Use the Cloud Accounts Service API to manage your cloud accounts in VMware Aria Automation for Secure Clouds
VMware Aria Automation for Secure Clouds provides a public Cloud Account Service (CAS) API documented through a user-friendly Swagger interface for its customers to gather insights about their connected cloud accounts. You can consistently add, update, retrieve, and remove data about your accounts by provider, credentials, projects, and other identifiers across AWS, Azure, GCP and Kubernetes.
Before you start
To perform the API calls described in this article, you need to have the following:
- A shell terminal with curl installed or an API development tool capable of making REST API calls, such as Postman.
- An API access token for the VMware Aria Automation for Secure Clouds platform.
API overview
You can use the CAS API to query and collect data about your cloud accounts. The API allows for extensive aggregation, sub-aggregation, filters, and searches that can be used to identify, categorize, and sort cloud accounts and their credentials once they're onboarded. Additionally, you can use the API to update existing cloud account and credential information or onboard new ones to the service. For more information about using the API to onboard your cloud accounts, see the API Onboarding Guide.
Query cloud accounts
The cloud-accounts query endpoint lets you see all cloud accounts that are currently onboarded in your organization.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{}'
Response body
{
"totalCount": {total cloud accounts},
"cloudAccounts": [
{
"cloudAccountId": "{cloud account id}",
"cloudAccountName": "{cloud account name}",
"cspProjectId": "{csp project id}",
"provider": "{provider}",
"environment": "Production",
"ownerInfo": {
"name": "{Owner Name}",
"email": "{Owner Email}"
},
"accountStatus": {
"value": "{account status value}",
"lastUpdateTime": "{timestamp}"
},
"eventStreamStatus": {
"value": "{event stream status value}",
"lastUpdateTime": "{timestamp}"
},
"rollupStatus": {
"value": "{rollup status value}",
"lastUpdateTime": "{timestamp}"
},
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": "{property value}"
},
],
"tags": {
"Account": "{tag}"
},
"eTag": "{e-tag}",
"createdTime": "{timestamp}",
"lastUpdateTime": "{timestamp}"
},
...
]
}
This response displays the JSON object the CAS API uses to store cloud account information. Here is a breakdown of what the individual elements mean.
| JSON element |
Type |
Description |
|---|---|---|
| cloudAccountId |
string |
Matches provider-specific ID for the cloud account. |
| cloudAccountName |
string |
The user-provided name of the cloud account. |
| cspProjectId |
string |
Unique identifier of a project. Normally set to “default”. |
| provider |
string |
The account’s cloud provider. Allowed values: aws, azure, or gcp. |
| environment |
string |
The environment the cloud account is in (example: production). |
| ownerInfo |
object |
Contains information about the cloud account owner. |
| name |
string |
Owner’s name. |
| |
string |
Owner’s email address. |
accountStatus |
object |
Current status of cloud account. |
| value |
string |
Allowed values: active, draft, validation-failed, deny-access |
| lastUpdateTime |
string |
Time the status was last updated. Expressed in UTC ISO-8601 timestamp. |
| eventStreamStatus |
object |
Current status of a cloud account’s event stream. |
value |
string |
Allowed values: connected, disconnected |
lastUpdateTime |
string |
Time the status was last updated. Expressed in UTC ISO-8601 timestamp. |
| rollupStatus |
object |
Current status of a cloud account’s rollup. |
| value |
string |
Allowed values: draft, error, healthy, review |
| lastUpdateTime |
string |
Time the status was last updated. Expressed in UTC ISO-8601 timestamp. |
| properties |
array |
Properties associated with cloud account (such as account IDs and keys). |
| name |
string |
Name of the property (example: AccountID). |
| type |
string |
Data type of the property. Is always string. |
| stringV |
string |
Value of the property (example: 5498765789). |
| tags |
object |
Lists any tags associated with the cloud account. |
| etag |
string |
A unique identifier for a specific version of the JSON object. |
| createdTime |
string |
Time the cloud account was created. Expressed in UTC ISO-8601 timestamp. |
| lastUpdateTime |
string |
Time the account was last updated. Expressed in UTC ISO-8601 timestamp. |
The properties object is worth noting as unique. It returns provider-specific fields and values.
