Scanning with credentials

The Credentials page provides a single place to store any secure credentials needed by runZero, including:

  • SNMPv3 credentials
  • Access secrets for cloud services like AWS and Azure
  • API keys for services such as Censys and Miradore

Credentials are stored in encrypted form in the runZero database. Credentials, such as SNMP passwords, are used by runZero Explorers and are transmitted to them in encrypted form. For security reasons, the secret part of any credential cannot be viewed once entered.

When adding a credential, you can choose to make it a global credential that can be used for all organizations or to allow access only by specific organizations. The Allow all or Disallow all buttons let you quickly apply the same setting across all organizations. Individual organizations can also be toggled to allow or disallow access.

Most credential fields can be edited after the credential is saved. Some fields, like URLs, cannot be edited after saving for security reasons. Sensitive fields, such as passwords or access keys, will be hidden but can be overwritten.

Credential settings

The specific fields and options for a credential depend on the type of credential.

VMware and SNMP credentials, which are used by the runZero Explorer, allow a CIDR allow list to be specified. This can be used to limit which scanned IP addresses the credential will be used with. This feature allows you to avoid sending SNMP or VMware credentials to all scanned hosts on the network, and instead limit them to specific IP addresses or ranges.
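A planning check for the CIDR allow list described above, added here as an illustration: it is not runZero code and calls no runZero API. The function name, return keys and sample ranges are assumptions, as is treating an empty allow list as "use with every scanned address".

```python
import ipaddress


def _nets(entries):
    """Parse CIDR strings (or network objects) and merge overlaps, per IP version."""
    # strict=False accepts entries with host bits set, e.g. 10.0.1.7/24
    nets = [ipaddress.ip_network(str(e).strip(), strict=False) for e in entries]
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
    return merged


def credential_exposure(scan_scope, allow_list):
    """Report which part of a scan scope a CIDR-limited credential would cover."""
    scope = _nets(scan_scope)
    if not allow_list:
        # Assumption taken from the page text: with no allow list the
        # credential is used with every scanned address.
        offered = scope
    else:
        offered = []
        for s in scope:
            for a in _nets(allow_list):
                if s.overlaps(a):
                    # CIDR blocks never partially overlap: keep the narrower one.
                    offered.append(s if s.prefixlen >= a.prefixlen else a)
        offered = _nets(offered)
    # Allow-list entries matching nothing in scope are likely typos or stale.
    unused = [e for e in allow_list
              if not any(s.overlaps(n) for n in _nets([e]) for s in scope)]
    in_scope = sum(n.num_addresses for n in scope)
    covered = sum(n.num_addresses for n in offered)
    return {
        "offered": [str(n) for n in offered],
        "offered_count": covered,
        "withheld_count": in_scope - covered,
        "unused_entries": unused,
    }


# Constructed sample input (not taken from any real environment).
SCAN_SCOPE = ["10.0.0.0/22", "192.168.10.0/24"]
ALLOW_LIST = ["10.0.1.0/24", "10.0.2.5/32", "172.16.0.0/16"]

if __name__ == "__main__":
    print(credential_exposure(SCAN_SCOPE, ALLOW_LIST))
```

A large `offered_count` relative to the devices that actually need the credential, or any `unused_entries`, is a cue to tighten or correct the allow list before scanning.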

Credential verification

Credentials can be verified when created or edited to ensure they can successfully authenticate. Choose Verify & save when creating or editing a credential to run the verification before saving. If verification fails, an error message is displayed and you are given the option to Save anyway. Save anyway will save the most recent verification status.

Credential management

Users must have administrator-level permissions to manage credentials. Users with Administrator as their default role can fully manage all credentials. Users with per-organization permissions do not have access to global credentials, and are only able to manage credentials in organizations where they have administrator permissions. A shared credential cannot be deleted by an organization administrator.
