I've recently started a new job where I'm transitioning from using KeePass to LastPass. At my last role, I could easily extract credentials automatically for scripts using KeePass, but my new workplace has LastPass with two-factor authentication enabled. I'm wondering if I can request a service account without 2FA just for credential pulling. I've found a couple of LastPass modules but haven't had any luck getting them to work. Is there an API available that I can use, or should I combine it with the existing modules to connect to the shared vault? I want to schedule some scripts to run without being interrupted by 2FA, but I'm okay with entering my personal code for now while testing. Any guidance would be greatly appreciated. My new employer isn't too into automation yet, but they hired me for my experience in that area, and I didn't expect LastPass to be so tricky for programmatic access.
5 Answers
The LastPass API is primarily focused on user provisioning and management, not for pulling vault data programmatically. It sounds like you'll need to rely on the `lastpass-cli` tool in an interactive session, since a smooth, automated vault retrieval isn't really in their ecosystem. I wouldn’t recommend disabling 2FA on user accounts either; if you can, lean towards using gMSA or JEA for cleaner automation solutions down the line.
Sounds like you're hitting a LastPass limitation instead of a PowerShell one. Their public API isn't built for seamless unattended vault retrieval, which makes automation challenging. I'd recommend finding a more appropriate secret management solution for automation while keeping LastPass for interactive use.
Absolutely agree! Better to keep 2FA intact. Maintaining security is crucial, so don’t cut corners.
If you're in an Active Directory environment, consider using Group Managed Service Accounts (gMSA). This could sidestep most of your credential management issues. If you're just seeking local admin rights for your scripts, setting up a Just Enough Administration (JEA) configuration with a virtual account could also work for you.
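The gMSA route suggested above, as an added worked example that is not from any poster in this thread: it creates the account, binds it to one automation host, and registers a scheduled script under it so no password is ever stored or typed. The domain `corp.example`, host `AUTOMATION01`, account name `svcAutomation` and script path are placeholder assumptions.

```powershell
# Added example, not from the thread. Placeholders: domain corp.example (NetBIOS CORP),
# automation host AUTOMATION01, gMSA svcAutomation, script C:\Scripts\Nightly.ps1.
# Needs the ActiveDirectory RSAT module and a KDS root key in the domain.

# --- Run once as a Domain Admin on any domain-joined machine with RSAT ---
# A KDS root key must exist before any gMSA can be created. -EffectiveImmediately
# still waits ~10 hours for replication in production; that delay is by design.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only the automation host's computer account may retrieve the managed password;
# no human ever learns it, which is the point versus a shared LastPass login.
New-ADServiceAccount -Name 'svcAutomation' `
    -DNSHostName 'svcAutomation.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'AUTOMATION01$'

# --- Run elevated on AUTOMATION01 itself ---
Install-ADServiceAccount -Identity 'svcAutomation'
if (-not (Test-ADServiceAccount -Identity 'svcAutomation')) {
    throw 'Host cannot retrieve the gMSA password; check the allowed principals and reboot.'
}

# Register the nightly job under the gMSA. LogonType Password makes Task Scheduler
# fetch the managed password from AD at run time, so nothing is stored on disk.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -File C:\Scripts\Nightly.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 02:00
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svcAutomation$' -LogonType Password
Register-ScheduledTask -TaskName 'NightlyAutomation' -Action $action `
    -Trigger $trigger -Principal $principal

# Grant svcAutomation only the shares, groups or rights Nightly.ps1 actually needs.
```

The scheduled task must be registered with the PowerShell cmdlets or `schtasks /RP ""`, since the Task Scheduler GUI will insist on a password the gMSA does not have.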
You might want to look into whether there's an API available for LastPass. But honestly, I recommend checking out Bitwarden instead – it's pretty great and allows you to host everything yourself without having to worry about external access.
For reference, explaining how you used KeePass could shed some light for others. We stored the database securely on one server and the access key on a separate server, locked down with NTFS permissions. We also leveraged the PoshKeepass module for easy access to credentials. It was efficient and met our security requirements, which might be an option to consider if LastPass continues to be difficult to work with.

Thanks for the insight! I didn't realize the API was limited. I’ll definitely consider the gMSA approach.