Cloud Account APIs for Azure Cloud-native Protection

The Rubrik GraphQL API provides GraphQL mutations to manage cloud accounts.

A cloud account in Rubrik represents the account of the tenant in the cloud provider domain. A cloud account enables Rubrik to access and protect the cloud-native workloads of the tenant.

Cloud account for Azure workloads

Protection of Azure workloads in Rubrik begins with the addition of a cloud account. The cloud account authorizes Rubrik to access the Azure subscriptions to be protected.

At a high-level, the process of adding a cloud account for Azure workloads involves the following steps:

Creating a service principal for Rubrik in your Azure Active Directory (AAD) tenant domain
Creating custom roles required for cloud-native protection of workloads in Azure subscriptions
Assigning the custom roles to the Rubrik service principal to allow access to Azure APIs for cloud-native protection

Different roles and roles assignments can be created for different features, also known as use cases. This page discusses the cloud-native protection use case.

The permissions required to access the Azure APIs for cloud-native protection are available here.

Rubrik provides options for managing cloud accounts using OAuth 2.0 and without using OAuth 2.0. The OAuth protocol allows you to authorize Rubrik to access Azure APIs on your behalf.

OAuth is required to add, upgrade, and delete cloud accounts.

When adding a cloud account with OAuth, Rubrik gains your consent and automatically creates the service principal with custom roles required to access the Azure account associated with the AAD tenant.

Without OAuth, Rubrik requires you to create an application in the AAD tenant with custom role assignments and provide the application ID to Rubrik.

Prerequisites for cloud account management using OAuth

To initiate the process of adding a cloud account with OAuth, first obtain an access token to authenticate requests to the Rubrik GraphQL API server, as described in Authentication.

Then, perform the following steps in preparation for using OAuth to add, upgrade, and delete cloud accounts.

Creating an Azure session

Create an Azure session using the startAzureCloudAccountOauth mutation.

The response includes the ID of the client application that gets registered with the AAD and the ID of the Azure session that is created.

The session expires after 60 minutes.

MUTATION='{
  "query": "mutation StartAzureCloudAccountOauth(
  "query": "  $tenantDomainName: String!
  "query": "  $azureCloudType: AzureCloudType!
  "query": ") {
  "query": "  startAzureCloudAccountOauth(
  "query": "    input: {
  "query": "      tenantDomainName: $tenantDomainName
  "query": "      azureCloudType: $azureCloudType
  "query": "    }
  "query": "  ) {
  "query": "    clientId
  "query": "    sessionId
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the InitiateAzureCloudAccountOAuthInput object as the input.

Requesting an authorization code

Request a temporary authorization code using the session ID and client ID generated as a result of creating an Azure session. The authorization code is used by Rubrik to request an access token. Rubrik uses the access token to authenticate to the Azure APIs for creating a service principal required for cloud account management.

The URL for requesting an authorization code has the following format:

https://login.microsoftonline.com/$tenantDomainName/oauth2/authorize?
    client_id=$clientID&resource=https%3A%2F%2Fmanagement.azure.com
    &state=$sessionID
    &prompt=select_account
    &response_mode=query
    &response_type=code

Where, $tenantDomainName is the name of the AAD tenant domain of the Azure subscription. $clientID is the ID of the client application that gets registered with the AAD. $sessionID is the ID of the Azure session.

For more information about generating a temporary authorization code, refer to the Azure documentation.

Generating service principal to access Azure subscriptions

Use the authorization code in the completeAzureCloudAccountOauth GraphQL mutation to generate and store a service principal for accessing the Azure subscription.

