feat(pam): view sensitive credentials/password for PAM accounts

backend/src/ee/routes/v1/pam-account-routers/pam-account-router.ts

@@ -4,17 +4,44 @@ import { z } from "zod";
 import { PamAccountDependenciesSchema } from "@app/db/schemas";
 import { AuditLogInfo, EventType, UserAgentType } from "@app/ee/services/audit-log/audit-log-types";
 import { PamAccountOrderBy, PamAccountView } from "@app/ee/services/pam-account/pam-account-enums";
-import { SanitizedActiveDirectoryAccountWithResourceSchema } from "@app/ee/services/pam-resource/active-directory/active-directory-resource-schemas";
-import { SanitizedAwsIamAccountWithResourceSchema } from "@app/ee/services/pam-resource/aws-iam/aws-iam-resource-schemas";
-import { SanitizedKubernetesAccountWithResourceSchema } from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
-import { SanitizedMsSQLAccountWithResourceSchema } from "@app/ee/services/pam-resource/mssql/mssql-resource-schemas";
-import { SanitizedMySQLAccountWithResourceSchema } from "@app/ee/services/pam-resource/mysql/mysql-resource-schemas";
+import {
+  ActiveDirectoryAccountCredentialsSchema,
+  SanitizedActiveDirectoryAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/active-directory/active-directory-resource-schemas";
+import {
+  AwsIamAccountCredentialsSchema,
+  SanitizedAwsIamAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/aws-iam/aws-iam-resource-schemas";
+import {
+  KubernetesAccountCredentialsSchema,
+  SanitizedKubernetesAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/kubernetes/kubernetes-resource-schemas";
+import {
+  MsSQLAccountCredentialsSchema,
+  SanitizedMsSQLAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/mssql/mssql-resource-schemas";
+import {
+  MySQLAccountCredentialsSchema,
+  SanitizedMySQLAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/mysql/mysql-resource-schemas";
 import { PamResource } from "@app/ee/services/pam-resource/pam-resource-enums";
 import { GatewayAccessResponseSchema } from "@app/ee/services/pam-resource/pam-resource-schemas";
-import { SanitizedPostgresAccountWithResourceSchema } from "@app/ee/services/pam-resource/postgres/postgres-resource-schemas";
-import { SanitizedRedisAccountWithResourceSchema } from "@app/ee/services/pam-resource/redis/redis-resource-schemas";
-import { SanitizedSSHAccountWithResourceSchema } from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas";
-import { SanitizedWindowsAccountWithResourceSchema } from "@app/ee/services/pam-resource/windows-server/windows-server-resource-schemas";
+import {
+  PostgresAccountCredentialsSchema,
+  SanitizedPostgresAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/postgres/postgres-resource-schemas";
+import {
+  RedisAccountCredentialsSchema,
+  SanitizedRedisAccountWithResourceSchema
+} from "@app/ee/services/pam-resource/redis/redis-resource-schemas";
+import {
+  SanitizedSSHAccountWithResourceSchema,
+  SSHAccountCredentialsSchema
+} from "@app/ee/services/pam-resource/ssh/ssh-resource-schemas";
+import {
+  SanitizedWindowsAccountWithResourceSchema,
+  WindowsAccountCredentialsSchema
+} from "@app/ee/services/pam-resource/windows-server/windows-server-resource-schemas";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
 import { ms } from "@app/lib/ms";
@@ -48,6 +75,52 @@ const ListPamAccountsResponseSchema = z.object({
   totalCount: z.number().default(0)
 });
 
+const AccountCredentialsBaseSchema = z.object({
+  accountId: z.string().uuid(),
+  accountName: z.string(),
+  resourceName: z.string(),
+  projectId: z.string().uuid()
+});
+
+const AccountCredentialsResponseSchema = z.discriminatedUnion("resourceType", [
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.Postgres),
+    credentials: PostgresAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.MySQL),
+    credentials: MySQLAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.MsSQL),
+    credentials: MsSQLAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.SSH),
+    credentials: SSHAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.Redis),
+    credentials: RedisAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.Kubernetes),
+    credentials: KubernetesAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.AwsIam),
+    credentials: AwsIamAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.Windows),
+    credentials: WindowsAccountCredentialsSchema
+  }),
+  AccountCredentialsBaseSchema.extend({
+    resourceType: z.literal(PamResource.ActiveDirectory),
+    credentials: ActiveDirectoryAccountCredentialsSchema
+  })
+]);
+
 export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
   server.route({
     method: "GET",
@@ -225,6 +298,54 @@ export const registerPamAccountRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:accountId/credentials",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "View full (unsanitized) PAM account credentials",
+      params: z.object({
+        accountId: z.string().uuid()
+      }),
+      querystring: z.object({
+        mfaSessionId: z.string().optional()
+      }),
+      response: {
+        200: AccountCredentialsResponseSchema
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const result = await server.services.pamAccount.viewCredentials({
+        accountId: req.params.accountId,
+        mfaSessionId: req.query.mfaSessionId,
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        projectId: result.projectId,
+        event: {
+          type: EventType.PAM_ACCOUNT_READ_CREDENTIALS,
+          metadata: {
+            accountId: result.accountId,
+            accountName: result.accountName,
+            resourceName: result.resourceName,
+            resourceType: result.resourceType
+          }
+        }
+      });
+
+      return result as z.infer<typeof AccountCredentialsResponseSchema>;
+    }
+  });
+
   server.route({
     method: "GET",
     url: "/",

