Cloud Account APIs for Azure Cloud-native Protection

The Rubrik GraphQL API provides GraphQL mutations to manage cloud accounts.

A cloud account in Rubrik represents the account of the tenant in the cloud provider domain. A cloud account enables Rubrik to access and protect the cloud-native workloads of the tenant.

Cloud account for Azure workloads

Protection of Azure workloads in Rubrik begins with the addition of a cloud account. The cloud account authorizes Rubrik to access the Azure subscriptions to be protected.

At a high-level, the process of adding a cloud account for Azure workloads involves the following steps:

  1. Creating a service principal for Rubrik in your Azure Active Directory (AAD) tenant domain
  2. Creating custom roles required for cloud-native protection of workloads in Azure subscriptions
  3. Assigning the custom roles to the Rubrik service principal to allow access to Azure APIs for cloud-native protection

Different roles and roles assignments can be created for different features, also known as use cases. This page discusses the cloud-native protection use case.

The permissions required to access the Azure APIs for cloud-native protection are available here.

Rubrik provides options for managing cloud accounts using OAuth 2.0 and without using OAuth 2.0. The OAuth protocol allows you to authorize Rubrik to access Azure APIs on your behalf.

OAuth is required to add, upgrade, and delete cloud accounts.

When adding a cloud account with OAuth, Rubrik gains your consent and automatically creates the service principal with custom roles required to access the Azure account associated with the AAD tenant.

Without OAuth, Rubrik requires you to create an application in the AAD tenant with custom role assignments and provide the application ID to Rubrik.

Prerequisites for cloud account management using OAuth

To initiate the process of adding a cloud account with OAuth, first obtain an access token to authenticate requests to the Rubrik GraphQL API server, as described in Authentication.

Then, perform the following steps in preparation for using OAuth to add, upgrade, and delete cloud accounts.

Creating an Azure session

Create an Azure session using the startAzureCloudAccountOauth mutation.

The response includes the ID of the client application that gets registered with the AAD and the ID of the Azure session that is created.

The session expires after 60 minutes.

MUTATION='{
  "query": "mutation StartAzureCloudAccountOauth(
  $tenantDomainName: String!
  $azureCloudType: AzureCloudType!
) {
  startAzureCloudAccountOauth(
    input: {
      tenantDomainName: $tenantDomainName
      azureCloudType: $azureCloudType
    }
  ) {
    clientId
    sessionId
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the InitiateAzureCloudAccountOAuthInput object as the input.

Requesting an authorization code

Request a temporary authorization code using the session ID and client ID generated as a result of creating an Azure session. The authorization code is used by Rubrik to request an access token. Rubrik uses the access token to authenticate to the Azure APIs for creating a service principal required for cloud account management.

The URL for requesting an authorization code has the following format:

https://login.microsoftonline.com/$tenantDomainName/oauth2/authorize?
    client_id=$clientID&resource=https%3A%2F%2Fmanagement.azure.com
    &state=$sessionID
    &prompt=select_account
    &response_mode=query
    &response_type=code

Where, $tenantDomainName is the name of the AAD tenant domain of the Azure subscription. $clientID is the ID of the client application that gets registered with the AAD. $sessionID is the ID of the Azure session.

For more information about generating a temporary authorization code, refer to the Azure documentation.

Generating service principal to access Azure subscriptions

Use the authorization code in the completeAzureCloudAccountOauth GraphQL mutation to generate and store a service principal for accessing the Azure subscription.

MUTATION='{
  "query": "mutation CompleteAzureCloudAccountOauth(
  $sessionId: String!
  $authorizationCode: String!
  $tenantDomainName: String!
  $azureCloudType: AzureCloudType!
) {
  completeAzureCloudAccountOauth(
    input: {
      sessionId: $sessionId
      authorizationCode: $authorizationCode
      redirectUrl: "https://$account.my.rubrik.com/setup_azure"
      tenantDomainName: $tenantDomainName
      features: [CLOUD_NATIVE_PROTECTION]
      azureCloudType: $azureCloudType
      shouldSkipPermissionChecks: false
    }
  ) {
    isSuccess
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the CompleteAzureCloudAccountOAuthInput object as the input.