MUTATION='{
  "query": "mutation CompleteAzureCloudAccountOauth(
  "query": "  $sessionId: String!
  "query": "  $authorizationCode: String!
  "query": "  $tenantDomainName: String!
  "query": "  $azureCloudType: AzureCloudType!
  "query": ") {
  "query": "  completeAzureCloudAccountOauth(
  "query": "    input: {
  "query": "      sessionId: $sessionId
  "query": "      authorizationCode: $authorizationCode
  "query": "      redirectUrl: "https://$account.my.rubrik.com/setup_azure"
  "query": "      tenantDomainName: $tenantDomainName
  "query": "      features: [CLOUD_NATIVE_PROTECTION]
  "query": "      azureCloudType: $azureCloudType
  "query": "      shouldSkipPermissionChecks: false
  "query": "    }
  "query": "  ) {
  "query": "    isSuccess
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the CompleteAzureCloudAccountOAuthInput object as the input.

Use case: Adding a cloud account

Rubrik allows adding a cloud account in two ways:

With OAuth, Rubrik generates the service principal, role definitions, and custom role assignments.
Without OAuth, you create the service principal, role definitions, and custom role assignments.

Adding a cloud account with OAuth

To add a cloud account using OAuth, perform the following steps.

Obtain a session ID and access token to access Azure APIs using OAuth, as described in the Prerequisites section.
Use a GraphQL mutation to add Azure cloud account in Rubrik using the session ID created during the OAuth workflow.

MUTATION='{
  "query": "mutation AddAzureCloudAccount(
  "query": "  $sessionId: String!
  "query": "  $regions: [AzureCloudAccountRegion!]!
  "query": "  $azureSubscriptionNativeId: String!
  "query": "  $subscriptionName: String!
  "query": "  $tenantDomainName: String!
  "query": ") {
  "query": "  addAzureCloudAccount(
  "query": "    input: {
  "query": "      sessionId: $sessionId
  "query": "      regions: $regions
  "query": "      subscriptions: [
  "query": "        {
  "query": "          features: [{featureType: CLOUD_NATIVE_PROTECTION}]
  "query": "          subscription: {
  "query": "            nativeId: $azureSubscriptionNativeId
  "query": "            name: $subscriptionName
  "query": "          }
  "query": "        }
  "query": "      ]
  "query": "      tenantDomainName: $tenantDomainName
  "query": "    }
  "query": "  ) {
  "query": "    status {
  "query": "      error
  "query": "      azureSubscriptionRubrikId
  "query": "      azureSubscriptionNativeId
  "query": "    }
  "query": "    tenantId
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the AddAzureCloudAccountInput object as the input.

Adding a cloud account without using OAuth

To add a cloud account without using OAuth, perform the following steps.

Create an Azure AD application, as described in Azure documentation.
Create a custom role definition for the Azure subscription, as described in Azure documentation.
Create role assignments for the Azure subscription, as described in Azure documentation and assign the role to created Azure AD app.
- To determine the permissions missing from the role definition, fetch the list of permissions required for cloud accounts using the allLatestFeaturePermissionsForCloudAccounts query.
- Alternatively, you can also compare the permissions assigned to the role definition with the list of permissions required.
Register the Azure AD application with Rubrik using the setAzureCloudAccountCustomerAppCredentials mutation.

MUTATION='{
  "query": "mutation SetAzureCloudAccountCustomerAppCredentials(
  "query": "  $appClientId: String!
  "query": "  $appClientSecret: String!
  "query": "  $appTenantId: String!
  "query": "  $appName: String!
  "query": "  $tenantDomainName: String!
  "query": "  $azureCloudType: AzureCloudType!
  "query": ") {
  "query": "  setAzureCloudAccountCustomerAppCredentials(
  "query": "    input: {
  "query": "      appId: $appClientId
  "query": "      appSecretKey: $appClientSecret
  "query": "      appTenantId: $appTenantId
  "query": "      appName: $appName
  "query": "      tenantDomainName: $tenantDomainName
  "query": "      azureCloudType: $azureCloudType
  "query": "    }
  "query": "  )
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the SetAzureCloudAccountCustomerAppCredentialsInput object as the input.

Add cloud account to Rubrik using the addAzureCloudAccountWithoutOauth mutation.