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -606,6 +606,7 @@ export enum EventType {
   PAM_ACCOUNT_DELETE = "pam-account-delete",
   PAM_ACCOUNT_CREDENTIAL_ROTATION = "pam-account-credential-rotation",
   PAM_ACCOUNT_CREDENTIAL_ROTATION_FAILED = "pam-account-credential-rotation-failed",
+  PAM_ACCOUNT_READ_CREDENTIALS = "pam-account-read-credentials",
   PAM_WEB_ACCESS_SESSION_TICKET_CREATED = "pam-web-access-session-ticket-created",
   PAM_RESOURCE_LIST = "pam-resource-list",
   PAM_RESOURCE_GET = "pam-resource-get",
@@ -4852,6 +4853,16 @@ interface PamAccountCredentialRotationFailedEvent {
   };
 }
 
+interface PamAccountReadCredentialsEvent {
+  type: EventType.PAM_ACCOUNT_READ_CREDENTIALS;
+  metadata: {
+    accountId: string;
+    accountName: string;
+    resourceName: string;
+    resourceType: string;
+  };
+}
+
 interface PamResourceListEvent {
   type: EventType.PAM_RESOURCE_LIST;
   metadata: {
@@ -6154,6 +6165,7 @@ export type Event =
   | PamAccountDeleteEvent
   | PamAccountCredentialRotationEvent
   | PamAccountCredentialRotationFailedEvent
+  | PamAccountReadCredentialsEvent
   | PamResourceListEvent
   | PamResourceGetEvent
   | PamResourceCreateEvent

backend/src/ee/services/pam-account/pam-account-fns.ts

@@ -1,6 +1,7 @@
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
 import { KmsDataKey } from "@app/services/kms/kms-types";
 
+import { PamResource } from "../pam-resource/pam-resource-enums";
 import { TPamAccountCredentials, TPamResourceInternalMetadata } from "../pam-resource/pam-resource-types";
 import { SSHAuthMethod } from "../pam-resource/ssh/ssh-resource-enums";
 
@@ -67,6 +68,19 @@ export const decryptAccountMessage = async ({
   return decryptedPlainTextBlob.toString();
 };
 
+// Returns false for account types where all credential fields are already visible in the sanitized view
+export const hasSensitiveCredentials = (resourceType: string, credentials: TPamAccountCredentials): boolean => {
+  if (resourceType === PamResource.AwsIam) return false;
+  if (resourceType === PamResource.Kubernetes) return false;
+  if (
+    resourceType === PamResource.SSH &&
+    "authMethod" in credentials &&
+    credentials.authMethod === SSHAuthMethod.Certificate
+  )
+    return false;
+  return true;
+};
+
 const hasConfiguredCredentials = (credentials: TPamAccountCredentials): boolean => {
   if ("password" in credentials && credentials.password) return true;
   if ("privateKey" in credentials && credentials.privateKey) return true;

backend/src/ee/services/pam-account/pam-account-service.ts

@@ -64,13 +64,19 @@ import { PamSessionStatus } from "../pam-session/pam-session-enums";
 import { OrgPermissionGatewayActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPamAccountDALFactory } from "./pam-account-dal";
 import { PamAccountRotationStatus } from "./pam-account-enums";
-import { decryptAccount, decryptAccountCredentials, encryptAccountCredentials } from "./pam-account-fns";
+import {
+  decryptAccount,
+  decryptAccountCredentials,
+  encryptAccountCredentials,
+  hasSensitiveCredentials
+} from "./pam-account-fns";
 import {
   TAccessAccountDTO,
   TCreateAccountDTO,
   TGetAccountByIdDTO,
   TListAccountsDTO,
-  TUpdateAccountDTO
+  TUpdateAccountDTO,
+  TViewAccountCredentialsDTO
 } from "./pam-account-types";
 
 type TPamAccountServiceFactoryDep = {
@@ -1371,13 +1377,119 @@ export const pamAccountServiceFactory = ({
     };
   };
 
+  const viewCredentials = async ({
+    accountId,
+    mfaSessionId,
+    actor,
+    actorId,
+    actorAuthMethod,
+    actorOrgId
+  }: TViewAccountCredentialsDTO) => {
+    const accountWithResource = await pamAccountDAL.findByIdWithResourceDetails(accountId);
+    if (!accountWithResource) throw new NotFoundError({ message: `Account with ID '${accountId}' not found` });
+
+    const { permission } = await permissionService.getProjectPermission({
+      actor,
+      actorId,
+      projectId: accountWithResource.projectId,
+      actorAuthMethod,
+      actorOrgId,
+      actionProjectType: ActionProjectType.PAM
+    });
+
+    const metadataByAccountId = await pamAccountDAL.findMetadataByAccountIds([accountWithResource.id]);
+    const accountMetadata = metadataByAccountId[accountWithResource.id] || [];
+
+    ForbiddenError.from(permission).throwUnlessCan(
+      ProjectPermissionPamAccountActions.ReadCredentials,
+      subject(ProjectPermissionSub.PamAccounts, {
+        resourceName: accountWithResource.resource.name,
+        accountName: accountWithResource.name,
+        metadata: accountMetadata
+      })
+    );
+
+    // Decrypt early so we can check if there are sensitive fields before triggering MFA
+    const credentials = await decryptAccountCredentials({
+      encryptedCredentials: accountWithResource.encryptedCredentials,
+      kmsService,
+      projectId: accountWithResource.projectId
+    });
+
+    if (!hasSensitiveCredentials(accountWithResource.resource.resourceType, credentials)) {
+      throw new BadRequestError({ message: "This account has no sensitive credentials to view" });
+    }
+
+    if (!mfaSessionId && accountWithResource.requireMfa) {
+      const project = await projectDAL.findById(accountWithResource.projectId);
+      if (!project)
+        throw new NotFoundError({ message: `Project with ID '${accountWithResource.projectId}' not found` });
+
+      const actorUser = await userDAL.findById(actorId);
+      if (!actorUser) throw new NotFoundError({ message: `User with ID '${actorId}' not found` });
+
+      const org = await orgDAL.findOrgById(project.orgId);
+      if (!org) throw new NotFoundError({ message: `Organization with ID '${project.orgId}' not found` });
+
+      const orgMfaMethod = org.enforceMfa ? (org.selectedMfaMethod as MfaMethod | null) : undefined;
+      const userMfaMethod = actorUser.isMfaEnabled ? (actorUser.selectedMfaMethod as MfaMethod | null) : undefined;
+      const mfaMethod = (orgMfaMethod ?? userMfaMethod ?? MfaMethod.EMAIL) as MfaMethod;
+
+      const newMfaSessionId = await mfaSessionService.createMfaSession(actorUser.id, accountWithResource.id, mfaMethod);
+
+      if (mfaMethod === MfaMethod.EMAIL && actorUser.email) {
+        await mfaSessionService.sendMfaCode(actorUser.id, actorUser.email);
+      }
+
+      throw new BadRequestError({
+        message: "MFA verification required to view PAM account credentials",
+        name: "SESSION_MFA_REQUIRED",
+        details: {
+          mfaSessionId: newMfaSessionId,
+          mfaMethod
+        }
+      });
+    }
+
+    if (mfaSessionId && accountWithResource.requireMfa) {
+      const mfaSession = await mfaSessionService.getMfaSession(mfaSessionId);
+      if (!mfaSession) {
+        throw new BadRequestError({ message: "MFA session not found or expired" });
+      }
+
+      if (mfaSession.userId !== actorId) {
+        throw new BadRequestError({ message: "MFA session does not belong to current user" });
+      }
+
+      if (mfaSession.resourceId !== accountWithResource.id) {
+        throw new BadRequestError({ message: "MFA session is for a different account" });
+      }
+
+      if (mfaSession.status !== MfaSessionStatus.ACTIVE) {
+        throw new BadRequestError({ message: "MFA session is not active. Please complete MFA verification first." });
+      }
+
+      await mfaSessionService.deleteMfaSession(mfaSessionId);
+    }
+
+    return {
+      credentials,
+      resourceType: accountWithResource.resource.resourceType,
+      accountId: accountWithResource.id,
+      accountName: accountWithResource.name,
+      resourceName: accountWithResource.resource.name,
+      projectId: accountWithResource.projectId
+    };
+  };
+
   return {
     create,
     updateById,
     deleteById,
     list,
     getById,
     access,
+    viewCredentials,
     getSessionCredentials,
     rotateAllDueAccounts,
     triggerManualRotation

backend/src/ee/services/pam-account/pam-account-types.ts

@@ -45,3 +45,8 @@ export type TListAccountsDTO = {
 export type TGetAccountByIdDTO = {
   accountId: string;
 } & Omit<TProjectPermission, "projectId">;
+
+export type TViewAccountCredentialsDTO = {
+  accountId: string;
+  mfaSessionId?: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/ee/services/permission/default-roles.ts

@@ -392,7 +392,8 @@ const buildAdminPermissionRules = () => {
       ProjectPermissionPamAccountActions.Create,
       ProjectPermissionPamAccountActions.Edit,
       ProjectPermissionPamAccountActions.Delete,
-      ProjectPermissionPamAccountActions.TriggerRotation
+      ProjectPermissionPamAccountActions.TriggerRotation,
+      ProjectPermissionPamAccountActions.ReadCredentials
     ],
     ProjectPermissionSub.PamAccounts
   );

backend/src/ee/services/permission/project-permission.ts

@@ -254,7 +254,8 @@ export enum ProjectPermissionPamAccountActions {
   Create = "create",
   Edit = "edit",
   Delete = "delete",
-  TriggerRotation = "trigger-rotation"
+  TriggerRotation = "trigger-rotation",
+  ReadCredentials = "read-credentials"
 }
 
 export enum ProjectPermissionPamSessionActions {