Use case: Adding a cloud account

Rubrik allows adding a cloud account in two ways:

Adding a cloud account with OAuth

To add a cloud account using OAuth, perform the following steps.

MUTATION='{
  "query": "mutation AddAzureCloudAccount(
  $sessionId: String!
  $regions: [AzureCloudAccountRegion!]!
  $azureSubscriptionNativeId: String!
  $subscriptionName: String!
  $tenantDomainName: String!
) {
  addAzureCloudAccount(
    input: {
      sessionId: $sessionId
      regions: $regions
      subscriptions: [
        {
          features: [{featureType: CLOUD_NATIVE_PROTECTION}]
          subscription: {
            nativeId: $azureSubscriptionNativeId
            name: $subscriptionName
          }
        }
      ]
      tenantDomainName: $tenantDomainName
    }
  ) {
    status {
      error
      azureSubscriptionRubrikId
      azureSubscriptionNativeId
    }
    tenantId
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the AddAzureCloudAccountInput object as the input.

Adding a cloud account without using OAuth

To add a cloud account without using OAuth, perform the following steps.

MUTATION='{
  "query": "mutation SetAzureCloudAccountCustomerAppCredentials(
  $appClientId: String!
  $appClientSecret: String!
  $appTenantId: String!
  $appName: String!
  $tenantDomainName: String!
  $azureCloudType: AzureCloudType!
) {
  setAzureCloudAccountCustomerAppCredentials(
    input: {
      appId: $appClientId
      appSecretKey: $appClientSecret
      appTenantId: $appTenantId
      appName: $appName
      tenantDomainName: $tenantDomainName
      azureCloudType: $azureCloudType
    }
  )
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the SetAzureCloudAccountCustomerAppCredentialsInput object as the input.

MUTATION='{
  "query": "mutation AddAzureCloudAccountWithoutOauth(
  $tenantDomainName: String!
  $azureCloudType: AzureCloudType!
  $subscriptionName: String!
  $azureSubscriptionNativeId: String!
  $regions: [AzureCloudAccountRegion!]!
) {
  addAzureCloudAccountWithoutOauth(
    input: {
      tenantDomainName: $tenantDomainName
      azureCloudType: $azureCloudType
      subscriptions: {
        subscription: {
          name: $subscriptionName
          nativeId: $azureSubscriptionNativeId
        }
        features: [{featureType: CLOUD_NATIVE_PROTECTION, policyVersion: 1}]
      }
      regions: $regions
    }
  ) {
    tenantId
    status {
      azureSubscriptionRubrikId
      azureSubscriptionNativeId
      error
    }
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the AddAzureCloudAccountWithoutOauthInput object as the input.

Use case: Upgrading permissions for a cloud account

Upgrading a cloud account involves updating permissions for roles associated with the Azure cloud account. The permissions may change with changes in the features being protected as part of the Azure cloud account in Rubrik. When this happens, the state of the cloud account changes from connected to missing permissions.

Upgrade the cloud account permissions to change it back to the connected state.

Upgrading permissions for a cloud account with OAuth

To upgrade a cloud account with OAuth, perform the following steps.

MUTATION='{
  "query": "mutation UpgradeAzureCloudAccount(
  $sessionId: String!
  $azureSubscriptionRubrikId: UUID!
) {
  upgradeAzureCloudAccount(
    input: {
      sessionId: $sessionId
      features: [CLOUD_NATIVE_PROTECTION]
      azureSubscriptionRubrikIds: [$azureSubscriptionRubrikId]
    }
  ) {
    status {
      azureSubscriptionNativeId
      isSuccess
    }
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the UpgradeAzureCloudAccountInput object as the input.

