This site will be decommissioned on December 31st 2024. After that date content will be available at techdocs.broadcom.com.

Use the Cloud Accounts Service API to manage your cloud accounts in VMware Aria Automation for Secure Clouds

VMware Aria Automation for Secure Clouds provides a public Cloud Account Service (CAS) API documented through a user-friendly Swagger interface for its customers to gather insights about their connected cloud accounts. You can consistently add, update, retrieve, and remove data about your accounts by provider, credentials, projects, and other identifiers across AWS, Azure, GCP and Kubernetes.

Before you start

To perform the API calls described in this article, you need to have the following:

  • A shell terminal with curl installed or an API development tool capable of making REST API calls, such as Postman.
  • An API access token for the VMware Aria Automation for Secure Clouds platform.

API overview

You can use the CAS API to query and collect data about your cloud accounts. The API allows for extensive aggregation, sub-aggregation, filters, and searches that can be used to identify, categorize, and sort cloud accounts and their credentials once they're onboarded. Additionally, you can use the API to update existing cloud account and credential information or onboard new ones to the service. For more information about using the API to onboard your cloud accounts, see the API Onboarding Guide.

Query cloud accounts

The cloud-accounts query endpoint lets you see all cloud accounts that are currently onboarded in your organization.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{}'

Response body

{
    "totalCount": {total cloud accounts},
    "cloudAccounts": [
        {
            "cloudAccountId": "{cloud account id}",
            "cloudAccountName": "{cloud account name}",
            "cspProjectId": "{csp project id}",
            "provider": "{provider}",
            "environment": "Production",
            "ownerInfo": {
                "name": "{Owner Name}",
                "email": "{Owner Email}"
            },
            "accountStatus": {
                "value": "{account status value}",
                "lastUpdateTime": "{timestamp}"
            },
            "eventStreamStatus": {
                "value": "{event stream status value}",
                "lastUpdateTime": "{timestamp}"
            },
            "rollupStatus": {
                "value": "{rollup status value}",
                "lastUpdateTime": "{timestamp}"
            },
            "properties": [
                {
                "name": "{property name}",
                "type": "string",
                "stringV": "{property value}"
                },
            ],
            "tags": {
                "Account": "{tag}"
            },
            "eTag": "{e-tag}",
            "createdTime": "{timestamp}",
            "lastUpdateTime": "{timestamp}"
            },
            ...
        ]
}

This response displays the JSON object the CAS API uses to store cloud account information. Here is a breakdown of what the individual elements mean.

   
JSON element   
   
Type   
   
Description   
   
cloudAccountId   
   
string   

Matches provider-specific ID for the cloud account.
   
cloudAccountName   
   
string   

The user-provided name of the cloud account.
   
cspProjectId   
   
string   

Unique identifier of a project. Normally set to “default”.
   
provider   
   
string   

The account’s cloud provider. Allowed values: aws, azure, or gcp.
   
environment   
   
string   

The environment the cloud account is in (example: production).
   
ownerInfo   
   
object   

Contains information about the cloud account owner.

     name
   
string   
   
Owner’s name.   

     email
   
string   

Owner’s email address.

accountStatus
   
object   

Current status of cloud account.

     value
   
string   

Allowed values: active, draft, validation-failed, deny-access

      lastUpdateTime
   
string   

Time the status was last updated. Expressed in UTC ISO-8601 timestamp.
   
eventStreamStatus   
   
object   

Current status of a cloud account’s event stream.

      value
   
string   

Allowed values: connected, disconnected

      lastUpdateTime
   
string   

Time the status was last updated. Expressed in UTC ISO-8601 timestamp.
   
rollupStatus   
   
object   

Current status of a cloud account’s rollup.

      value
   
string   

Allowed values: draft, error, healthy, review

      lastUpdateTime
   
string   

Time the status was last updated. Expressed in UTC ISO-8601 timestamp.
   
properties   
   
array   

Properties associated with cloud account (such as account IDs and keys).

     name
   
string   

Name of the property (example: AccountID).

     type
   
string   

Data type of the property. Is always string.

     stringV
   
string   

Value of the property (example: 5498765789).
   
tags   
   
object   

Lists any tags associated with the cloud account.
   
etag   
   
string   

A unique identifier for a specific version of the JSON object.
   
createdTime   
   
string   

Time the cloud account was created. Expressed in UTC ISO-8601 timestamp.
   
lastUpdateTime   
   
string   

Time the account was last updated. Expressed in UTC ISO-8601 timestamp.