| Provider |
Properties Object |
Value |
|---|---|---|
| AWS |
name |
LegacyCloudAccountID |
| type |
string |
|
| stringV |
{AWS Legacy Account ID} |
|
| name |
AccountID |
|
| type |
string |
|
| stringV |
{AWS Account ID} |
|
| Azure |
name |
LegacyCloudAccountID |
| type |
string |
|
| stringV |
{Azure Legacy Account ID} |
|
| name |
SubscriptionID |
|
| type |
string |
|
| stringV |
{Azure Subscription ID} |
|
| GCP |
name |
ProjectId |
| type |
string |
|
| stringV |
{GCP Project ID} |
Some of these elements are required to make certain API calls, but most are either optional or read-only. The examples in this article demonstrate the minimum information needed to get a successful response and specify optional elements where available.
Query cloud accounts and credentials
You can add the getCredentials element to a cloud account query and include any credentials linked to the onboarded cloud accounts in the response.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"getCredentials": true
}'
Response body
{
"totalCount": 28,
"cloudAccounts": […],
"credentials": [
{
"credentialId": "{credential id}",
"credentialType": "{credential type}",
"provider": "{provider}",
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": "{property value}"
},
{
"name": "{property name}",
"type": "string",
"stringV": "{property value}"
}
],
"eTag": " {e-tag}",
"createdTime": " {timestamp}",
"lastUpdateTime": " {timestamp}"
},
...
]
}
The cloud credential JSON object has two unique elements apart from the cloud account JSON object.
| JSON element |
Type |
Description |
|---|---|---|
| credentialId |
string |
The assigned credential ID. |
| credentialType |
string |
The credential type. Allowed values: collector |
Just like in the previous query, the properties object here has some provider-specific values.
| Provider | Properties Object |
Value |
|---|---|---|
| AWS |
name |
RoleArn |
| type |
string |
|
| stringV |
{IAM Amazon Resource Name} |
|
| name |
ExternalId |
|
| type |
string |
|
| stringV |
{External ID parameter} |
|
| Azure |
name |
ApplicationId |
| type |
string |
|
| stringV |
{Azure Active Directory application client ID} |
|
| name |
DirectoryId |
|
| type |
string |
|
| stringV |
{Azure Active Directory tenant ID} |
|
| GCP |
name |
ServiceAccountEmail |
| type |
string |
|
| stringV |
{GCP Service Account email} |
Seeing the credentials won't be very useful if you can't determine what cloud accounts they're associated with. Although you can sometimes examine the properties object to see which cloud account a credential is attached to, the information may not be obvious for all providers.
The most direct, provider-agnostic way to see a link between a credential and cloud account is to note the credentialId, and then look for a match in the relationships object from the JSON response.
{
"totalCount": {total cloud accounts},
"cloudAccounts": […],
"credentials": […],
"relationships": [
{
"cloudAccountId": "{cloud account ID}",
"credentialId": "{credential ID}"
},
...
]
}
The relationships object is returned as part of any cloud account query request that includes getCredentials: true in the request, and matches the unique cloudAccountId and credentialId values together.
Filter query results
You can filter the results from a query based on several criteria like provider, region, account status, account ID, and so on to refine the types of cloud accounts you want to capture. This curl command filters the results so that only Microsoft Azure cloud accounts are returned in the response.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"filters": {
"providers": ["Azure"]
}
}'
Response body
{
"totalCount": {total cloud accounts},
"cloudAccounts": [
{
"cloudAccountId": "{cloud account id}",
"cloudAccountName": "{cloud account name}",
"cspProjectId": "{csp project id}",
"provider": "azure",
"environment": "{environment}",
"accountStatus": {
"value": "{account status value}",
"lastUpdateTime": "{timestamp}"
},
"eventStreamStatus": {
"value": "{event stream status value}",
"lastUpdateTime": "{timestamp}"
},
"rollupStatus": {
"value": "{rollup status value}",
"lastUpdateTime": "{timestamp}"
},
"properties": [
{
"name": "SubscriptionId",
"type": "string",
"stringV": "{Azure subscription ID}"
}
],
"tags": {
"Account": "{tag}"
},
"eTag": "{e-tag}
"createdTime": "{timestamp}",
"lastUpdateTime": "{timestamp}"
},
...
