Download Agentless Permission Templates

x-prisma-cloud-target-env: {"permission":"manageCreds","saas":true,"self-hosted":true}
x-public: true

Downloads a tarball file that contains the agentless resource permission templates for the cloud accounts. Apply these permission templates to complete the onboarding process for agentless scanning.

• AWS: The tarball contains templates in JSON format ending with the following names:
  • _aws_hub_target_user_permissions.json
  • _aws_hub_user_permissions.json
  • _aws_target_user_permissions.json

For more information on how to apply the permission templates, refer to the "Configure agentless scanning" section in the Prisma Cloud Compute administration guide.

• Azure: Use the following script, that comes bundled in the tarball file, to apply permission template to an Azure cloud account:

  • apply_azure_permissions.sh: Run the script with a location (that specifies location of the resource) parameter. For more information on location parameters, see resource location in ARM template.

• OCI: Use the following script, that comes bundled in the tarball file, to apply permission template to an OCI cloud account:

  • pcc-apply-permissions.sh: Run the script with a compartment name parameter.

• GCP: The tarball contains Jinja templates in YAML format ending with the following names:

  • _hub_target_access_permissions.yaml.jinja
  • _hub_target_user_permissions.yaml.jinja
  • _hub_user_permissions.yaml.jinja
  • _target_user_permissions.yaml.jinja

For more information on how to apply the permission templates, refer to the "Configure agentless scanning" section in the Prisma Cloud Compute administration guide.

Note: The body parameter credentialID is required to download templates in tar.gz format.

Before you begin

Add the supported cloud accounts (AWS, Azure, GCP, and OCI) in Prisma Cloud Compute.

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X POST \
  -O <agentlesstemplate.tar.gz> \
  -d {"credentialID":"aws_docs"} \
  “https://<CONSOLE>/api/v<VERSION>/agentless/templates”

application/json

Request Body

• awsRegionType shared.RegionType

  Possible values: [regular,gov,china,all]

  RegionType specifies the region type that runs the Amazon services

• credential object

  Credential specifies the authentication data of an external provider

  _id string

  Specifies the unique ID for credential.

  accountGUID string

  Specifies the unique ID for an IBM Cloud account.

  accountID string

  Specifies the account identifier. Example: a username, access key, account GUID, and so on.

  accountName string

  Specifies the name of the cloud account.

  apiToken object

  Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

  encrypted string

  Specifies an encrypted value of the secret.

  plain string

  Specifies the plain text value of the secret.

  azureSPInfo object

  AzureSPInfo contains the Azure credentials needed for certificate based authentications

  clientId string

  ClientID is the client identifier.

  subscriptionId string

  SubscriptionID is a GUID that uniquely identifies the subscription to use Azure services.

  tenantId string

  TenantID is the ID of the AAD directory in which the application was created.

  caCert string

  Specifies the CA certificate for a certificate-based authentication.

  cloudProviderAccountID string

  Specifies the cloud provider account ID.

  created date-time

  Specifies the time when the credential was created (or, when the account ID was changed for AWS).

  description string

  Specifies the description for a credential.

  external boolean

  Indicates whether the credential is external. Available values are: true: external false: Not external.

  global boolean

  Indicates whether the credential scope is global. Available values are: true: Global false: Not Global Note: For GCP, the credential scope is the organization.

  lastModified date-time

  Specifies the time when the credential was last modified.

  ociCred object

  OCICred are additional parameters required for OCI credentials

  fingerprint string

  Fingerprint is the public key signature.

  tenancyId string

  TenancyID is the OCID of the tenancy.

  owner string

  Specifies the user who created or modified the credential.

  prismaLastModified int64

  Specifies the time when the account was last modified by Prisma Cloud Compute.

  roleArn string

  Specifies the Amazon Resource Name (ARN) of the role to be assumed.

  secret object

  Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

  encrypted string

  Specifies an encrypted value of the secret.

  plain string

  Specifies the plain text value of the secret.

  skipVerify boolean

  Indicates whether to skip the certificate verification in TLS communication.

  stsEndpoints string[]

  Specifies a list of specific endpoints for use in STS sessions in various regions.

  tokens object

  TemporaryToken is a temporary session token for cloud provider APIs AWS - https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html GCP - https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials Azure - https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on

  awsAccessKeyId string

  Specifies a temporary access key.

  awsSecretAccessKey object

  Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

  encrypted string

  Specifies an encrypted value of the secret.

  plain string

  Specifies the plain text value of the secret.

  duration int64

  Specifies a duration for the token.

  expirationTime date-time

  Specifies an expiration time for the token.

  token object

  Secret Stores the plain and encrypted version of a value. The plain version is not stored in a database

  encrypted string

  Specifies an encrypted value of the secret.

  plain string

  Specifies the plain text value of the secret.

  type cred.Type

  Possible values: [aws,azure,gcp,ibmCloud,oci,apiToken,githubToken,githubEnterpriseToken,basic,dtr,kubeconfig,certificate]

  Type specifies the credential type

  url string

  Specifies the base server URL.

  useAWSRole boolean

  Indicates whether to authenticate using the IAM Role attached to the instance. Available values are: true: Authenticate with the attached credentials false: Don’t authenticate with the attached credentials.

  useSTSRegionalEndpoint boolean

  Indicates whether to use the regional STS endpoint for an STS session. Available values are: true: Use the regional STS false: Don’t use the regional STS.

• credentialID string

  (Required) Specifies the ID for which the templates are generated.

Responses

• 200
• default

---

OK

Loading...