Authentication

Service Accounts

A service account represents an application that needs authentication and authorization to invoke Rubrik APIs, as opposed to a user account that represents an individual user. Service accounts use a client secret to authenticate to an authorization server and obtain an access token to invoke the Rubrik APIs. Similar to user accounts, Rubrik allows assigning roles to the service accounts to enable role-based access control. But contrary to user accounts, service accounts cannot be used to access the Rubrik web UI.

Security

Service accounts enable client applications and other services to invoke the Rubrik APIs securely. When creating a service account, the authorization server assigns a unique client ID and client secret to the account. The combination of client ID and client secret is known as client credentials. The client credentials are known only to the client that is represented by the service account and the authorization server that grants the credentials to the service account. The client application authenticates to the authorization server using the client credentials and obtains an access token to authenticate to the Rubrik API server and access the protected resources.

Guidelines

Consider the following best practices when using service accounts:

Usage

Adding a service account

  1. Log in to Rubrik.
  2. Open the app tray and select Settings. The Settings menu appears.
  3. Click Users and Access and select Service Accounts. The Service Accounts page appears.
  4. Click Add Service Account. The Service Account Details page appears.
  5. In Name, type a service account name.
  6. Optional: In Description, type a service account description.
  7. Click Next. The Roles page appears, displaying a list of available roles.
  8. Select the roles to be assigned to the service account.
  9. Click Add. Rubrik displays the Client ID, Client Secret, and the Access Token URI to be used by the client application that owns the service account.
  10. Copy the client credentials and the access token URI and click Done. Alternatively, click Download As JSON to download a file containing the client credentials and the access token URI in the JSON format.

Obtaining an access token

In a terminal window, run the following command:

curl --request POST --header "Content-Type: application/json" \
--data '{"client_id": "$client_id", "client_secret": "$client_secret"}' \
$access_token_uri

For example, the following command uses sample values for the variables:

curl --request POST --header "Content-Type: application/json" \
--data '{"client_id": "client|EKy4bNDSGJfXbJZsJS2dQ5fiaeEoj1zu", "client_secret": "iNGp5X14xvD16XKwiiEqEAMAF6RxOucQIhTv9DjVC5U7BorvS5LZSEPFBhjQvo2"}' \
https://$account.my.rubrik-lab.com/api/client_token

The authorization server responds with an encoded access token. Client applications use the access token to invoke Rubrik APIs.

Using the access token

An access token is valid for 24 hours from the time it is generated. Run the following command to make sure your token is valid:

QUERY='{
  "query": "query {
      currentUser {
          email
          roles {
              name
          }
      }
  }"
}'

curl -X POST https://$account.my.rubrik-lab.com/api/graphql \
--header "Authorization: Bearer $access_token" \
--header "Content-type: application/json" \
--data "$(echo $QUERY)"

Deleting a session

While there is no restriction on the number of active sessions a service account can have, Rubrik provides an API endpoint to delete an existing session.

Run the following command to revoke the session established for the service account:

curl -X DELETE https://$account.my.rubrik-lab.com/api/session \
--header "Authorization: Bearer $access_token" \
--header "Content-type: application/json"