Upgrading permissions for a cloud account without using OAuth

To upgrade a cloud account without using OAuth, perform the following steps.

For more information about checking permissions for role definitions, check this Azure documentation.

MUTATION='{
  "query": "mutation UpgradeAzureCloudAccountPermissionsWithoutOauth(
  $cloudAccountId: UUID!
) {
  upgradeAzureCloudAccountPermissionsWithoutOauth(
    input: {cloudAccountId: $cloudAccountId, feature: CLOUD_NATIVE_PROTECTION}
  ) {
    status
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the UpgradeAzureCloudAccountPermissionsWithoutOauthInput object as the input.

Use case: Updating a cloud account

Updating a cloud account involves updating its properties, like the name or the Azure subscription regions configured of the cloud account.

MUTATION='{
  "query": "mutation UpdateAzureCloudAccount(
  $subscriptions: [AzureCloudAccountSubscriptionInput!]!
  $regionsToAdd: [AzureCloudAccountRegion!]!
  $regionsToRemove: [AzureCloudAccountRegion!]!
) {
  updateAzureCloudAccount(
    input: {
      subscriptions: $subscriptions
      features: [CLOUD_NATIVE_PROTECTION]
      regionsToAdd: $regionsToAdd
      regionsToRemove: $regionsToRemove
    }
  ) {
    status {
      azureSubscriptionNativeId
      isSuccess
    }
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the UpdateAzureCloudAccountInput object as the input.

Use case: Disabling a cloud account

Disabling a cloud account stops the protection for workloads in the subscriptions being managed by Rubrik as part of the cloud account.

To disable a subscription, use the startDisableAzureNativeSubscriptionProtectionJob mutation to initiate an asynchronous job to disable the subscription. When the job completes, the subscription will be in disabled state.

MUTATION='{
  "query": "mutation StartDisableAzureNativeSubscriptionProtectionJob(
  $azureSubscriptionRubrikId: UUID!
  $shouldDeleteNativeSnapshots: Boolean!
) {
  startDisableAzureNativeSubscriptionProtectionJob(
    input: {
      azureSubscriptionRubrikId: $azureSubscriptionRubrikId
      shouldDeleteNativeSnapshots: $shouldDeleteNativeSnapshots
      azureNativeProtectionFeature: SQL_DB
    }
  ) {
    jobId
    error
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the StartDisableAzureNativeSubscriptionProtectionJobInput object as the input.

Use case: Deleting a cloud account

Deleting a cloud account results in deleting the Azure subscriptions associated with the cloud account for a specified feature from Rubrik.

Using OAuth to delete a cloud account results in deleting the role definitions and role assignments associated with the subscription as well.

To delete a cloud account it must be in the disabled state. Disable the cloud account, as described in Disabling a cloud account.

Deleting a cloud account with OAuth

To delete a cloud account with OAuth, perform the following steps.

MUTATION='{
  "query": "mutation DeleteAzureCloudAccount(
  $sessionId: String!
  $azureSubscriptionRubrikId: UUID!
) {
  deleteAzureCloudAccount(
    input: {
      sessionId: $sessionId
      features: CLOUD_NATIVE_PROTECTION
      azureSubscriptionRubrikIds: [$azureSubscriptionRubrikId]
    }
  ) {
    status {
      isSuccess
      error
    }
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the DeleteAzureCloudAccountInput object as the input.

Deleting a cloud account without using OAuth

To delete a cloud account without using OAuth, perform the following steps.

MUTATION='{
  "query":
"mutation DeleteAzureCloudAccountWithoutOauth(
  $azureSubscriptionRubrikId: UUID!
) {
  deleteAzureCloudAccountWithoutOauth(
    input: {
      features: CLOUD_NATIVE_PROTECTION
      azureSubscriptionRubrikIds: [$azureSubscriptionRubrikId]
    }
  ) {
    status {
      isSuccess
      error
    }
  }
}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the DeleteAzureCloudAccountWithoutOauthInput object as the input.