]
}
You can still include getCredentials with any filtered request. This example returns all active GCP cloud accounts along with their associated credentials.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"filters": {
"accountStatuses": ["active"],
"providers": ["GCP"]
},
"getCredentials": true
}'
Query cloud credentials
All the previously described query operations can be performed just on cloud credentials by changing the base URL target from cloud-accounts to cloud-credentials.
This example returns all cloud credentials currently connected to your VMware Aria Automation for Secure Clouds instance.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-credentials/query \
-H 'Authorization: Bearer {access_token}' \
-d '{}'
Response body
{
"totalCount": 29,
"credentials": [
{
"credentialId": "{credential id}",
"credentialType": "{credential type}",
"provider": "{provider}",
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": " {property value}"
},
{
"name": "{property name}",
"type": "string",
"stringV": "{property value}"
}
],
"eTag": " {e-tag}",
"createdTime": " {timestamp}",
"lastUpdateTime": " {timestamp}"
},
...
]
}
Just like with cloud account queries, you can apply filters to determine the size and scope of your requests.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-credentials/query \
-H 'Authorization: Bearer {access_token}' \
'{
"filters": {
"providers": ["aws"]
}
}'
Query cloud account collection status
VMware Aria Automation for Secure Clouds runs a full collection operation on your cloud accounts twice a day in twelve-hour increments to ensure all the resources associated with a given cloud account are updated. The collection-status query endpoint lets you review results of these collection operations over the past seven days so you can identify any potential errors or issues that may be causing delays in cloud account updates.
The cloud account collection status endpoint can give you information about when the last collection operation was run, whether it was successful, and more details on common collection errors such as:
- Lack of permissions.
- Throttling issues from the cloud provider.
- Any internal service errors or external public cloud errors.
Here is an example of a default request to the collection status endpoint.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/collection-status/query \
-H 'Authorization: Bearer {access_token}' \
-d '{}'
An empty request body gives you the full seven-day history for all connected cloud accounts. You can filter the response by entering a specific provider you would like to view the collection status history for.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/collection-status/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"filters": {
"provider": "{provider}",
}
}'
And you can specify even further by adding an individual cloud account ID.
curl -X POST \
https://api.securestate.vmware.com/v1/cloud-accounts/collection-status/query \
-H 'Authorization: Bearer {access_token}' \
-d '{
"filters": {
"provider": "{provider}",
"cloudAccountId": "{cloud account ID}"
}
}'
Response body
{
"results":[
{
"provider": "azure",
"cloudAccountId": "{cloud account ID}",
"collectionId": "{collector ID}",
"startTime": "{timestamp}",
"endTime": "{timestamp}",
"lastUpdateTime": "{timestamp}",
"status": "{collector status}",
"type": "{collector type}",
"collectorStatus": {
"Azure.AKS.ManagedCluster": {
"status": "Success"
},
"Azure.AppService.WebApp": {
"status": "Success"
},
"Azure.Authorization.Lock": {
"status": "Success"
},
"Azure.Authorization.PolicyAssignment": {
"status": "Success"
},
"Azure.Authorization.RoleAssignment": {
"status": "Success"
},
"Azure.Authorization.RoleDefinition": {
"status": "Success"
},
"Azure.Cache.Redis": {
"status": "Success"
},
"Azure.Cdn.Profile": {
"status": "Success"
},
"Azure.Compute.AvailabilitySet": {
"status": "Success"
},
...
},
...
