16:11.000+02:00
- Add X-Tokens-Signature header to all API key-authenticated requests
- Calculate tokens signature using existing get_signature function with /v2/tokens endpoint
- Update trigger-aws.py: add header to get_cspm_key_id(), trigger_discovery(), and update_credentials() functions
- Update create_cspm_key.py: add header to get_cspm_key_id() and create_cspm_key() functions
- Update generate_external_id.py: add header to generate_external_id() function
- Enable backend fallback to Bearer token authentication when API key authentication fails
diff --git a/modules/single/modules/lambda/functions/create_cspm_key.py b/modules/single/modules/lambda/functions/create_cspm_key.py
@@ -57,7 +57,8 @@ def http_request(url, headers, method, body=None):
 def get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn):
     tstmp = str(int(time.time() * 1000))
     sig = get_signature(aqua_secret, tstmp, "/v2/keys", "GET", '')
-    headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Timestamp": tstmp}
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
+    headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Tokens-Signature": tokens_signature, "X-Timestamp": tstmp}
 
     response = http_request(cspm_url + "/v2/keys", headers, "GET")
     json_object = json.loads(response.data)
@@ -87,9 +88,11 @@ def create_cspm_key(cspm_url, aqua_api_key, aqua_secret, role_arn, external_id,
     tstmp = str(int(time.time() * 1000))
     jsonbody = json.dumps(body, separators=(',', ':'))
     sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", jsonbody)
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
     headers = {
         "X-API-Key": aqua_api_key,
         "X-Signature": sig,
+        "X-Tokens-Signature": tokens_signature,
         "X-Timestamp": tstmp
     }
 
diff --git a/modules/single/modules/lambda/functions/generate_external_id.py b/modules/single/modules/lambda/functions/generate_external_id.py
@@ -53,7 +53,8 @@ def generate_external_id(cspm_url, ac_url, aqua_api_key, aqua_secret, aws_accoun
     tstmp = str(int(time.time() * 1000))
     method = "POST"
     sig = get_signature(aqua_secret, tstmp, '/v2/generatedids', method, '')
-    headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Timestamp": tstmp}
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
+    headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Tokens-Signature": tokens_signature, "X-Timestamp": tstmp}
 
     response = http_request(u, headers, method)
     if response.get('status', 0) != 200 and response.get('status', 0) != 201 or not response.get('data'):
diff --git a/modules/single/modules/trigger/trigger-aws.py b/modules/single/modules/trigger/trigger-aws.py
@@ -72,9 +72,11 @@ def get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn):
     """Fetch the CSPM key ID for the given IAM role ARN"""
 
     sig = get_signature(aqua_secret, tstmp, "/v2/keys", "GET", '')
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
     headers = {
         "X-API-Key": aqua_api_key,
         "X-Signature": sig,
+        "X-Tokens-Signature": tokens_signature,
         "X-Timestamp": tstmp
     }
 
@@ -130,10 +132,12 @@ def trigger_discovery():
         )
 
     cspm_sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", body_cspm)
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
     headers = {
         "X-API-Key": aqua_api_key,
         "X-Authenticate-Api-Key-Signature": sig,
         "X-Register-New-Cspm-Signature": cspm_sig,
+        "X-Tokens-Signature": tokens_signature,
         "X-Timestamp": tstmp
     }
 
@@ -154,8 +158,9 @@ def update_credentials():
     cspm_key_id = get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, cspm_role_arn)
 
     cspm_sig = get_signature(aqua_secret, tstmp, f"/v2/keys/{cspm_key_id}", "PUT", cspm_body)
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
 
-    cspm_headers = {"X-API-Key": aqua_api_key, "X-Signature": cspm_sig, "X-Timestamp": tstmp}
+    cspm_headers = {"X-API-Key": aqua_api_key, "X-Signature": cspm_sig, "X-Tokens-Signature": tokens_signature, "X-Timestamp": tstmp}
 
     cspm_response = http_request(cspm_url + f"/v2/keys/{cspm_key_id}", cspm_headers, "PUT", cspm_body)
 
@@ -170,8 +175,9 @@ def update_credentials():
     })
 
     ac_sig = get_signature(aqua_secret, tstmp, "/v2/internal_apikeys", method="GET")
+    tokens_signature = get_signature(aqua_secret, tstmp, "/v2/tokens", "POST", '{"validity":1,"allowed_endpoints":["ANY"]}')
 
-    ac_headers = {"X-API-Key": aqua_api_key, "X-Authenticate-Api-Key-Signature": ac_sig, "X-Timestamp": tstmp}
+    ac_headers = {"X-API-Key": aqua_api_key, "X-Authenticate-Api-Key-Signature": ac_sig, "X-Tokens-Signature": tokens_signature, "X-Timestamp": tstmp}
 
     ac_response = http_request(ac_url + f"/discover/update-credentials/{cloud}", ac_headers, "PUT", ac_body)
 