The properties object is worth noting as unique. It returns provider-specific fields and values.

   
Provider   

Properties Object
   
Value   
   
AWS   
   
name   
   
LegacyCloudAccountID   
   
type   
   
string   
   
stringV   

{AWS Legacy Account ID}
   
name   
   
AccountID   
   
type   
   
string   
   
stringV   

{AWS Account ID}
   
Azure   
   
name   
   
LegacyCloudAccountID   
   
type   
   
string   
   
stringV   

{Azure Legacy Account ID}
   
name   
   
SubscriptionID   
   
type   
   
string   
   
stringV   

{Azure Subscription ID}
   
GCP   
   
name   
   
ProjectId   
   
type   
   
string   
   
stringV   

{GCP Project ID}

Some of these elements are required to make certain API calls, but most are either optional or read-only. The examples in this article demonstrate the minimum information needed to get a successful response and specify optional elements where available.

Query cloud accounts and credentials

You can add the getCredentials element to a cloud account query and include any credentials linked to the onboarded cloud accounts in the response.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
        "getCredentials": true
    }'

Response body

{
    "totalCount": 28,
    "cloudAccounts": […],
    "credentials": [
        {
            "credentialId": "{credential id}",
            "credentialType": "{credential type}",
            "provider": "{provider}",
            "properties": [
                {
                    "name": "{property name}",
                    "type": "string",
                    "stringV": "{property value}"
                },
                {
                    "name": "{property name}",
                    "type": "string",
                    "stringV": "{property value}"
                }
            ],
            "eTag": " {e-tag}",
            "createdTime": " {timestamp}",
            "lastUpdateTime": " {timestamp}"
         },
	 ...
     ]
}

The cloud credential JSON object has two unique elements apart from the cloud account JSON object.

   
JSON element   
   
Type   
   
Description   
   
credentialId   
   
string   

The assigned credential ID.
   
credentialType   
   
string   

The credential type. Allowed values: collector

Just like in the previous query, the properties object here has some provider-specific values.

Provider
Properties Object

Value

AWS

name

RoleArn

type

string

stringV

{IAM Amazon Resource Name}

name

ExternalId

type

string

stringV

{External ID parameter}

Azure

name

ApplicationId

type

string

stringV

{Azure Active Directory application client ID}

name

DirectoryId

type

string

stringV

{Azure Active Directory tenant ID}

GCP

name

ServiceAccountEmail

type

string

stringV

{GCP Service Account email}

Seeing the credentials won't be very useful if you can't determine what cloud accounts they're associated with. Although you can sometimes examine the properties object to see which cloud account a credential is attached to, the information may not be obvious for all providers.

The most direct, provider-agnostic way to see a link between a credential and cloud account is to note the credentialId, and then look for a match in the relationships object from the JSON response.

{
    "totalCount": {total cloud accounts},
    "cloudAccounts": […],
    "credentials": […],
    "relationships": [
        {
            "cloudAccountId": "{cloud account ID}",
            "credentialId": "{credential ID}"
        },
    ...
    ]
}

The relationships object is returned as part of any cloud account query request that includes getCredentials: true in the request, and matches the unique cloudAccountId and credentialId values together.

Filter query results

You can filter the results from a query based on several criteria like provider, region, account status, account ID, and so on to refine the types of cloud accounts you want to capture. This curl command filters the results so that only Microsoft Azure cloud accounts are returned in the response.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
	"filters": {
        "providers": ["Azure"]
        }    
    }'

Response body

{
    "totalCount": {total cloud accounts},
    "cloudAccounts": [
        {
            "cloudAccountId": "{cloud account id}",
            "cloudAccountName": "{cloud account name}",
            "cspProjectId": "{csp project id}",
            "provider": "azure",
            "environment": "{environment}",
            "accountStatus": {
                 "value": "{account status value}",
                 "lastUpdateTime": "{timestamp}"
            },
            "eventStreamStatus": {
                  "value": "{event stream status value}",
                  "lastUpdateTime": "{timestamp}"
            },
            "rollupStatus": {
                  "value": "{rollup status value}",
                  "lastUpdateTime": "{timestamp}"
            },            
            "properties": [                
                  {
                    "name": "SubscriptionId",
                    "type": "string",
                    "stringV": "{Azure subscription ID}"
                  }
            ],
            "tags": {
                "Account": "{tag}"
            },
            "eTag": "{e-tag}
            "createdTime": "{timestamp}",
            "lastUpdateTime": "{timestamp}"
        },
        ...
    ]
}

You can still include getCredentials with any filtered request. This example returns all active GCP cloud accounts along with their associated credentials.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
    "filters": {
        "accountStatuses": ["active"],
        "providers": ["GCP"]
    },
    "getCredentials": true
}'

Query cloud credentials

All the previously described query operations can be performed just on cloud credentials by changing the base URL target from cloud-accounts to cloud-credentials.