MUTATION='{
  "query": "mutation AddAzureCloudAccountWithoutOauth(
  "query": "  $tenantDomainName: String!
  "query": "  $azureCloudType: AzureCloudType!
  "query": "  $subscriptionName: String!
  "query": "  $azureSubscriptionNativeId: String!
  "query": "  $regions: [AzureCloudAccountRegion!]!
  "query": ") {
  "query": "  addAzureCloudAccountWithoutOauth(
  "query": "    input: {
  "query": "      tenantDomainName: $tenantDomainName
  "query": "      azureCloudType: $azureCloudType
  "query": "      subscriptions: {
  "query": "        subscription: {
  "query": "          name: $subscriptionName
  "query": "          nativeId: $azureSubscriptionNativeId
  "query": "        }
  "query": "        features: [{featureType: CLOUD_NATIVE_PROTECTION, policyVersion: 1}]
  "query": "      }
  "query": "      regions: $regions
  "query": "    }
  "query": "  ) {
  "query": "    tenantId
  "query": "    status {
  "query": "      azureSubscriptionRubrikId
  "query": "      azureSubscriptionNativeId
  "query": "      error
  "query": "    }
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the AddAzureCloudAccountWithoutOauthInput object as the input.

Use case: Upgrading permissions for a cloud account

Upgrading a cloud account involves updating permissions for roles associated with the Azure cloud account. The permissions may change with changes in the features being protected as part of the Azure cloud account in Rubrik. When this happens, the state of the cloud account changes from connected to missing permissions.

Upgrade the cloud account permissions to change it back to the connected state.

Upgrading permissions for a cloud account with OAuth

To upgrade a cloud account with OAuth, perform the following steps.

Obtain a session ID and access token to access Azure APIs using OAuth, as described in the Prerequisites section.
Use a GraphQL mutation to upgrade the Azure cloud account in Rubrik using the session ID created during the OAuth workflow.

MUTATION='{
  "query": "mutation UpgradeAzureCloudAccount(
  "query": "  $sessionId: String!
  "query": "  $azureSubscriptionRubrikId: UUID!
  "query": ") {
  "query": "  upgradeAzureCloudAccount(
  "query": "    input: {
  "query": "      sessionId: $sessionId
  "query": "      features: [CLOUD_NATIVE_PROTECTION]
  "query": "      azureSubscriptionRubrikIds: [$azureSubscriptionRubrikId]
  "query": "    }
  "query": "  ) {
  "query": "    status {
  "query": "      azureSubscriptionNativeId
  "query": "      isSuccess
  "query": "    }
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the UpgradeAzureCloudAccountInput object as the input.

Upgrading permissions for a cloud account without using OAuth

To upgrade a cloud account without using OAuth, perform the following steps.

Update the permissions of role definitions for the cloud account.
- To determine the permissions missing from the role definition, fetch the list of permissions required for cloud accounts using the allLatestFeaturePermissionsForCloudAccounts query.
- Alternatively, you can also compare the permissions assigned to the role definition with the list of permissions required.

For more information about checking permissions for role definitions, check this Azure documentation.

Update the status of cloud account to connected using the upgradeAzureCloudAccountPermissionsWithoutOauth mutation.

MUTATION='{
  "query": "mutation UpgradeAzureCloudAccountPermissionsWithoutOauth(
  "query": "  $cloudAccountId: UUID!
  "query": ") {
  "query": "  upgradeAzureCloudAccountPermissionsWithoutOauth(
  "query": "    input: {cloudAccountId: $cloudAccountId, feature: CLOUD_NATIVE_PROTECTION}
  "query": "  ) {
  "query": "    status
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the UpgradeAzureCloudAccountPermissionsWithoutOauthInput object as the input.

Use case: Updating a cloud account

Updating a cloud account involves updating its properties, like the name or the Azure subscription regions configured of the cloud account.

