This article will illustrate how to automate the configuration of roles and permissions for your CloudGuard account using the CloudGuard API.
Resources used:
- Role - this is used to add and update a new role to the CloudGuard account (see Role)
- CloudAccount - this is used to obtain the CloudGuard account id (see CloudAccounts)
- OrganizationalUnit - this is used to obtain the CloudGuard id for an Org Unit (see OrganizationalUnit)
Prerequisites
- you will need the API Key and Secret for your CloudGuard account. These are used as the username & password to access your account with the API, using Basic Authentication.
Get all the roles in your account
Request
GET https://api.dome9.com/v2/Role
Response
The response gives all the roles currently defined for the account, with their permissions.
[
{
"id":76721,
"name":"admin",
"description":"admin",
"permissions":{
"access":[
"1"
],
"manage":[
"1"
],
"create":[
"2"
],
"view":[
""
],
"crossAccountAccess":[ ]
}
},
{
"id":76641,
"name":"Auditor",
"description":"Auditor Role, Views all system resources",
"permissions":{
"access":[ ],
"manage":[ ],
"create":[ ],
"view":[
""
],
"crossAccountAccess":[ ]
}
},
{
"id":76642,
"name":"Super User",
"description":"Super User Role, Manages all system resources",
"permissions":{
"access":[ ],
"manage":[
""
],
"create":[
"0",
"2"
],
"view":[ ],
"crossAccountAccess":[ ]
}
}
]
Code sample
curl -X GET https://api.dome9.com/v2/Role/ \
--basic -u <key-id>:<key-secret> \
-H 'Accept: application/json'
Create a new role
Creating a new role is a 2 step process:
- first we create (
post
) a new role with empty permissions
- then we update (
put
) this role with the desired permissions
This is the JSON request block for the POST method:
{
"name":"new-name",
"description":"my-role-desc",
"permissions": {
"access": [],
"manage": [],
"create": [],
"view": [],
"crossAccountAccess": []
}
}
Create a new role without permissions
Request
POST https://api.dome9.com/v2/Role
{
"name":"new-role",
"description":"my-role-desc",
"permissions":{
"access":[ ],
"manage":[ ],
"create":[ ],
"view":[ ],
"crossAccountAccess":[ ]
}
}
Response
The response shows the new role. The id, 94761, will be used to add permissions to the role.
{
"id":94761,
"name":"new-role",
"description":"my-role-desc",
"permissions":{
"access":[ ],
"manage":[ ],
"create":[ ],
"view":[ ],
"crossAccountAccess":[ ]
}
}
Code sample
curl -X POST https://api.dome9.com/v2/Role \
--basic -u <key-id>:<key-secret> \
-H 'Content-Type: application/json' \
-H 'Accept: application/json'
-d '{
"name":"new-name",
"description":"my-role-desc",
"permissions": {
"access": [],
"manage": [],
"create": [],
"view": [],
"crossAccountAccess": []
}
}'
Add permissions to the role
Construct the correct permissions
object
The most relevant permissions are manage
and view
. Note that manage
also includes the view
permission so there is no need to add duplicates.
The resolution for our use-case will be either all accounts or a specific AWS account(s). You can also assign permissions to an Organizational Unit (a group of cloud accounts).
Permission for specific AWS accounts
In the (manage/view) property we'll construct an array of the form: 1|<CloudGuard Cloud Account Id>
Example - permissions object for managing 2 AWS accounts:
"permissions": {
"access": [],
"manage": [
"1|aaaaaaaaa-48b8-4f64-baa5-b70901fe56db",
"1|bbbbbbbbb-48b8-4f64-baa5-b70901fe56db"
],
"create": [],
"view": [],
"crossAccountAccess": []
}
Note: "1"
is the code for AWS. For Azure, use "7", and for GCP, "8". For Organizational Units (groups of accounts), use "12". The value after "|" is the CloudGuard id for the account (or Org Unit, see below, for details how to obtain this).
Permission for ALL resources (AWS account, Azure ,GCP and any other asset/policy)
In the (manage/view) property we'll add an entry with an empty string, which represents a 'catch all' filter.
Example - permissions object for viewing ALL AWSaccounts:
"permissions": {
"access": [],
"manage": [],
"create": [],
"view": [
""
],
"crossAccountAccess": []
}
``
Determine the CloudGuard account id from the AWS account number
The permissions array in the request block for updating (post) roles requires the internal CloudGuard account id. To obtain this, we will use the cloudaccounts
resource to resolve the AWS account number to the CloudGuard ID.
Request
GET https://api.dome9.com/v2/CloudAccounts
Response
The response shows details for the CloudGuard account. The id field in the response is the internal CloudGuard account ID.
[
{
"id":"6*******-a***-4***-b***-c**********a",
"vendor":"aws",
"name":"AWS-1",
"externalAccountNumber":"***********9",
"error":null,
"creationDate":"2018-08-27T12:58:25.443Z",
"credentials":{ ... },
"iamSafe":null,
"netSec":{ ...
},
"magellan":false,
"fullProtection":false,
"allowReadOnly":false
}
]
Code sample
curl -X GET https://api.dome9.com/v2/CloudAccounts/ \
--basic -u <key-id>:<key-secret> \
-H 'Accept: application/json'
In a similar way, you can use GET https://api.dome9.com/v2/OrganizationalUnit to obtain a list of all Org Units,
and their ids.
Update a role with permissions
To add permissions to a role, we will put
into the right resource id the new role object.
In this example we'll add a permission to manage a single AWS account, but we could make any permissions modification, such as removing old permissions or adding new permissions.
Notes:
- This will overwrite the entire entity, so, if you wish to perform a partial update, make sure to
get
it first, apply your modification to the entire list, and then put
the new state
- Please review the resource URL that we are putting into (containing the role ID)
Request
PUT https://api.dome9.com/v2/Role/94761
{
"id": 94761,
"name":"new-role",
"description":"auto-desc",
"permissions": {
"access": [],
"manage": [
"1|6*******-a***-4***-b***-c**********a"
],
"create": [],
"view": [],
"crossAccountAccess": []
}
}
Response
The response confirms the addition of the 'manage' permission to the role.
{
"id":94761,
"name":"new-role",
"description":"auto-desc",
"permissions":{
"access":[ ],
"manage":[
"1|6*******-a***-4***-b***-c**********a"
],
"create":[ ],
"view":[ ],
"crossAccountAccess":[ ]
}
}
Code sample
curl -X GET https://api.dome9.com/v2/CloudAccounts/94761 \
--basic -u <key-id>:<key-secret> \
-H 'Accept: application/json'
-d '{
"id":94761,
"name":"new-role",
"description":"auto-desc",
"permissions":{
"access":[ ],
"manage":[
"1|6*******-a***-4***-b***-c**********a"
],
"create":[ ],
"view":[ ],
"crossAccountAccess":[ ]
}
}'
Delete a role
Delete a role by sending the delete
http request to the relevant resource id.
Request
DELETE https://api.dome9.com/v2/Role/94761
Response
204