This example returns all cloud credentials currently connected to your VMware Aria Automation for Secure Clouds instance.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-credentials/query \
-H 'Authorization: Bearer {access_token}' \
-d '{}'

Response body

{
    "totalCount": 29,
    "credentials": [
        {
            "credentialId": "{credential id}",
            "credentialType": "{credential type}",
            "provider": "{provider}",
            "properties": [
                {
                    "name": "{property name}",
                    "type": "string",
                    "stringV": " {property value}"
                },
                {
                    "name": "{property name}",
                    "type": "string",
                    "stringV": "{property value}"
                }
            ],
            "eTag": " {e-tag}",
            "createdTime": " {timestamp}",
            "lastUpdateTime": " {timestamp}"
         },
	 ...
    ]
}

Just like with cloud account queries, you can apply filters to determine the size and scope of your requests.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-credentials/query \
-H 'Authorization: Bearer {access_token}' \
'{
    "filters": {
        "providers": ["aws"]
    }
}'

Query cloud account collection status

VMware Aria Automation for Secure Clouds runs a full collection operation on your cloud accounts twice a day in twelve-hour increments to ensure all the resources associated with a given cloud account are updated.   The collection-status query endpoint lets you review results of these collection operations over the past seven days so you can identify any potential errors or issues that may be causing delays in cloud account updates.

The cloud account collection status endpoint can give you information about when the last collection operation was run, whether it was successful, and more details on common collection errors such as:

  • Lack of permissions.
  • Throttling issues from the cloud provider.
  • Any internal service errors or external public cloud errors.

Here is an example of a default request to the collection status endpoint.

curl -X POST \
 https://api.securestate.vmware.com/v1/cloud-accounts/collection-status/query \
 -H 'Authorization: Bearer {access_token}' \
 -d '{}'

An empty request body gives you the full seven-day history for all connected cloud accounts. You can filter the response by entering a specific provider you would like to view the collection status history for.

curl -X POST \
 https://api.securestate.vmware.com/v1/cloud-accounts/collection-status/query \
 -H 'Authorization: Bearer {access_token}' \
 -d '{
     "filters": {
         "provider": "{provider}",
        }
     }'

And you can specify even further by adding an individual cloud account ID.

curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/collection-status/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
    "filters": {
        "provider": "{provider}",
        "cloudAccountId": "{cloud account ID}"
        }
   }'

Response body

{
    "results":[
         {
             "provider": "azure",
             "cloudAccountId": "{cloud account ID}",
             "collectionId": "{collector ID}",
             "startTime": "{timestamp}",
             "endTime": "{timestamp}",
             "lastUpdateTime": "{timestamp}",
             "status": "{collector status}",
             "type": "{collector type}",
             "collectorStatus": {
                 "Azure.AKS.ManagedCluster": {
                 "status": "Success"
                 },
                 "Azure.AppService.WebApp": {
                 "status": "Success"
                 },
                 "Azure.Authorization.Lock": {
                 "status": "Success"
                 },
                 "Azure.Authorization.PolicyAssignment": {
                 "status": "Success"
                 },
                 "Azure.Authorization.RoleAssignment": {
                 "status": "Success"
                 },
                 "Azure.Authorization.RoleDefinition": {
                 "status": "Success"
                 },
                 "Azure.Cache.Redis": {
                 "status": "Success"
                 },
                 "Azure.Cdn.Profile": {
                 "status": "Success"
                 },
                 "Azure.Compute.AvailabilitySet": {
                 "status": "Success"
                 },
                 ...   
             },
        ...
    ]
}

The response introduces a few more new JSON elements and uses others to convey different information from other response types.

