Connect-Rubrik - add support for MFA

Open paschott opened this issue 3 years ago • 8 comments

Is your feature request related to a problem? Please describe.

We recently turned on RSA for multi-factor Auth on our Rubrik server. There doesn't seem to be any support for that in the Connect-Rubrik command.

Describe the solution you'd like

Enable some way to handle MFA when using Connect-Rubrik.

Describe alternatives you've considered

Could possibly use a token, but unable to generate one right now.

Additional context

Getting an "Authentication is possible but has failed or not yet been provided" message after an Invoke-WebRequest call.

paschott avatar Jun 17 '21 16:06 paschott

Just following up on this. Is there a workaround that can be used? Can anyone point to a working process/procedure?

teivarodiere avatar Mar 14 '22 07:03 teivarodiere

Does anyone have a workaround for this yet?

gduff-KG avatar Jun 08 '22 20:06 gduff-KG

I ended up generating a token in the Rubrik site. I just saved that to a file and then use a Get-Content for the file and pass that in for the -Token param.

I think that the "generate token" functionality was giving us fits at the time for some reason. It started working, I saved out a token then used that to connect.

paschott avatar Jun 08 '22 20:06 paschott

Perfect. That worked for me. Thank you very much for your help!

gduff-KG avatar Jun 08 '22 21:06 gduff-KG

Having the same issue but with renewing the token. I can connect with a token created via Rubrik, but after it expires, I get the error "Authentication is possible but has failed or not yet been provided" when trying to renew via basic authentication with username and password. Does anyone know or has anyone figured out how to renew the token with PowerShell with MFA enabled? Thank you everyone!

iedoptimum avatar Aug 18 '22 21:08 iedoptimum

The way around MFA for the PowerShell module is to use an API token. API tokens are more secure than using basic authentication with MFA. The approach we are moving to as a whole is to use Service Accounts. You can see how to use them here: https://rubrikinc.github.io/rubrik-api-documentation/api/auth/

When you use the Connect-Rubrik cmdlet it creates a Global Variable called $RubrikConnection. You will see it addressed as $Global:RubrikConnection. To use a Service Account with the module you can create the connection with the below code.

```powershell
# When you create the Service account in CDM, you can create a json file or some other file to store the contents.
# If you have a vault or a more secure way to store this information, that would be better than a file.
$ServiceAccountPath = "C:\Scripts\CDM-DatabaseAutomation.json"

# $cluster was not defined in the original snippet; set it to your CDM cluster address (placeholder value).
$cluster = "rubrik.example.com"

# The below is used to talk to your CDM cluster and get the API session token based on your Service Account details in the file above.
$sessionURL = "https://$cluster/api/v1/service_account/session"

#region Connect to CDM
# Read the contents of the json file in, or if you stored in a vault update the below code accordingly.
# Talk to the CDM cluster and get the session token.
# Create a $Global:RubrikConnection to use with Rubrik cmdlets
$ContentType = "application/json"
$ServiceAccount = Get-Content -Raw -Path $ServiceAccountPath | ConvertFrom-Json
$ConnectToRubrik = @{
	Method = 'Post'
	URI = "$($sessionURL)"
	ContentType = $ContentType
	Body = @{
		serviceAccountId = "$($ServiceAccount.client_id)"
		secret = "$($ServiceAccount.client_secret)"
	} | ConvertTo-Json
}
$rubrikSession = Invoke-RestMethod @ConnectToRubrik
$rubrikSession

$Global:RubrikConnection = @{
  api = 1
  server = $cluster
  token = $rubrikSession.token
  header = @{
    'Authorization' = "Bearer $($rubrikSession.token)"
  }
}
#endregion
```

clumnah avatar Aug 19 '22 13:08 clumnah
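A variant of the service-account connection above that keeps the secret out of a plaintext JSON file and requests a fresh session on every run, so an expired token never stalls the automation. This is an added example, not code from the thread or from Rubrik: the function name `Connect-RubrikServiceAccount`, the `C:\Scripts\rubrik-sa.xml` path and the `rubrik.example.com` address are assumptions, while the endpoint and body fields are the ones shown in the comment above.

```powershell
# Added example. Connect-RubrikServiceAccount is a hypothetical helper name.
function Connect-RubrikServiceAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Server,
        # UserName = service account ID, Password = service account secret
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $request = @{
        Method      = 'Post'
        Uri         = "https://$Server/api/v1/service_account/session"
        ContentType = 'application/json'
        Body        = @{
            serviceAccountId = $Credential.UserName
            secret           = $Credential.GetNetworkCredential().Password
        } | ConvertTo-Json
        ErrorAction = 'Stop'   # fail the job loudly if authentication fails
    }
    $session = Invoke-RestMethod @request
    if (-not $session.token) { throw "No token returned by $Server" }

    # Same shape as the connection object in the comment above. The token is
    # stored but never written to the pipeline, console or a transcript.
    $Global:RubrikConnection = @{
        api    = 1
        server = $Server
        token  = $session.token
        header = @{ 'Authorization' = "Bearer $($session.token)" }
    }
}

# One-time setup, run interactively as the account that will run the job:
#   Get-Credential | Export-Clixml -Path 'C:\Scripts\rubrik-sa.xml'
# On Windows, Export-Clixml encrypts the password with DPAPI, so the file can
# only be decrypted by that user on that machine.
$credential = Import-Clixml -Path 'C:\Scripts\rubrik-sa.xml'   # assumed path
$server     = 'rubrik.example.com'                             # placeholder address

# Authenticate at the start of every run instead of reusing a saved token.
Connect-RubrikServiceAccount -Server $server -Credential $credential
```

After the call, module cmdlets pick up `$Global:RubrikConnection` as described in the comment above.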

That worked! Awesome. Thank you!

iedoptimum avatar Aug 23 '22 16:08 iedoptimum

In case of MFA: If you manually generate a token from the GUI, you can use that token as long as it doesn't expire. However, after some time (security!) the token expires. Via the GUI you can generate new tokens even before the previous token expires, but you cannot use API with a (nearly expiring) token to generate a new token. So you can use automation through the API until your token expires, after that your automation is lost until you do things manually.

supersjimmie avatar Dec 19 '22 06:12 supersjimmie