Self-service API keys for CLI scans - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-04
Category
Administrator Guide

This self-service model allows developers to programmatically generate task-specific keys for CLI and IDE scans via the Public API. By using a Primary API key as a master credential, developers can provision restricted-access keys, such as read-only for local scans, without requiring administrative permissions in the UI. This approach maintains tenant security by ensuring all scans follow the principle of least privilege.

Prerequisite: You must have sufficient administrative permissions within your tenant to create new roles and manage API keys.

IMPORTANT: When generating an API key, ensure you select the Standard security level. CLI scans will fail if the security level of the API key is set to Advanced.

If the user creating the Primary Key is an Instance Admin or Account Admin, follow the simplified workflow (Path A). Otherwise, follow the full flow (Path B).

Path A: Admin flow

Follow this procedure if you have Instance Admin or Account Admin privileges. Because you already hold tenant-wide permissions, you do not need to assign CLI roles to your user account via User Groups. You can skip those steps (required for non-admins) and attach the default CLI roles directly to the API key.

  1. Create a Public API (PAPI) Edit role (no default exists for this). Refer to the Public API (PAPI) Edit row in Create custom roles below for more information.

  2. Proceed directly to the Generate and use API keys section below to provision your Primary Key.

Path B: Non-admin flow

The following procedure is required for non-admin users, because the built-in CLI and CLI Read Only roles are not visible in the API Keys screen for non-admins.

Create custom roles

Navigate to your role management settings in the tenant to generate the following three roles with these exact permission sets.

Role name            | Required permission and description
---------------------|------------------------------------------------------------------------------------------------------
CLI Read-Only Custom | CLI Tools View: Grants permission to run CLI scans and view output locally without uploading results to the tenant
CLI Write Custom     | CLI Tools View/Edit: Grants permission to run CLI scans and upload/manage results within the tenant
Public API (PAPI) Edit | Public API View/Edit: Grants the administrative permission required to programmatically generate and manage new API keys

Assign roles to a privileged user

To establish a Primary Key holder, you must grant a specific privileged user the permissions from all three custom roles. Because the UI allows only one role to be assigned directly to a user, you must use User Groups to grant multiple roles simultaneously.

  1. Create user groups: Create three separate User Groups in your tenant, assigning one of the custom roles to each group.

  2. Add user to groups: Add the designated privileged user to all three of these User Groups.

  3. Verify accumulated permissions: Edit the primary user and ensure that the User Groups field includes the three User Groups.

This user now has the combined authority to generate the Primary API Key required to set up programmatic key generation.

Generate and use API keys

Now that you have the required permissions (from either Path A or Path B), you must manually generate a Primary API Key through the console. This primary key acts as the master credential for subsequent automation.

  • If you followed Path A (Admin): Associate the key with the CLI Read Only (default), CLI (default), and Public API (PAPI) Edit roles.

  • If you followed Path B (Non-admin): Associate the key with the CLI Read-Only Custom, CLI Write Custom, and Public API (PAPI) Edit roles.

Using the Primary Key, developers can now make calls to the Public API to generate subsequent keys as needed for IDE or CLI scans:

  • To run scans without uploading the results to the platform: Generate a key and associate it only with the CLI Read-Only Custom (or default CLI Read Only) role.

  • To run scans and upload the results to the platform: Generate a key and associate it only with the CLI Write Custom (or default CLI) role.

The following curl command demonstrates how developers can use the Primary Key to generate a new API key assigned with the CLI Read-Only role:

curl --request POST \
  --url https://api-<YOUR_TENANT>.xdr.<REGION>.paloaltonetworks.com/public_api/v1/api_keys/generate \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: <YOUR_PRIMARY_KEY_HERE>' \
  --header 'x-xdr-auth-id: <YOUR_AUTH_ID>' \
  --data '{
  "request_data": {
    "roles": [
      "CLI Read-Only Custom"
    ],
    "security_level": "standard",
    "comment": "Developer CLI Read-Only scan key",
    "expiration": <FUTURE_EPOCH_TIMESTAMP>
  }
}'
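
As an added example that is not part of this guide and not Palo Alto Networks' own tooling, the following Python script wraps the same request in a small least-privilege policy check before anything is sent: it attaches exactly one CLI scan role, pins security_level to standard (CLI scans fail with Advanced, as noted above), refuses to put the Public API (PAPI) Edit role on a task-specific key, and requires a future expiration. The endpoint, headers and request body shape are taken from the curl command; the function names, the SCAN_ROLES map, the seven-day default expiry and the assumption that expiration is in epoch seconds are all assumptions. The response format is not documented on this page, so the decoded JSON is returned without interpretation.

```python
"""Least-privilege key issuance helper for the api_keys/generate call.

Added example, not the guide's or the vendor's code. Assumes the endpoint,
headers and body shape of the curl command in this guide; everything else
(names, role map, default expiry, epoch-seconds unit) is an assumption.
"""
import json
import time
import urllib.request

# Roles this helper may hand out, keyed by scan purpose: the custom role
# names created under "Create custom roles" (Path B) and the built-in
# default roles used in Path A.
SCAN_ROLES = {
    "read-only": ("CLI Read-Only Custom", "CLI Read Only"),
    "write": ("CLI Write Custom", "CLI"),
}

# A task-specific scan key must never be able to mint further keys.
FORBIDDEN_ROLES = {"Public API (PAPI) Edit"}


class KeyPolicyError(ValueError):
    """Raised when a requested key would violate the least-privilege policy."""


def build_generate_request(purpose, comment, expiration, *, use_default_roles=False, now=None):
    """Build the body for api_keys/generate.

    purpose:    "read-only" (scan locally, no upload) or "write" (upload results).
    expiration: Unix epoch timestamp (seconds assumed); must lie in the future.
    now:        injectable clock for tests; defaults to time.time().
    """
    if purpose not in SCAN_ROLES:
        raise KeyPolicyError(f"unknown scan purpose {purpose!r}")
    custom, default = SCAN_ROLES[purpose]
    role = default if use_default_roles else custom
    if role in FORBIDDEN_ROLES:
        raise KeyPolicyError(f"role {role!r} may not be attached to a scan key")
    now = time.time() if now is None else now
    if not isinstance(expiration, int) or expiration <= now:
        raise KeyPolicyError("expiration must be an epoch timestamp in the future")
    return {
        "request_data": {
            "roles": [role],               # exactly one task-specific role
            "security_level": "standard",  # CLI scans fail with "advanced"
            "comment": comment,
            "expiration": expiration,
        }
    }


def validate_request(body):
    """Re-check any body (e.g. a hand-written one) against the policy; returns a list of problems."""
    data = body.get("request_data", {})
    problems = []
    if data.get("security_level") != "standard":
        problems.append("security_level must be 'standard'")
    roles = data.get("roles", [])
    if len(roles) != 1:
        problems.append("exactly one role expected")
    allowed = {r for pair in SCAN_ROLES.values() for r in pair}
    for r in roles:
        if r in FORBIDDEN_ROLES:
            problems.append(f"forbidden role {r!r}")
        elif r not in allowed:
            problems.append(f"not a CLI scan role: {r!r}")
    return problems


def generate_key(tenant, region, primary_key, auth_id, body):
    """POST the body with the Primary Key; returns the decoded JSON response (shape not documented here)."""
    problems = validate_request(body)
    if problems:
        raise KeyPolicyError("; ".join(problems))
    url = f"https://api-{tenant}.xdr.{region}.paloaltonetworks.com/public_api/v1/api_keys/generate"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={
            "Accept": "application/json",
            "Content-Type": "application/json",
            "Authorization": primary_key,
            "x-xdr-auth-id": str(auth_id),
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Seven-day expiry is an assumed default; adjust to your own key rotation policy.
    body = build_generate_request("read-only", "Developer CLI Read-Only scan key",
                                  int(time.time()) + 7 * 86400)
    print(json.dumps(body, indent=2))
    # generate_key("<YOUR_TENANT>", "<REGION>", "<YOUR_PRIMARY_KEY_HERE>", "<YOUR_AUTH_ID>", body)
```

Run it once to print the body it would send; uncomment the final line with your tenant values to actually issue the key. Keeping the policy in code (rather than in each developer's head) is what makes the self-service model safe: a mistyped role or an Advanced security level is rejected locally instead of producing a key that is either over-privileged or unusable for CLI scans.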

Verify API key status

To ensure the keys are configured correctly, privileged users can verify their status by navigating to Settings > API Keys. Locate the generated key in the API Keys inventory and confirm that the Role column reflects the specific custom role assigned rather than a broad administrative role.

Reference

For more information about generating API Keys, refer to Manage API keys.