JSON element Type Description
cloudaccountId string The cloud account ID. Represents the account, subscription, or project ID for AWS, Azure, or GCP.
provider string The cloud provider. Can be AWS, Azure, or GCP.
startTime string Time the collection began. Expressed in UTC ISO-8601 timestamp.
endTime string Time the collection ended. Expressed in UTC ISO-8601 timestamp.
lastUpdateTime string Time the cloud account was last updated. Expressed in UTC ISO-8601 timestamp.
status string Indicates the collection result for all resource types. Allowed values are Started, Completed, CompletedWithErrors, Failed, and Timeout.
type string Indicates the scope of the collection task. Value is always Full.
collectorStatus object Contained collector status updates for each resource type associated with an account. Resource types are specific to each cloud provider.
   collector object Collector for a specific resource type (example: AWS.EC2.Instance).
   status string Indicates the collection result for a specific resource type. Allowed values are Failure, Success, Collection Errors, and Timeout.
   errors string A message that provides information about a collection error. Conditional; only appears when status is CollectionErrors.

While the example demonstrates a response for an Azure account, AWS and GCP return similar data aside from having different names for the collectors under collectorStatus.

Some additional information is available should you encounter an error in collection status.

{
    "results":[
         {
             "provider": "{provider}",
             "cloudAccountId": "{cloud account ID}",
             "collectionId": "{collector ID}",
             "startTime": "{timestamp}",
             "endTime": "{timestamp}",
             "lastUpdateTime": "{timestamp}",
             "status": "{collector status}",
             "type": "{collector type}",
             "collectorStatus": {
                 "{collector name}": {
                     "status": "CollectionErrors",
                     "errors": [
                         "{error message}"
                     ]
         }
}

Here, {collector name} would correspond to a given rules collector (like AWS.EC2.Instance), while {error message} is a string value that provides you with more information on what the collection error is.

Cloud account operations

You can use the cloud-accounts endpoint to add, retrieve, update, or delete individual cloud accounts.

Add a cloud account

Use this request to add a cloud account to VMware Aria Automation for Secure Clouds.

curl -X POST \
  https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/ \
  -H 'Authorization: Bearer {access_token}' \
  -d '{
      "cloudAccountName": "{cloud account name}",
      "cspProjectId": "default",
      "provider": "{provider}",
      "properties": [
          {
              "name": "{property name}",
              "type": "string",
              "stringV": "{property value}"
          }
      ]
  }'

The provider element is optional in the request body; if you include it, make sure it matches the provider you entered in the base URL or you’ll get an error.

When adding a cloud account, each provider requires different values in the name and stringV fields of the properties object.

Provider
Status

Properties Object

Values

AWS

Required

name

accountId

type

string

stringV

{AWS account ID}

Azure

Required

name

subscriptionId

type

string

stringV

{Azure Subscription ID}

GCP

Required

name

projectId

type

string

stringV

{GCP Project ID}

Response body

{
    "cloudAccountId": "{cloud account id}",
    "cloudAccountName": "{cloud account name}",
    "cspProjectId": "default",
    "provider": "{provider}",
    "accountStatus": {
        "value": "{account status value}",
        "lastUpdateTime": "{timestamp}"
    },
    "rollupStatus": {
        "value": "{rollup status value}",
        "lastUpdateTime": "{timestamp}"
    },
    "properties": [
        {
            "name": "{property name}",
            "type": "string",
            "stringV": "1234567890"
        }
    ],
    "eTag": {e-tag},
    "createdTime": "{timestamp}",
    "lastUpdateTime": "{timestamp}"
}

To fully onboard a cloud account, you must also upload a corresponding credential and link it to the cloud account. See the Add a cloud credential and Link cloud accounts with credentials sections of this article.

Retrieve a cloud account

You can confirm the creation of your cloud account by retrieving it with this command, where {cloud account ID} corresponds to the cloudAccountId value from the previous section's request.

curl -X GET \
  https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/{cloud account ID} \
  -H 'Authorization: Bearer {access_token}'

The response body should be identical to the one you received when you added the cloud account.

Modify a cloud accounts

You can use the CAS API to change a cloud account's information after adding it. This request updates the environment and ownerInfo elements with new information or adds them if they don’t already exist.

curl -X PUT \
  https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/{cloud account ID} \
  -H 'Authorization: Bearer {access_token}' \
  -d '{
      "cloudAccountName": "{cloud account name}",
      "cspProjectId": "default",
      "provider": "{provider}",
	"environment": "test",
      "ownerInfo": {
          "name": "owner name",
          "email": "owner email"
      },
      "properties": [
          {
              "name": "{property name}",
              "type": "string",
              "stringV": "1234567890"
          }
      ]
  }'

A successful response confirms the information you entered.

