Not a heavy Postman user (yet), but we use it quite heavily in our company.
And I have seen that there is some struggle with AWS credentials.
Either you have to store static ones in Postman (not very secure), or you need to manually update temporary ones (session token and all) on the requests or collections/environments all the time.
Also, for us, it seems quite common that someone saves them to the shared collection. Which of course is wrong.
So I created a middleware this weekend that I'm calling (for lack of imagination) "pm-creds".
It only supports getting AWS credentials at the moment, but adding more should be fairly easy.
I have seen some similar things being done before, and perhaps there is another project exactly the same as mine… If so, I apologize, but I haven't found it yet.
The purpose is basically:
- Securely fetch credentials from AWS profiles using a "pre-request" script on the collection, based on an env var set in the environment (or fetch using the AWS default evaluation chain).
- Only listens on localhost and enforces TLS and that the client sends a certificate, so other local programs without access to the certificate cannot use the service.
- Only uses POST to be extra sure no proxy is caching anything, even though it's localhost…
- Generates a CA cert that is added to Postman so we can use TLS without having to disable "TLS/SSL verify".
- By default you need to press "y" in the console running the program to allow credentials to be sent when Postman requests them.
- Automatically allows delivery of credentials to Postman for profiles based on suffix/prefix (i.e. profiles ending in "-dev" etc.).
- Warning colors on requests being made for profiles based on suffix/prefix. Those requests will be printed in red to grab the utmost attention before allowing (i.e. profiles ending with "-prod" etc.).
- Denies profiles altogether based on prefix/suffix (i.e. for "-prod" etc.).
And sorry for shamelessly plugging my own project! But I thought it could be useful to some of you, and input would be appreciated as well!
I have surely missed something. But if anyone is interested, please have a look at:
GitHub - nuttmeister/pm-creds (Postman Credentials is used to securely set credentials for a provider into your Postman collections and requests) for the source and instructions on how to get started.
Binary releases are available as well under "Releases · nuttmeister/pm-creds · GitHub".
It's still very early days and code quality is not perfect everywhere yet. But it should be rather useful at this point in time.
To get started, download the binary or build from source and run the following command.
pm-creds --create-certs --create-config pm-creds
Configuration files and certificates are stored in ~/.pm-creds (and the equivalent home directory on Windows).
Add the provider (only AWS, as stated before) under ~/.pm-creds/providers.toml like below:
[aws]
type = "aws"
Add ca-cert.pem as a CA Certificate in Postman settings.
Add the server.pem and server.key as Client certificate for http://localhost:9999.
Then configure the pre-request script (found under the /postman folder or in the readme) and you should be good to go!
Anyway. Sorry for the long post and shameless self-promotion.
Input and PRs for other providers such as GCP etc. would be appreciated.
If this helped anyone it would have made my day! Thanks!
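The post describes the broker's security properties in prose: loopback-only, mutual TLS with the broker's own CA, POST only, and prefix/suffix policy that decides between auto-allow, prompt, warn and deny. The block below is an added example written for this page to show those pieces in working Go; it is not pm-creds' own code and makes no claim about how pm-creds is implemented. Everything not in the post is an assumption: the JSON request body `{"profile": "..."}`, the `*-dev` / `prod-*` pattern syntax, the `Policy` and `Decision` names, and the idea that the server cert, key and CA cert sit next to the binary under the file names the post mentions. The credential lookup and the console "y" prompt are deliberately left out; the handler only reports which decision the policy reached.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"log"
	"net/http"
	"os"
	"strings"
)

type Decision string // what the broker does when Postman asks for a profile's credentials

const (
	Deny       Decision = "deny"        // never hand out credentials for this profile
	AutoAllow  Decision = "auto-allow"  // hand out without asking (e.g. "*-dev")
	Prompt     Decision = "prompt"      // operator must press "y" in the console
	PromptWarn Decision = "prompt-warn" // prompt, printed in red (e.g. "*-prod")
)

// Policy patterns (assumed syntax): "*-dev" is a suffix rule, "prod-*" a prefix rule, anything else an exact name.
type Policy struct{ Deny, Warn, Allow []string }

func matches(profile string, patterns []string) bool {
	for _, pat := range patterns {
		if pat == profile ||
			strings.HasPrefix(pat, "*") && strings.HasSuffix(profile, pat[1:]) ||
			strings.HasSuffix(pat, "*") && strings.HasPrefix(profile, pat[:len(pat)-1]) {
			return true
		}
	}
	return false
}

// Classify is fail-closed: deny beats warn, warn beats auto-allow, and an unmatched profile still needs a manual "y".
func Classify(profile string, p Policy) Decision {
	switch {
	case matches(profile, p.Deny):
		return Deny
	case matches(profile, p.Warn):
		return PromptWarn
	case matches(profile, p.Allow):
		return AutoAllow
	default:
		return Prompt
	}
}

// Handler accepts POST only, refuses denied profiles before any lookup, and marks the response no-store.
func Handler(p Policy) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "POST only", http.StatusMethodNotAllowed)
			return
		}
		var req struct{ Profile string } // assumed body: {"profile": "<aws profile name>"}
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&req); err != nil || req.Profile == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		d := Classify(req.Profile, p)
		if d == Deny {
			http.Error(w, "profile denied by policy", http.StatusForbidden)
			return
		}
		w.Header().Set("Cache-Control", "no-store")
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"profile": req.Profile, "decision": string(d)})
	})
}

// NewServer requires a client certificate issued by clientCAs (mutual TLS), so a local process without it fails the handshake.
func NewServer(addr string, serverCert tls.Certificate, clientCAs *x509.CertPool, p Policy) *http.Server {
	return &http.Server{
		Addr:    addr, // bind to loopback only, e.g. "127.0.0.1:9999"
		Handler: Handler(p),
		TLSConfig: &tls.Config{
			Certificates: []tls.Certificate{serverCert},
			ClientAuth:   tls.RequireAndVerifyClientCert,
			ClientCAs:    clientCAs,
		},
	}
}

func main() {
	// File names follow the post; their location and the policy values are assumptions.
	cert, err := tls.LoadX509KeyPair("server.pem", "server.key")
	if err != nil {
		log.Fatal(err)
	}
	caPEM, _ := os.ReadFile("ca-cert.pem") // empty on error, which the pool check below rejects
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		log.Fatal("ca-cert.pem: no CA certificate found")
	}
	srv := NewServer("127.0.0.1:9999", cert, pool, Policy{Deny: []string{"*-prod"}, Allow: []string{"*-dev"}})
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: the certificate comes from TLSConfig
}
```

Two details matter more than they look. `RequireAndVerifyClientCert` makes the TLS handshake itself fail for any local process that cannot present a certificate chained to the CA, so the policy code never sees such a request; and the policy is evaluated deny-first, so a profile like `acme-dev-prod` that matches both an allow rule and a deny rule is denied rather than auto-allowed.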