MUTATION='{
  "query": "mutation UpdateAzureCloudAccount(
  "query": "  $subscriptions: [AzureCloudAccountSubscriptionInput!]!
  "query": "  $regionsToAdd: [AzureCloudAccountRegion!]!
  "query": "  $regionsToRemove: [AzureCloudAccountRegion!]!
  "query": ") {
  "query": "  updateAzureCloudAccount(
  "query": "    input: {
  "query": "      subscriptions: $subscriptions
  "query": "      features: [CLOUD_NATIVE_PROTECTION]
  "query": "      regionsToAdd: $regionsToAdd
  "query": "      regionsToRemove: $regionsToRemove
  "query": "    }
  "query": "  ) {
  "query": "    status {
  "query": "      azureSubscriptionNativeId
  "query": "      isSuccess
  "query": "    }
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the UpdateAzureCloudAccountInput object as the input.

Use case: Disabling a cloud account

Disabling a cloud account stops the protection for workloads in the subscriptions being managed by Rubrik as part of the cloud account.

To disable a subscription, use the startDisableAzureNativeSubscriptionProtectionJob mutation to initiate an asynchronous job to disable the subscription. When the job completes, the subscription will be in disabled state.

MUTATION='{
  "query": "mutation StartDisableAzureNativeSubscriptionProtectionJob(
  "query": "  $azureSubscriptionRubrikId: UUID!
  "query": "  $shouldDeleteNativeSnapshots: Boolean!
  "query": ") {
  "query": "  startDisableAzureNativeSubscriptionProtectionJob(
  "query": "    input: {
  "query": "      azureSubscriptionRubrikId: $azureSubscriptionRubrikId
  "query": "      shouldDeleteNativeSnapshots: $shouldDeleteNativeSnapshots
  "query": "      azureNativeProtectionFeature: SQL_DB
  "query": "    }
  "query": "  ) {
  "query": "    jobId
  "query": "    error
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the StartDisableAzureNativeSubscriptionProtectionJobInput object as the input.

Use case: Deleting a cloud account

Deleting a cloud account results in deleting the Azure subscriptions associated with the cloud account for a specified feature from Rubrik.

Using OAuth to delete a cloud account results in deleting the role definitions and role assignments associated with the subscription as well.

To delete a cloud account it must be in the disabled state. Disable the cloud account, as described in Disabling a cloud account.

Deleting a cloud account with OAuth

To delete a cloud account with OAuth, perform the following steps.

Obtain a session ID and access token to access Azure APIs using OAuth, as described in the Prerequisites section.
Use a GraphQL mutation to delete the Azure cloud account from Rubrik using the session ID created during the OAuth workflow.

MUTATION='{
  "query": "mutation DeleteAzureCloudAccount(
  "query": "  $sessionId: String!
  "query": "  $azureSubscriptionRubrikId: UUID!
  "query": ") {
  "query": "  deleteAzureCloudAccount(
  "query": "    input: {
  "query": "      sessionId: $sessionId
  "query": "      features: CLOUD_NATIVE_PROTECTION
  "query": "      azureSubscriptionRubrikIds: [$azureSubscriptionRubrikId]
  "query": "    }
  "query": "  ) {
  "query": "    status {
  "query": "      isSuccess
  "query": "      error
  "query": "    }
  "query": "  }
  "query": "}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the DeleteAzureCloudAccountInput object as the input.

Deleting a cloud account without using OAuth

To delete a cloud account without using OAuth, perform the following steps.

Delete the cloud account using the deleteAzureCloudAccountWithoutOauth mutation.

MUTATION='{
  "query":
"mutation DeleteAzureCloudAccountWithoutOauth(
"  $azureSubscriptionRubrikId: UUID!
") {
"  deleteAzureCloudAccountWithoutOauth(
"    input: {
"      features: CLOUD_NATIVE_PROTECTION
"      azureSubscriptionRubrikIds: [$azureSubscriptionRubrikId]
"    }
"  ) {
"    status {
"      isSuccess
"      error
"    }
"  }
"}
"
}'

curl -X POST https://$account.my.rubrik.com/api/graphql \
--header "authorization: Bearer $access_token" \
--header "content-type: application/json" \
--data "$(echo $MUTATION)"

The mutation takes the DeleteAzureCloudAccountWithoutOauthInput object as the input.

Delete the role assignments and role definition for the cloud account subscriptions from Azure.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search