Response body

{
    "cloudAccountId": "{cloud account id}",
    "cloudAccountName": "{cloud account name}",
    "cspProjectId": "{csp project id}",
    "provider": "{provider}",
    "environment": "{environment}",
    "ownerInfo": {
        "name": "owner name",
        "email": "owner email"
    },
    "accountStatus": {
        "value": "{account status value}",
        "lastUpdateTime": "{timestamp}"
    },
    "eventStreamStatus": {
        "value": "{event stream status value}",
        "lastUpdateTime": "{timestamp}"
    },
    "rollupStatus": {
        "value": "{rollup status value}",
        "lastUpdateTime": "{timestamp}"
    },
    "properties": [
        {
            "name": "{property name}",
            "type": "string",
            "stringV": "1234567890"
        },
    ],
    "eTag": "{e-tag}",
    "createdTime": "{timestamp}",
    "lastUpdateTime": "{timestamp}"
}

Delete a cloud account

Use this command to remove an existing cloud account from VMware Aria Automation for Secure Clouds.

curl -X DELETE \
  https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/{cloud account ID} \
  -H 'Authorization: Bearer {access_token}'

A successful response displays identical information to a post or get request. You can also verify the account was deleted by making a GET request with the cloud account ID and confirming a 404 response.

{
    "message": "cloud account not found",
    "statusCode": 404
}

When you delete cloud account, all associated findings are flagged as resolved in VMware Aria Automation for Secure Clouds. If you add the cloud account again, findings are re-detected and updated with new timestamps based on when you re-added the cloud account.

Deleting a cloud account only removes it from VMware Aria Automation for Secure Clouds; nothing is deleted from your cloud environment.

Bulk onboarding and discovery for cloud accounts and Kubernetes

There are three additional API endpoints that are explicitly concerned with onboarding.

  • The discovery endpoint is used exclusively in the onboarding process for GCP.
  • The bulk-updates endpoint is used to add one or more cloud accounts and link them with previously added credentials in a single API request.
  • The collector-apis endpoint is used to add, retrieve, or remove information about Kubernetes clusters to VMware Aria Automation for Secure Clouds.

You can find more information on how to use these endpoints in the API Onboarding Guide.

Cloud credential operations

You can use the cloud-credentials endpoint to perform the same operations as the cloud-accounts endpoint, but targeted towards the credentials associated with a cloud account instead of the account itself. You can add, attach, remove, or update the credentials for a specific service without affecting the overall status of an account.

Add a cloud credential

Use this command to add a credential to VMware Aria Automation for Secure Clouds. Note the only credentialType value the API accepts is collection.

curl -X POST \
  https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/ \
  -H 'Authorization: Bearer {access_token}' \
  -d '{
	"credentialType": "collection",
        "provider": "{provider}",
        "properties": [
            {
                "name": "{property name 1}",
                "type": "string",
                "stringV": "{property value 1}"
            },
	    {
                "name": "{property name 2}",
                "type": "string",
                "stringV": "{property value 2}"
            }
            ...
        ]
  }'

The provider element is optional in the request body; if you include it, make sure it matches the provider you entered in the base URL or you’ll get an error.

When adding a cloud credential, each provider requires different values in the name and stringV fields of the properties object.

Provider
Status

Properties Object

Value

AWS

Required

name

RoleArn

type

string

stringV

{IAM Amazon Resource Name}

Optional

name

ExternalId

type

string

stringV

{External ID parameter}

Azure

Required

name

ApplicationId

type

string

stringV

{Azure Active Directory application client ID}

Required

name

ApplicationKey

type

string

stringV

{Azure Active Directory client secret}

Required

name

DirectoryId

type

string

stringV

{Azure Active Directory tenant ID}

GCP

Required

name

ServiceAccountEmail

type

string

stringV

{GCP Service Account email}

Required

name

ServiceAccountKey

type

string

stringV

{Base 64 encoded service account key}

The values for the AWS and Azure stringV properties can be gathered from their cloud consoles, while the GCP values come from the encoded service account key created in the API onboarding process and the service email associated with the GCP project.

A successful response confirms the credential information you entered.

Response body

{
    "credentialId": "{credential id}",
    "credentialType": "collection",
    "provider": "{provider}",
    "properties": [
        {
            "name": "{property name}"
            "type": "string",
            "stringV": "{property value}"
        }
    ],
    "eTag": "{e-tag}",
    "createdTime": "{Timestamp}",
    "lastUpdateTime": "{Timestamp}"
}

Once you have the credentialId from the response you can use it for the other three operations available with the cloud-credentials endpoint.

Retrieve a credential

Copy and paste the credentialId into this request's base URL to confirm the credential upload.

curl -X GET \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/{credential ID} \
-H 'Authorization: Bearer {access_token}' \

A successful request should display the same response as before in the previous section. You can also use this command to retrieve the information of any other credentials uploaded to VMware Aria Automation for Secure Clouds.

Modify a credential

To update an existing credential, use this request:

curl -X PUT \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/{credential ID} \
-H 'Authorization: Bearer {access_token}' \
-d '{
    "credentialType": "collection",
    "provider": "{provider}"
    "properties": [
        {
            "name": "{property name 1}",
            "type": "string",
            "stringV": "{new property value 1}"
        },
        {
            "name": "{property name 2}",
            "type": "string",
            "stringV": "{new property value 2}"
        }
    ]
}'

You can use this request to change any of the properties stored for a given credential ID. A successful response should return the new values you entered.

Response body

{
    "credentialId": "{credential id}",
    "credentialType": "collection",
    "provider": "gcp",
    "properties": [
        {
            "name": "{property name 1}"
            "type": "string",
            "stringV": "{new property value 1}"
        },
        {
            "name": "{property name 2}",
            "type": "string",
            "stringV": "{new property value 2}"
        }
    ],
    "eTag": "{tag}",
    "createdTime": "{timestamp}",
    "lastUpdateTime": "{timestamp}"
}

Delete a credential

Use this command to remove expired or redundant credentials.

curl -X DELETE \
  https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/{credentialId} \
  -H 'Authorization: Bearer {access_token}'

A successful response displays identical information to a post or get request. You can also verify the credential was deleted by by making a get request with the ID and confirming a 404 response.

{
    "message": "credential not found",
    "statusCode": 404
}

This operation only removes the credential from VMware Aria Automation for Secure Clouds, it won’t be deleted from your cloud environment.

If you've uploaded a cloud account and cloud credential separately, you must link them together with the account-credential-relationship endpoint. You can also use these API calls to attach new credentials to an existing cloud accounts and remove credentials that have expired.

Add an account-credential relationship

Use this command to link a cloud account and credential together.

curl -X POST \
https://api.securestate.vmware.com/v1/providers/{provider}/account-credential-relationship \
-H 'Authorization: Bearer {access_token}' \
-d '{
    "cloudAccountId": "{cloud account ID}",
    "credentialId": "{credential ID}"
}'

A successful response returns both supplied IDs together.

Response body

{    
    "cloudAccountId": "{cloud account ID}",    
    "credentialId": "{cloud credential ID}",    
    "eTag": "{e-tag}",    
    "createdTime": "{timestamp}",    
    "lastUpdateTime": "{timestamp}"
}

You can confirm the link by calling the cloud account query endpoint with the getCredentials element and finding the account-credential pair in the relationships object from the response.

{
    "totalCount": {total cloud accounts},
    "cloudAccounts": […],
    "credentials": […],
    "relationships": [
        {
            "cloudAccountId": "{cloud account ID}",
            "credentialId": "{credential ID}"
        },
    ...
    ]
}

Remove an account-credential relationship

Use this command to remove the link between a cloud account and credential.

curl -X DELETE \
https://api.securestate.vmware.com/v1/providers/{provider}/{cloudAccountId}_{credentialId} \
-H 'Authorization: Bearer {access_token}'

A successful response returns a JSON object that is identical to the response in the previous example. This operation unlinks the cloud account and credential, but does not delete them.

Swagger documentation

Refer to the Cloud Accounts Service API Swagger documentation for interactive examples of these API calls. For post-type requests you can edit the existing templates in the Swagger UI or just copy the JSON portion from any of the request examples written in this article and add the information for your cloud accounts. You can see examples of how to use the bulk onboarding API in the API Onboarding Guide.

check-circle-line exclamation-circle-line close-line
Scroll to top icon