Sometimes you want to automate the creation of Canarytokens across your fleet. Perhaps you want every EC2 instance to reach out and fetch a token on creation (or startup). The Canary Console API allows for automation, but it seems a bad idea to use your API key on every host.
The Canarytoken factory gives you a limited-use key that can create other tokens. You can leave this key on a host knowing that even if an attacker were able to grab it, he'd be able to create new tokens but not remove (or alter) anything else.
We recommend that you use the Canarytoken Deploy Flock API key type, instead of Factory Auth Tokens.
The Canarytoken Deploy Flock API type is specifically designed to only be able to create and download (deploy) Canarytokens within a specific flock, and can be viewed/managed from the Console UI Flock API settings in the same way as your other Flock API keys.
Existing Canarytoken Factory Endpoints and factory auth strings continue to work as before to support existing deployments. They are now simpler to manage in the Console UI as they're transparently converted to Canarytoken Deploy Flock API keys.
How to create a factory auth key
Make a POST request to https://xxxxxxxx.canary.tools/api/v1/canarytoken/create_factory using your Canary Console API key as the parameter "auth_token" and a reminder of which environment or application will be using this factory as the parameter "memo". You will receive a "factory_auth" value in the response (if it is successful).
How to generate Canarytokens
Generate Canarytokens by making a POST request to https://xxxxxxxx.canary.tools/api/v1/canarytoken/factory with "factory_auth", "memo" and "kind" of Canarytoken you would like to generate. You will receive the Canarytoken's details in the response.
You can also delete this factory auth value (in the event you think it is being abused or has fulfilled its duties).
How to delete a factory auth key
Make a DELETE request to https://xxxxxxxx.canary.tools/api/v1/canarytoken/delete_factory using your Canary Console API key and specifying the "factory_auth" value that you would like to delete.
Please note that this does not delete the Canarytokens that you have created with this "factory_auth" value.