]
}
The response introduces a few more new JSON elements and uses others to convey different information from other response types.
| JSON element | Type | Description |
|---|---|---|
| cloudaccountId | string | The cloud account ID. Represents the account, subscription, or project ID for AWS, Azure, or GCP. |
| provider | string | The cloud provider. Can be AWS, Azure, or GCP. |
| startTime | string | Time the collection began. Expressed in UTC ISO-8601 timestamp. |
| endTime | string | Time the collection ended. Expressed in UTC ISO-8601 timestamp. |
| lastUpdateTime | string | Time the cloud account was last updated. Expressed in UTC ISO-8601 timestamp. |
| status | string | Indicates the collection result for all resource types. Allowed values are Started, Completed, CompletedWithErrors, Failed, and Timeout. |
| type | string | Indicates the scope of the collection task. Value is always Full. |
| collectorStatus | object | Contained collector status updates for each resource type associated with an account. Resource types are specific to each cloud provider. |
| collector | object | Collector for a specific resource type (example: AWS.EC2.Instance). |
| status | string | Indicates the collection result for a specific resource type. Allowed values are Failure, Success, Collection Errors, and Timeout. |
| errors | string | A message that provides information about a collection error. Conditional; only appears when status is CollectionErrors. |
While the example demonstrates a response for an Azure account, AWS and GCP return similar data aside from having different names for the collectors under collectorStatus.
Some additional information is available should you encounter an error in collection status.
{
"results":[
{
"provider": "{provider}",
"cloudAccountId": "{cloud account ID}",
"collectionId": "{collector ID}",
"startTime": "{timestamp}",
"endTime": "{timestamp}",
"lastUpdateTime": "{timestamp}",
"status": "{collector status}",
"type": "{collector type}",
"collectorStatus": {
"{collector name}": {
"status": "CollectionErrors",
"errors": [
"{error message}"
]
}
}
Here, {collector name} would correspond to a given rules collector (like AWS.EC2.Instance), while {error message} is a string value that provides you with more information on what the collection error is.
Cloud account operations
You can use the cloud-accounts endpoint to add, retrieve, update, or delete individual cloud accounts.
Add a cloud account
Use this request to add a cloud account to VMware Aria Automation for Secure Clouds.
curl -X POST \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/ \
-H 'Authorization: Bearer {access_token}' \
-d '{
"cloudAccountName": "{cloud account name}",
"cspProjectId": "default",
"provider": "{provider}",
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": "{property value}"
}
]
}'
The provider element is optional in the request body; if you include it, make sure it matches the provider you entered in the base URL or you’ll get an error.
When adding a cloud account, each provider requires different values in the name and stringV fields of the properties object.
| Provider | Status |
Properties Object |
Values |
|---|---|---|---|
| AWS |
Required |
name |
accountId |
| type |
string |
||
| stringV |
{AWS account ID} |
||
| Azure |
Required |
name |
subscriptionId |
| type |
string |
||
| stringV |
{Azure Subscription ID} |
||
| GCP |
Required |
name |
projectId |
| type |
string |
||
| stringV |
{GCP Project ID} |
Response body
{
"cloudAccountId": "{cloud account id}",
"cloudAccountName": "{cloud account name}",
"cspProjectId": "default",
"provider": "{provider}",
"accountStatus": {
"value": "{account status value}",
"lastUpdateTime": "{timestamp}"
},
"rollupStatus": {
"value": "{rollup status value}",
"lastUpdateTime": "{timestamp}"
},
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": "1234567890"
}
],
"eTag": {e-tag},
"createdTime": "{timestamp}",
"lastUpdateTime": "{timestamp}"
}
To fully onboard a cloud account, you must also upload a corresponding credential and link it to the cloud account. See the Add a cloud credential and Link cloud accounts with credentials sections of this article.
Retrieve a cloud account
You can confirm the creation of your cloud account by retrieving it with this command, where {cloud account ID} corresponds to the cloudAccountId value from the previous section's request.
curl -X GET \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/{cloud account ID} \
-H 'Authorization: Bearer {access_token}'
The response body should be identical to the one you received when you added the cloud account.
Modify a cloud accounts
You can use the CAS API to change a cloud account's information after adding it. This request updates the environment and ownerInfo elements with new information or adds them if they don’t already exist.
curl -X PUT \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/{cloud account ID} \
-H 'Authorization: Bearer {access_token}' \
-d '{
"cloudAccountName": "{cloud account name}",
"cspProjectId": "default",
"provider": "{provider}",
"environment": "test",
"ownerInfo": {
"name": "owner name",
"email": "owner email"
},
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": "1234567890"
}
]
}'
A successful response confirms the information you entered.
Response body
{
"cloudAccountId": "{cloud account id}",
"cloudAccountName": "{cloud account name}",
"cspProjectId": "{csp project id}",
"provider": "{provider}",
"environment": "{environment}",
"ownerInfo": {
"name": "owner name",
"email": "owner email"
},
"accountStatus": {
"value": "{account status value}",
"lastUpdateTime": "{timestamp}"
},
"eventStreamStatus": {
"value": "{event stream status value}",
"lastUpdateTime": "{timestamp}"
},
"rollupStatus": {
"value": "{rollup status value}",
"lastUpdateTime": "{timestamp}"
},
"properties": [
{
"name": "{property name}",
"type": "string",
"stringV": "1234567890"
},
],
"eTag": "{e-tag}",
"createdTime": "{timestamp}",
"lastUpdateTime": "{timestamp}"
}
Delete a cloud account
Use this command to remove an existing cloud account from VMware Aria Automation for Secure Clouds.
curl -X DELETE \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-accounts/{cloud account ID} \
-H 'Authorization: Bearer {access_token}'
A successful response displays identical information to a post or get request. You can also verify the account was deleted by making a GET request with the cloud account ID and confirming a 404 response.
{
"message": "cloud account not found",
"statusCode": 404
}
When you delete cloud account, all associated findings are flagged as resolved in VMware Aria Automation for Secure Clouds. If you add the cloud account again, findings are re-detected and updated with new timestamps based on when you re-added the cloud account.
Deleting a cloud account only removes it from VMware Aria Automation for Secure Clouds; nothing is deleted from your cloud environment.
Bulk onboarding and discovery for cloud accounts and Kubernetes
There are three additional API endpoints that are explicitly concerned with onboarding.
- The discovery endpoint is used exclusively in the onboarding process for GCP.
- The bulk-updates endpoint is used to add one or more cloud accounts and link them with previously added credentials in a single API request.
- The collector-apis endpoint is used to add, retrieve, or remove information about Kubernetes clusters to VMware Aria Automation for Secure Clouds.
You can find more information on how to use these endpoints in the API Onboarding Guide.
Cloud credential operations
You can use the cloud-credentials endpoint to perform the same operations as the cloud-accounts endpoint, but targeted towards the credentials associated with a cloud account instead of the account itself. You can add, attach, remove, or update the credentials for a specific service without affecting the overall status of an account.
Add a cloud credential
Use this command to add a credential to VMware Aria Automation for Secure Clouds. Note the only credentialType value the API accepts is collection.
curl -X POST \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/ \
-H 'Authorization: Bearer {access_token}' \
-d '{
"credentialType": "collection",
"provider": "{provider}",
"properties": [
{
"name": "{property name 1}",
"type": "string",
"stringV": "{property value 1}"
},
{
"name": "{property name 2}",
"type": "string",
"stringV": "{property value 2}"
}
...
]
}'
The provider element is optional in the request body; if you include it, make sure it matches the provider you entered in the base URL or you’ll get an error.
When adding a cloud credential, each provider requires different values in the name and stringV fields of the properties object.
| Provider | Status |
Properties Object |
Value |
|---|---|---|---|
| AWS |
Required |
name |
RoleArn |
| type |
string |
||
| stringV |
{IAM Amazon Resource Name} |
||
| Optional |
name |
ExternalId |
|
| type |
string |
||
| stringV |
{External ID parameter} |
||
| Azure |
Required |
name |
ApplicationId |
| type |
string |
||
| stringV |
{Azure Active Directory application client ID} |
||
| Required |
name |
ApplicationKey |
|
| type |
string |
||
| stringV |
{Azure Active Directory client secret} |
||
| Required |
name |
DirectoryId |
|
| type |
string |
||
| stringV |
{Azure Active Directory tenant ID} |
||
| GCP |
Required |
name |
ServiceAccountEmail |
| type |
string |
||
| stringV |
{GCP Service Account email} |
||
| Required |
name |
ServiceAccountKey |
|
| type |
string |
||
| stringV |
{Base 64 encoded service account key} |
The values for the AWS and Azure stringV properties can be gathered from their cloud consoles, while the GCP values come from the encoded service account key created in the API onboarding process and the service email associated with the GCP project.
A successful response confirms the credential information you entered.
