How to execute third party CLI using Postman

Hello, I am building a project for automating the inclusion of API secrets into the request header with the following functional requirement:

Enable/disable the loading of the client’s API_KEY: API_SECRET_VALUE pair into the request header in Postman

I was wondering if there is a workaround to execute 3rd party CLIs on the client’s local machine, then fetch the result of the CLI in order to populate request header fields in Postman? I don’t want to preload the API secrets into Postman due to security reasons, so that is not an option. Another solution that would work was to have each client host a local server that would execute the 3rd party CLI, since that would require too much setup from the client POV.

There are two ways of doing this.

The preference is to call the 3rd party API first as part of your pipeline and then pass these as parameters to the Postman CLI (Newman).

This means you just need the variables in the Postman collection that you send via the pipeline. No extra code is required.

The other option is you write a pre-request test script that pulls data from the 3rd party CLI using sendRequest. Extra code is needed, and you need to include error handling.

However, looking at the blurb for that application, it doesn’t look like it’s got a standard API, and it needs to be installed locally (via PowerShell, so it looks like it’s Windows based as you call the executable). I can’t actually work out where it actually saves\stores the vault. But it does look like you have to install this on a host server that can be accessed by the pipeline.

We use Microsoft Azure Key Vault which pretty much does the same thing but is a hosted service that integrates well with Azure DevOps pipelines.

Thanks for your insightful response!

I’m still a beginner, but for the first option you proposed, would a good design be to write a script that would fetch the secrets from the 3rd party CLI (1Password), then the script would load the api_key_secret:api_value_secret pairs into the appropriate Newman CLI command?

The script would be run on the client’s local machine.

You can do that if you are not running this from a continuous integration platform like Jenkins or Azure DevOps. (I would recommend investing in one though).

If you are running this locally from the client machine, you don’t really need the 3rd party vault.

Technically, I guess it makes it more secure, but if running locally you could store your passwords in a CSV file on a locked down shared drive. If you are being extra cautious, you could encrypt the passwords, so the file only contains the encrypted password and the secret needed to decrypt located on a locked down shared drive.

I’m not quite understanding how that third party vault works though. It needs to be central if more than one client is going to use the secrets contained in it. It can’t be installed locally on one device, as only that device will be able to access it.

The advantage with Azure DevOps is that it has an inbuilt task that you can add to your pipeline to retrieve Azure Key Vault secrets before you run your command line for Newman. (I guess that is the advantage of both being Microsoft products).
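
The wrapper script discussed in this thread (fetch the secret from a CLI on the client machine, then hand it to Newman), sketched as an added example that is not from any of the posts above. It assumes the 1Password CLI's `op read` command, Newman's `-e` environment-file option, a Postman variable named `API_KEY`, and a single-line secret; the function names and the `on`/`off` switch are made up for illustration. The secret goes into a short-lived file readable only by the current user rather than onto the Newman command line, where other local users could see it in the process list.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed: `op read <reference>` from the
# 1Password CLI, Newman's `-e <environment file>`, and the variable name API_KEY.

# Fetch one secret; redefine this function to use a different vault CLI.
fetch_secret() { op read "$1"; }

# Escape backslashes and double quotes so the value is a valid JSON string.
# Assumes a single-line secret (no control characters).
json_escape() { printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'; }

# Write a Postman environment file that only the current user can read.
# $1 = variable name, $2 = secret value; prints the path of the file.
write_env_file() {
  local file
  file=$(umask 077 && mktemp "${TMPDIR:-/tmp}/newman-env.XXXXXX") || return 1
  printf '{"name":"ephemeral","values":[{"key":"%s","value":"%s","enabled":true}]}\n' \
    "$(json_escape "$1")" "$(json_escape "$2")" > "$file"
  printf '%s\n' "$file"
}

# $1 = collection file, $2 = secret reference, $3 = "on" (default) or "off".
# "off" runs the collection without loading the secret at all.
run_collection() {
  local collection=$1 ref=$2 inject=${3:-on} secret env_file status=0
  if [ "$inject" != on ]; then
    "${NEWMAN:-newman}" run "$collection"
    return
  fi
  secret=$(fetch_secret "$ref") || { echo "secret lookup failed" >&2; return 1; }
  [ -n "$secret" ] || { echo "secret is empty" >&2; return 1; }
  env_file=$(write_env_file API_KEY "$secret") || return 1
  "${NEWMAN:-newman}" run "$collection" -e "$env_file" || status=$?
  rm -f "$env_file"   # remove the secret from disk whether or not the run passed
  return "$status"
}

# Usage (placeholder reference, fill in your own vault/item/field):
#   run_collection my-collection.json "op://<vault>/<item>/<field>" on
```

The collection then reads the value as `{{API_KEY}}` in its header definition, so nothing secret is stored in the collection itself.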