Press "Enter" to skip to content

Updating Rubrik scripts to support CDM 8.0.2 service account auth

Joshua Stenhouse 4

It’s been a while, but I’m back after a couple years of semi-retirement from writing PowerShell.

The 1st item on my list to address is those of you who have been using my Rubrik scripting all this time, and it finally broke with the upgrade to CDM 8.0.2. The reason your script broke is due to security improvements and this is a good thing. No point automating anything if you have nothing to automate! The change is CDM now requires you to use the new service account client ID and secret authentication mechanism, far more secure than user accounts without MFA or a token that periodically needs refreshing.

So, how do we fix your script to use the new authentication mechanism? Really simple actually, we switch back to username and password but we are actually storing your serviceAccountId and secret. Rather than go back and update each script on my blog I think it’s easier to take you through the required edits 1 by 1, so you know how to do it too.

Follow the instructions below to update your script:

  1. Delete your existing credentials file. Open your script and find your credentials prompt:
$RubrikCredentials = Get-Credential -Message "Enter Rubrik login credentials"

And change it to this (as PowerShell doesn’t support the colons, we will hard code it):

$RubrikCredentials = Get-Credential -Message "Enter client ID in user (without User:::) and client secret in password"

2. Find the session URL:

$RubrikSessionURL = $v1BaseURL + "session"

And change it the new URL for creating a session token:

$RubrikSessionURL = $v1BaseURL + "service_account/session"

3. Find the session header:

$Header = @{"Authorization" = "Basic "+[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($RubrikUser+":"+$RubrikPassword))}

And change it to this, as we now auth using body vs header:

$RubrikAuthHeader = @{'Content-Type' = 'application/json';'Accept' = 'application/json';}

4. Add the below to create a new auth body containing our new user and secret, put this before the Invoke-RestMethod:

$RubrikAuthBody =
""secret"": ""$RubrikPassword"",
""serviceAccountId"": ""User:::$RubrikUser""

5. Find the session authentication API call:

$RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Headers $Header -Method POST -ContentType $Type

Change it use the new auth body and header:

$RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Body $RubrikAuthBody -Headers $RubrikAuthHeader -Method POST -ContentType $Type

6. Run your script, you will be prompted to enter your new service account credentials (if you don’t have this, go create a new service account on the cluster). Enter your serviceAccountId in user, don’t forget you should NOT include User::: as it isn’t accepted by PowerShell, and your secret in the password field.

And that’s it! You should now be able to authenticate again, and the rest of your script will function as before. Hope you found this useful and happy scripting,

  1. Blake Blake

    Thanks for the updated! I haven’t tested it yet, but curious if this new mechanism allows scheduled scripts or only on-demand given the prompt for userid and secrete. if it can be scheduled and doesn’t require manual credential input, is there any risk to someone editing the impact of the script to do something unintended by the original writer.

  2. Vernon Riley Vernon Riley

    Followed the directions to the letter and this doesn’t seem to work. Should the auth part of your script look like this?

    # Authenticating with API
    $RubrikAuthBody =
    “”secret””: “”$RubrikPassword””,
    “”serviceAccountId””: “”User:::$RubrikUser””
    $RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Body $RubrikAuthBody -Headers $RubrikAuthHeader -Method POST -ContentType $Type

    • Vernon Riley Vernon Riley

      I am trying to update the export vm code btw.

      • Vernon Riley Vernon Riley

        nevermind. I got it working

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: