Add Cloud Account

Onboard a new cloud account onto the Prisma Cloud platform.

The request body parameters differ depending on the cloud type of the account you want to add.

Request Body to Add an AWS Account

The table below lists the request body parameters to add an AWS account.

Parameter | Type | Description | Default Value or Required
accountId | string | AWS account ID | Required
enabled | boolean | Whether or not the account is enabled | Default is false
externalId | string | AWS account external ID | Required
groupIds | array of strings | List of account group IDs for this account | Required
name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
roleArn | string | Unique identifier for an AWS resource (ARN) | Required
protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR

Request Body Example

{
  "accountId": "",
  "enabled": true,
  "externalId": "",
  "groupIds": [],
  "name": "",
  "roleArn": "",
  "protectionMode": "MONITOR"
}

Request Body to Add an AWS Org Account

The table below lists the request body parameters to add an AWS org account.

Parameter | Type | Description | Default Value or Required
accountId | string | AWS account ID | Required
enabled | boolean | Whether or not the account is enabled | Default is false
externalId | string | AWS account external ID | Required
groupIds | array | List of account group IDs for the account | Required
name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
roleArn | string | Unique identifier for an AWS resource (ARN) | Required
accountType | string | organization | Required
memberRoleName | string | AWS member account role name | Required
memberExternalId | string | AWS member account role's external ID | Required
memberRoleStatus | boolean | true: the member role created using the stack set exists in all the member accounts; all the org accounts will be added. false: only the master account will be added. | Default is false
protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR
hierarchySelection | array of objects | List of AWS Organization Units (OUs), AWS accounts, and AWS Organizations to onboard under this organization | Default is none
hierarchySelection.resourceId | string | Resource ID. Valid values are an AWS OU ID, an AWS account ID, or an AWS Organization ID. Note that you must escape any double quotes in the resource ID with a backslash. | Required if hierarchySelection is specified
hierarchySelection.displayName | string | Display name for the AWS OU, AWS account, or AWS organization | Required if hierarchySelection is specified
hierarchySelection.nodeType | string | Valid values: OU, ACCOUNT, ORG | Required if hierarchySelection is specified
hierarchySelection.selectionType | string | Valid values: INCLUDE to include the specified resource to onboard, EXCLUDE to exclude the specified resource and onboard the rest, ALL to onboard all resources in the organization | Required if hierarchySelection is specified

Request Body Example

{
  "accountId": "",
  "enabled": true,
  "externalId": "",
  "groupIds": [],
  "name": "",
  "roleArn": "",
  "accountType": "organization",
  "memberRoleName": "",
  "memberExternalId": "",
  "memberRoleStatus": true,
  "protectionMode": "MONITOR",
  "hierarchySelection": [
    {
      "resourceId": "",
      "displayName": "",
      "nodeType": "OU",
      "selectionType": "EXCLUDE"
    }
  ]
}

Request Body to Add an Azure Subscription

The table below lists the request body parameters to add an Azure subscription.

Parameter | Type | Description | Default Value or Required
cloudAccount.accountId | string | Azure account ID | Required
cloudAccount.enabled | boolean | Whether or not to enable the account | Default is false
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
cloudAccount.accountType | string | Valid value: account | Default is account
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required
clientId | string | Application ID registered with Active Directory | Required
tenantId | string | Active Directory ID associated with Azure | Required
servicePrincipalId | string | Unique ID of the service principal object associated with the Prisma Cloud application | Required
monitorFlowLogs | boolean | Automatically ingest flow logs | Required
key | string | Application ID key | Required
environmentType | string | Valid values: azure (Commercial), azure_gov (Government), azure_china (China) | Required

Request Body Example

{
  "cloudAccount": {
    "accountId": "",
    "enabled": true,
    "groupIds": [],
    "name": "",
    "accountType": "account",
    "protectionMode": "MONITOR"
  },
  "clientId": "",
  "key": "",
  "monitorFlowLogs": true,
  "tenantId": "",
  "servicePrincipalId": "",
  "environmentType": "azure"
}

Request Body to Add an Azure Tenant

The table below lists the request body parameters to add an Azure tenant without management groups.

Parameter | Type | Description | Default Value or Required
cloudAccount.accountId | string | Must be "" (empty) | Must be empty
cloudAccount.enabled | boolean | Whether or not to enable the account | Default is false
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
cloudAccount.accountType | string | Valid value: tenant | Required
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR_AND_PROTECT
clientId | string | Application ID registered with Active Directory | Required
tenantId | string | Active Directory ID associated with Azure | Required
servicePrincipalId | string | Unique ID of the service principal object associated with the Prisma Cloud application | Required
monitorFlowLogs | boolean | Automatically ingest flow logs | Required
key | string | Application ID key | Required
environmentType | string | Valid values: azure (Commercial), azure_gov (Government), azure_china (China) | Required

Request Body Example

{
  "cloudAccount": {
    "accountId": "",
    "enabled": true,
    "groupIds": [],
    "name": "",
    "accountType": "tenant",
    "protectionMode": "MONITOR"
  },
  "clientId": "",
  "key": "",
  "monitorFlowLogs": true,
  "tenantId": "",
  "servicePrincipalId": "",
  "environmentType": "azure"
}

Request Body to Add an Azure Tenant with Management Groups

The table below lists the request body parameters to add an Azure tenant plus management groups and subscriptions associated with that tenant.

Parameter | Type | Description | Default Value or Required
cloudAccount.accountId | string | Must be set to "" (empty) | Must be empty
cloudAccount.enabled | boolean | Whether or not to enable the account | Default is false
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
cloudAccount.accountType | string | Valid value: tenant | Required
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR_AND_PROTECT
clientId | string | Application ID registered with Active Directory | Required
tenantId | string | Active Directory ID associated with Azure | Required
servicePrincipalId | string | Unique ID of the service principal object associated with the Prisma Cloud application | Required
monitorFlowLogs | boolean | Automatically ingest flow logs | Required
key | string | Application ID key | Required
environmentType | string | Valid values: azure (Commercial), azure_gov (Government), azure_china (China) | Required
defaultAccountGroupId | string | Account group ID for this tenant. Used for alert rules. | Required
rootSyncEnabled | boolean | true = the Azure tenant has children. Must be set to true. | Required
hierarchySelection | array of objects | List of subscriptions and/or management groups to onboard | Default is none
hierarchySelection.resourceId | string | Management group ID or subscription ID. Note that you must escape any double quotes in the resource ID with a backslash. | Required if hierarchySelection is specified
hierarchySelection.displayName | string | Display name for the management group or subscription | Required if hierarchySelection is specified
hierarchySelection.nodeType | string | Valid values: SUBSCRIPTION, TENANT, MANAGEMENT_GROUP | Required if hierarchySelection is specified
hierarchySelection.selectionType | string | Valid values: INCLUDE to include the specified resource to onboard, EXCLUDE to exclude the specified resource and onboard the rest, ALL to onboard all resources in the tenant | Required if hierarchySelection is specified

Request Body Example

{
  "cloudAccount": {
    "accountId": "",
    "enabled": true,
    "name": "",
    "accountType": "tenant",
    "protectionMode": "MONITOR_AND_PROTECT"
  },
  "clientId": "",
  "key": "",
  "monitorFlowLogs": true,
  "tenantId": "",
  "servicePrincipalId": "",
  "environmentType": "azure",
  "defaultAccountGroupId": "",
  "rootSyncEnabled": true,
  "hierarchySelection": [
    {
      "displayName": "Tenant Root Group",
      "nodeType": "TENANT",
      "resourceId": "",
      "selectionType": "INCLUDE"
    }
  ]
}

Request Body to Add a GCP Project

The table below lists the request body parameters.

Parameter | Type | Description | Default Value or Required
cloudAccount.accountId | string | GCP project ID | Required
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
cloudAccount.enabled | boolean | Whether or not the account is enabled | Default is false
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required
cloudAccount.projectId | string | Existing GCP project ID | Required
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required
cloudAccount.accountType | string | Valid value: account | Required
credentials | JSON object | Service account key | Required
compressionEnabled | boolean | Enable flow log compression | Default is false
dataflowEnabledProject | string | GCP project for flow log compression | Required if compressionEnabled is true
flowLogStorageBucket | string | GCP flow logs storage bucket | Default is ""

Request Body Example

{
  "cloudAccount": {
    "accountId": "",
    "accountType": "account",
    "enabled": true,
    "groupIds": [],
    "name": "",
    "projectId": "",
    "protectionMode": "MONITOR"
  },
  "compressionEnabled": true,
  "dataflowEnabledProject": "",
  "flowLogStorageBucket": "",
  "credentials": {
    "type": "",
    "project_id": "",
    "private_key_id": "",
    "private_key": "",
    "client_email": "",
    "client_id": "",
    "auth_uri": "",
    "token_uri": "",
    "auth_provider_x509_cert_url": "",
    "client_x509_cert_url": ""
  }
}

Request Body to Add a GCP Org

The table below lists the request body parameters.

Parameter | Type | Description | Default Value or Required
cloudAccount.accountId | string | GCP Org ID | Required
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
cloudAccount.enabled | boolean | Whether or not the account is enabled | Default is false
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required
cloudAccount.accountType | string | Valid value: organization | Required
credentials | JSON object | Service account key | Required
compressionEnabled | boolean | Enable flow log compression | Default is false
dataflowEnabledProject | string | GCP project for flow log compression | Required if compressionEnabled is true
flowLogStorageBucket | string | GCP flow logs storage bucket | Default is ""
organizationName | string | GCP organization name | Required
accountGroupCreationMode | string | Cloud account group creation mode. Valid values: MANUAL (create account groups manually), AUTO (create high-level account groups based on the folders identified), RECURSIVE (drill down the folder tree to create account groups) | Default is MANUAL
defaultAccountGroupId | string | Account group ID for this account. Used for alert rules. | Required if accountGroupCreationMode is MANUAL
hierarchySelection | array of objects | List of folders and/or projects to onboard under this organization | Default is none
hierarchySelection.resourceId | string | Resource ID. For folders, the format is folders/{folder ID}. For projects, the format is {project number}. For orgs, the format is organizations/{org ID}. | Required if hierarchySelection is specified
hierarchySelection.displayName | string | Display name for the folder, project, or organization | Required if hierarchySelection is specified
hierarchySelection.nodeType | string | Valid values: FOLDER, PROJECT, ORG | Required if hierarchySelection is specified
hierarchySelection.selectionType | string | Valid values: INCLUDE, EXCLUDE, INCLUDE ALL. If hierarchySelection.nodeType is PROJECT or FOLDER, the valid values are INCLUDE and EXCLUDE. | Required if hierarchySelection is specified

Request Body Example

{
  "cloudAccount": {
    "accountId": "",
    "accountType": "organization",
    "protectionMode": "MONITOR",
    "enabled": true,
    "name": ""
  },
  "accountGroupCreationMode": "MANUAL",
  "compressionEnabled": true,
  "dataflowEnabledProject": "",
  "flowLogStorageBucket": "",
  "organizationName": "",
  "defaultAccountGroupId": "",
  "credentials": {
    "type": "",
    "project_id": "",
    "private_key_id": "",
    "private_key": "",
    "client_email": "",
    "client_id": "",
    "auth_uri": "",
    "token_uri": "",
    "auth_provider_x509_cert_url": "",
    "client_x509_cert_url": ""
  },
  "hierarchySelection": [
    {
      "resourceId": "",
      "displayName": "",
      "nodeType": "FOLDER",
      "selectionType": "EXCLUDE"
    }
  ]
}

Request Body to Add a GCP Master Service Account

The table below lists the request body parameters.

Parameter | Type | Description | Default Value or Required
cloudAccount.accountId | string | GCP project ID | Required
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
cloudAccount.enabled | boolean | Whether or not the account is enabled | Default is false
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required
cloudAccount.projectId | string | Existing GCP project ID | Required
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required
cloudAccount.accountType | string | Valid value: masterServiceAccount | Required
defaultAccountGroupId | string | Account group ID for this account. Used for alert rules. | Required
credentials | JSON object | Service account key | Required
compressionEnabled | boolean | Enable flow log compression | Default is false
dataflowEnabledProject | string | GCP project for flow log compression | Required if compressionEnabled is true
flowLogStorageBucket | string | GCP flow logs storage bucket | Default is ""

Request Body Example

{
  "cloudAccount": {
    "accountId": "",
    "accountType": "masterServiceAccount",
    "enabled": true,
    "groupIds": [],
    "name": "",
    "projectId": "",
    "protectionMode": "MONITOR"
  },
  "compressionEnabled": true,
  "dataflowEnabledProject": "",
  "flowLogStorageBucket": "",
  "organizationName": "",
  "credentials": {
    "type": "",
    "project_id": "",
    "private_key_id": "",
    "private_key": "",
    "client_email": "",
    "client_id": "",
    "auth_uri": "",
    "token_uri": "",
    "auth_provider_x509_cert_url": "",
    "client_x509_cert_url": ""
  }
}

Request Body to Add an Alibaba Account

The table below lists the request body parameters to add an Alibaba account.

Parameter | Type | Description | Default Value or Required
accountId | string | AWS account ID | Required
groupIds | array of strings | List of account group IDs for this account | Required
name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required
roleArn | string | Unique identifier for an Alibaba RAM role resource | Required
enabled | boolean | Whether or not the account is enabled | Default is false
deploymentType | string | Deployment type. Valid values: ali-int (Alibaba International), ali-cn (Alibaba China; allows you to monitor all the resources in the Alibaba China region, but does not monitor resources in the Alibaba Finance region), ali-fn (Alibaba Finance; applicable only for the Alibaba China region, allows you to monitor resources located only in the Alibaba Finance regions) | Optional

Request Body Example

{
  "accountId": "",
  "groupIds": [],
  "name": "",
  "enabled": true,
  "ramArn": ""
}

Requirements and Request Body to Add an OCI Account

To add an Oracle Cloud Infrastructure (OCI) account, you must:

  1. Use Generate Zipped Terraform Script (OCI) in the console (required)

Request Body Example

{
  "accountType": "tenant",
  "defaultAccountGroupId": "",
  "enabled": true,
  "name": "",
  "groupName": "",
  "homeRegion": "",
  "policyName": "",
  "accountId": "",
  "userName": "",
  "userOcid": ""
}

Path Parameters
  • cloud_type string required

    Cloud type. Possible values: [aws, azure, gcp, alibaba_cloud, oci]

Query Parameters
  • skipStatusChecks boolean

    true = Skip account status checks to improve response time
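As an added example, not Prisma Cloud's own client code, the Python below composes the request URL from the cloud_type path parameter and the skipStatusChecks query parameter, checks a request body against the required parameters listed in the tables above (AWS account, AWS org account and Azure subscription), and serialises an AWS org body so that double quotes in a resourceId are backslash-escaped as the table requires. The base URL and the /cloud/{cloud_type} endpoint path are assumptions; all sample values are constructed.

```python
import json
from urllib.parse import urlencode

# Added example, not Prisma Cloud's own client. The /cloud/{cloud_type} path and
# base URL are assumptions; names and required flags come from the tables above.
CLOUD_TYPES = ("aws", "azure", "gcp", "alibaba_cloud", "oci")
PROTECTION_MODES = ("MONITOR", "MONITOR_AND_PROTECT")
REQUIRED = {  # required top-level parameters per account kind
    "aws": ("accountId", "externalId", "groupIds", "name", "roleArn"),
    "aws_org": ("accountId", "externalId", "groupIds", "name", "roleArn",
                "accountType", "memberRoleName", "memberExternalId"),
    "azure": ("cloudAccount", "clientId", "tenantId", "servicePrincipalId",
              "monitorFlowLogs", "key", "environmentType"),
}
HIERARCHY_KEYS = ("resourceId", "displayName", "nodeType", "selectionType")

def add_account_url(base_url, cloud_type, skip_status_checks=False):
    """POST target: cloud_type is the path parameter, skipStatusChecks the query."""
    if cloud_type not in CLOUD_TYPES:
        raise ValueError(f"cloud_type must be one of {CLOUD_TYPES}")
    url = f"{base_url}/cloud/{cloud_type}"  # assumed endpoint path
    if skip_status_checks:
        url += "?" + urlencode({"skipStatusChecks": "true"})
    return url

def validate_body(kind, body):
    """Return a list of problems; an empty list means the body is complete."""
    problems = [f"missing {k}" for k in REQUIRED[kind] if k not in body]
    mode = body.get("protectionMode") or body.get("cloudAccount", {}).get("protectionMode")
    if mode is not None and mode not in PROTECTION_MODES:
        problems.append(f"invalid protectionMode {mode!r}")
    for node in body.get("hierarchySelection", []):
        problems += [f"hierarchySelection missing {k}" for k in HIERARCHY_KEYS if k not in node]
    return problems

def aws_org_body(account_id, external_id, group_ids, name, role_arn,
                 member_role_name, member_external_id, hierarchy=()):
    """Serialised AWS org body; hierarchy holds (resourceId, displayName, nodeType, selectionType) tuples."""
    body = {"accountId": account_id, "enabled": True, "externalId": external_id,
            "groupIds": list(group_ids), "name": name, "roleArn": role_arn,
            "accountType": "organization", "memberRoleName": member_role_name,
            "memberExternalId": member_external_id, "memberRoleStatus": True,
            "protectionMode": "MONITOR",
            "hierarchySelection": [dict(zip(HIERARCHY_KEYS, h)) for h in hierarchy]}
    problems = validate_body("aws_org", body)
    if problems:
        raise ValueError("; ".join(problems))
    # json.dumps escapes a double quote inside resourceId with a backslash, as the table requires.
    return json.dumps(body)
```

Note that an AWS org account is posted with cloud_type aws; there is no separate org value in the path parameter list.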

Request Body required

Cloud Account object; its properties depend on the cloud_type, as listed in the sections above.

Responses

successful operation
