rubrikinc / rubrik-sdk-for-powershell

Rubrik Module for PowerShell
MIT License

Connect-Rubrik - Service User Secret #812 only works for admin role? #819

Open StefanBPS opened 1 year ago

StefanBPS commented 1 year ago

I can connect to a Rubrik server using the accountid and secret but not when the account has a limited set of privileges in the attached role.

In the past I used to use API tokens for livemounting and restoring VMs using the Rubrik PowerShell SDK with a role set up to allow only that. This role works when I use the API token to connect to the Rubrik server, but when I use the same role attached to a service account and use that ID + secret to log in I get this error message:

PS C:.\script.ps1
VERBOSE: POST with 174-byte payload
VERBOSE: received 549-byte response of content type application/json
VERBOSE: Content encoding: utf-8

Name      Value

id
authType  ServiceAccount
version   8.0.1-p1-22135
header    {User-Agent, Authorization}
api       1
time      11/8/2022 2:35:12 PM
userId
server

PSVersion : 7.2.7
PSEdition : Core
GitCommitId : 7.2.7
OS : Microsoft Windows 10.0.17763
Platform : Win32NT
PSCompatibleVersions : {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion : 2.3
SerializationVersion :
WSManStackVersion : 3.0
HostConsoleName : Visual Studio Code Host
HostConsoleVersion : 2022.10.0
HostCulture : en-US
HostCultureUI : en-US
RubrikConnection : True
UserAgentString : RubrikPowerShellSDK-6.0.1--7.2.7--platform--Win32NT--platform_version--Microsoft Windows 10.0.17763
RubrikAuthentication : Bearer
RubrikClusterVersion : 8.0.1-p1-22135
RubrikCurrentModuleVersion : 6.0.1
RubrikInstalledModule : 6.0.1
RubrikModuleOptions : ApplyCustomViewDefinitions = True; CredentialPath = ; DefaultWebRequestTimeOut = 100
RubrikModuleDefaultParameters :

WARNING: User unavailable: userId = 903b71c9-ab61-40f0-b297-3de75101aba7
OperationStopped: C:\Program Files\WindowsPowerShell\Modules\Rubrik\6.0.1\Private\Submit-Request.ps1:133:25
Line |
 133 | throw $_.Exception
     | ~~~~~~
     | Response status code does not indicate success: 404 (Not Found).

PS C:>

I only give the service account user the admin role, rerun the script and this happens:

VERBOSE: POST with 174-byte payload
VERBOSE: received 549-byte response of content type application/json
VERBOSE: Content encoding: utf-8

Name      Value

id
authType  ServiceAccount
version   8.0.1-p1-22135
header    {User-Agent, Authorization}
api       1
time      11/8/2022 2:42:00 PM
userId
server

PSVersion : 7.2.7
PSEdition : Core
GitCommitId : 7.2.7
OS : Microsoft Windows 10.0.17763
Platform : Win32NT
PSCompatibleVersions : {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion : 2.3
SerializationVersion :
WSManStackVersion : 3.0
HostConsoleName : Visual Studio Code Host
HostConsoleVersion : 2022.10.0
HostCulture : en-US
HostCultureUI : en-US
RubrikConnection : True
UserAgentString : RubrikPowerShellSDK-6.0.1--7.2.7--platform--Win32NT--platform_version--Microsoft Windows 10.0.17763
RubrikAuthentication : Bearer
RubrikClusterVersion : 8.0.1-p1-22135
RubrikCurrentModuleVersion : 6.0.1
RubrikInstalledModule : 6.0.1
RubrikModuleOptions : ApplyCustomViewDefinitions = True; CredentialPath = ; DefaultWebRequestTimeOut = 100
RubrikModuleDefaultParameters :

Status : Success
HTTPStatusCode : 204
HTTPStatusDescription : NoContent

Problem disappeared.

Does anybody know if you need some specific privilege attached to the role that the API tokens did not need to make this work?

Originally posted by @StefanBPS in

Bryan-Meier commented 1 year ago

Hi @StefanBPS,

I am not an admin of our Rubrik Cluster, but I do know that our admin said the setup for AccountIds and Secrets is definitely different than previous versions of Rubrik. As far as I know, the old API token implementation was insecure because once you had the token you could execute any API call because the privileges around that token were not able to be tightened down. The new implementation with AccountID and Secret requires the role to be set up specifically for the account, which will grant access to only the APIs required rather than everything. Hence being more secure. I am sure there is documentation around this but I didn't have time to search for it. Hopefully this helps in some fashion. Rubrik support can help with this as well.

StefanBPS commented 1 year ago

The old API tokens worked fine and would adhere to RBAC roles within Rubrik, I think, @Bryan-Meier. The new method works fine on Linux with restricted RBAC roles (non-Rubrik administrator), but the new method does not work on Windows with PowerShell.

Two issues:

1) Once you restrict the user that you use (as in, it is not attached to the Rubrik administrator role but a more restricted role that works fine with the API tokens), PowerShell gives the error as seen above.

2) The 6.0.1 Rubrik PowerShell module has a bug that makes this new service account business not work with PowerShell 5.1; this causes all kinds of challenges.