Response body
{
"credentialId": "{credential id}",
"credentialType": "collection",
"provider": "{provider}",
"properties": [
{
"name": "{property name}"
"type": "string",
"stringV": "{property value}"
}
],
"eTag": "{e-tag}",
"createdTime": "{Timestamp}",
"lastUpdateTime": "{Timestamp}"
}
Once you have the credentialId from the response you can use it for the other three operations available with the cloud-credentials endpoint.
Retrieve a credential
Copy and paste the credentialId into this request's base URL to confirm the credential upload.
curl -X GET \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/{credential ID} \
-H 'Authorization: Bearer {access_token}' \
A successful request should display the same response as before in the previous section. You can also use this command to retrieve the information of any other credentials uploaded to VMware Aria Automation for Secure Clouds.
Modify a credential
To update an existing credential, use this request:
curl -X PUT \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/{credential ID} \
-H 'Authorization: Bearer {access_token}' \
-d '{
"credentialType": "collection",
"provider": "{provider}"
"properties": [
{
"name": "{property name 1}",
"type": "string",
"stringV": "{new property value 1}"
},
{
"name": "{property name 2}",
"type": "string",
"stringV": "{new property value 2}"
}
]
}'
You can use this request to change any of the properties stored for a given credential ID. A successful response should return the new values you entered.
Response body
{
"credentialId": "{credential id}",
"credentialType": "collection",
"provider": "gcp",
"properties": [
{
"name": "{property name 1}"
"type": "string",
"stringV": "{new property value 1}"
},
{
"name": "{property name 2}",
"type": "string",
"stringV": "{new property value 2}"
}
],
"eTag": "{tag}",
"createdTime": "{timestamp}",
"lastUpdateTime": "{timestamp}"
}
Delete a credential
Use this command to remove expired or redundant credentials.
curl -X DELETE \
https://api.securestate.vmware.com/v1/providers/{provider}/cloud-credentials/{credentialId} \
-H 'Authorization: Bearer {access_token}'
A successful response displays identical information to a post or get request. You can also verify the credential was deleted by by making a get request with the ID and confirming a 404 response.
{
"message": "credential not found",
"statusCode": 404
}
This operation only removes the credential from VMware Aria Automation for Secure Clouds, it won’t be deleted from your cloud environment.
Link cloud accounts with cloud credentials
If you've uploaded a cloud account and cloud credential separately, you must link them together with the account-credential-relationship endpoint. You can also use these API calls to attach new credentials to an existing cloud accounts and remove credentials that have expired.
Add an account-credential relationship
Use this command to link a cloud account and credential together.
curl -X POST \
https://api.securestate.vmware.com/v1/providers/{provider}/account-credential-relationship \
-H 'Authorization: Bearer {access_token}' \
-d '{
"cloudAccountId": "{cloud account ID}",
"credentialId": "{credential ID}"
}'
A successful response returns both supplied IDs together.
Response body
{
"cloudAccountId": "{cloud account ID}",
"credentialId": "{cloud credential ID}",
"eTag": "{e-tag}",
"createdTime": "{timestamp}",
"lastUpdateTime": "{timestamp}"
}
You can confirm the link by calling the cloud account query endpoint with the getCredentials element and finding the account-credential pair in the relationships object from the response.
{
"totalCount": {total cloud accounts},
"cloudAccounts": […],
"credentials": […],
"relationships": [
{
"cloudAccountId": "{cloud account ID}",
"credentialId": "{credential ID}"
},
...
]
}
Remove an account-credential relationship
Use this command to remove the link between a cloud account and credential.
curl -X DELETE \
https://api.securestate.vmware.com/v1/providers/{provider}/{cloudAccountId}_{credentialId} \
-H 'Authorization: Bearer {access_token}'
A successful response returns a JSON object that is identical to the response in the previous example. This operation unlinks the cloud account and credential, but does not delete them.
Swagger documentation
Refer to the Cloud Accounts Service API Swagger documentation for interactive examples of these API calls. For post-type requests you can edit the existing templates in the Swagger UI or just copy the JSON portion from any of the request examples written in this article and add the information for your cloud accounts. You can see examples of how to use the bulk onboarding API in the API Onboarding Guide.
