Add Cloud Account
Onboard a new cloud account onto the Prisma Cloud platform.
The request body parameters differ depending on the cloud type of the account you want to add.
Request Body to Add an AWS Account
The table below lists the request body parameters to add an AWS account.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
accountId | string | AWS account ID | Required |
enabled | boolean | Whether or not the account is enabled | Default is false |
externalId | string | AWS account external ID | Required |
groupIds | array of strings | List of account group IDs for this account | Required |
name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
roleArn | string | Unique identifier for an AWS resource (ARN) | Required |
protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR |
Request Body Example
{
"accountId": "",
"enabled": true,
"externalId": "",
"groupIds": [],
"name": "",
"roleArn": "",
"protectionMode": "MONITOR"
}
Request Body to Add an AWS Org Account
The table below lists the request body parameters to add an AWS org account.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
accountId | string | AWS account ID | Required |
enabled | boolean | Whether or not the account is enabled | Default is false |
externalId | string | AWS account external ID | Required |
groupIds | array of strings | List of account group IDs for this account | Required |
name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
roleArn | string | Unique identifier for an AWS resource (ARN) | Required |
accountType | string | organization | Required |
memberRoleName | string | AWS Member account role name | Required |
memberExternalId | string | AWS Member account role's external ID | Required |
memberRoleStatus | boolean | true: the member role created by the stack set exists in all member accounts, so every account in the organization is added. false: only the master account is added. | Default is false |
protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR |
hierarchySelection | array of objects | List of AWS Organization Units (OU), AWS accounts, and AWS Organizations to onboard under this organization | Default is none |
hierarchySelection.resourceId | string | Resource ID. Valid values are AWS OU ID, AWS account ID, or AWS Organization ID. Note you must escape any double quotes in the resource ID with a backslash. | Required if hierarchySelection is specified |
hierarchySelection.displayName | string | Display name for AWS OU, AWS account, or AWS organization | Required if hierarchySelection is specified |
hierarchySelection.nodeType | string | Valid values: OU, ACCOUNT, ORG | Required if hierarchySelection is specified |
hierarchySelection.selectionType | string | Valid values: INCLUDE to include the specified resource to onboard, EXCLUDE to exclude the specified resource and onboard the rest, ALL to onboard all resources in the organization. | Required if hierarchySelection is specified |
Request Body Example
{
"accountId": "",
"enabled": true,
"externalId": "",
"groupIds": [],
"name": "",
"roleArn": "",
"accountType": "organization",
"memberRoleName": "",
"memberExternalId": "",
"memberRoleStatus": true,
"protectionMode": "MONITOR",
"hierarchySelection":
[{
"resourceId": "",
"displayName": "",
"nodeType": "OU",
"selectionType": "EXCLUDE"
}]
}
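The two AWS tables above map onto one builder. The following Python is an added example, not code from this page or from Palo Alto Networks: it assembles and validates the single-account and organization bodies and submits one. It assumes the endpoint is POST {base_url}/cloud/{cloud_type} with the session token in an x-redlock-auth header (neither is stated on this page), and every account ID, ARN, external ID and group ID it uses is a constructed placeholder. The two checks worth keeping in any onboarding script are that roleArn actually lives in the account named by accountId (otherwise the trust you are creating points somewhere you did not intend) and that externalId is never blank, because the external ID condition in the role's trust policy is what keeps a third party from assuming the role.

```python
"""Build, validate and submit Prisma Cloud 'Add Cloud Account' bodies for AWS."""
import json
import re
import urllib.error
import urllib.request

VALID_PROTECTION_MODES = {"MONITOR", "MONITOR_AND_PROTECT"}
AWS_NODE_TYPES = {"OU", "ACCOUNT", "ORG"}
SELECTION_TYPES = {"INCLUDE", "EXCLUDE", "ALL"}
# IAM role ARN in the commercial, China or GovCloud partitions; group 2 is the account ID.
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role/.+$")


def arn_account(role_arn):
    """Return the 12-digit account ID embedded in an IAM role ARN, or None if malformed."""
    m = ARN_RE.match(role_arn)
    return m.group(2) if m else None


def aws_account_body(account_id, name, role_arn, external_id, group_ids,
                     enabled=True, protection_mode="MONITOR"):
    """Body for cloud_type=aws (single account), checked against the table above."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("accountId must be a 12-digit AWS account ID")
    # The role must belong to the account being onboarded; a mismatch means the
    # cross-account trust would be granted to a different account than you think.
    if arn_account(role_arn) != account_id:
        raise ValueError("roleArn account does not match accountId")
    if not external_id:
        raise ValueError("externalId is required")
    if not group_ids:
        raise ValueError("groupIds must contain at least one account group")
    if protection_mode not in VALID_PROTECTION_MODES:
        raise ValueError("protectionMode must be MONITOR or MONITOR_AND_PROTECT")
    return {
        "accountId": account_id, "enabled": enabled, "externalId": external_id,
        "groupIds": list(group_ids), "name": name, "roleArn": role_arn,
        "protectionMode": protection_mode,
    }


def aws_org_body(account_id, name, role_arn, external_id, group_ids,
                 member_role_name, member_external_id, hierarchy_selection=(),
                 member_role_status=True, **kw):
    """Body for an AWS Organization: the single-account body plus the org-only fields."""
    body = aws_account_body(account_id, name, role_arn, external_id, group_ids, **kw)
    if not member_role_name or not member_external_id:
        raise ValueError("memberRoleName and memberExternalId are required")
    for node in hierarchy_selection:
        missing = {"resourceId", "displayName", "nodeType", "selectionType"} - node.keys()
        if missing:
            raise ValueError(f"hierarchySelection entry is missing {sorted(missing)}")
        if node["nodeType"] not in AWS_NODE_TYPES or node["selectionType"] not in SELECTION_TYPES:
            raise ValueError("invalid nodeType or selectionType in hierarchySelection")
    body.update({
        "accountType": "organization", "memberRoleName": member_role_name,
        "memberExternalId": member_external_id, "memberRoleStatus": member_role_status,
        "hierarchySelection": list(hierarchy_selection),
    })
    return body


def add_cloud_account(base_url, token, cloud_type, body, skip_status_checks=False):
    """POST the body; returns (HTTP status, parsed JSON or raw response text).

    Assumed path and header (not given on this page): POST {base_url}/cloud/{cloud_type},
    token in x-redlock-auth. A 400 carries one of the reason strings listed under Responses.
    """
    url = f"{base_url}/cloud/{cloud_type}"
    if skip_status_checks:
        url += "?skipStatusChecks=true"
    # json.dumps escapes any double quotes inside resourceId, as the table requires.
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Content-Type": "application/json", "x-redlock-auth": token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read().decode()
            try:
                return resp.status, json.loads(raw) if raw else {}
            except ValueError:
                return resp.status, raw
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
```

Keep the token out of the script itself (read it from the environment or a secrets manager) and never log the full request: it contains the external IDs that gate the role trust.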
Request Body to Add an Azure Subscription
The table below lists the request body parameters to add an Azure subscription.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
cloudAccount.accountId | string | Azure account ID | Required |
cloudAccount.enabled | boolean | Whether or not to enable the account | Default is false |
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required |
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
cloudAccount.accountType | string | Valid value: account | Default is account |
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required |
clientId | string | Application ID registered with Active Directory | Required |
tenantId | string | Active Directory ID associated with Azure | Required |
servicePrincipalId | string | Unique ID of the service principal object associated with the Prisma Cloud application | Required |
monitorFlowLogs | boolean | Automatically ingest flow logs | Required |
key | string | Application ID key | Required |
environmentType | string | Valid values: azure (Commercial), azure_gov (Government), azure_china (China) | Required |
Request Body Example
{
"cloudAccount": {
"accountId": "",
"enabled": true,
"groupIds": [],
"name": "",
"accountType": "account",
"protectionMode": "MONITOR"
},
"clientId": "",
"key": "",
"monitorFlowLogs": true,
"tenantId": "",
"servicePrincipalId": "",
"environmentType": "azure"
}
Request Body to Add an Azure Tenant
The table below lists the request body parameters to add an Azure tenant without management groups.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
cloudAccount.accountId | string | Must be set to "" (empty) | Must be empty |
cloudAccount.enabled | boolean | Whether or not to enable the account | Default is false |
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required |
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
cloudAccount.accountType | string | Valid value: tenant | Required |
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR_AND_PROTECT |
clientId | string | Application ID registered with Active Directory | Required |
tenantId | string | Active Directory ID associated with Azure | Required |
servicePrincipalId | string | Unique ID of the service principal object associated with the Prisma Cloud application | Required |
monitorFlowLogs | boolean | Automatically ingest flow logs | Required |
key | string | Application ID key | Required |
environmentType | string | Valid values: azure (Commercial), azure_gov (Government), azure_china (China) | Required |
Request Body Example
{
"cloudAccount": {
"accountId": "",
"enabled": true,
"groupIds": [],
"name": "",
"accountType": "tenant",
"protectionMode": "MONITOR"
},
"clientId": "",
"key": "",
"monitorFlowLogs": true,
"tenantId": "",
"servicePrincipalId": "",
"environmentType": "azure"
}
Request Body to Add an Azure Tenant with Management Groups
The table below lists the request body parameters to add an Azure tenant plus management groups and subscriptions associated with that tenant.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
cloudAccount.accountId | string | Must be set to "" (empty) | Must be empty |
cloudAccount.enabled | boolean | Whether or not to enable the account | Default is false |
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
cloudAccount.accountType | string | Valid value: tenant | Required |
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Default is MONITOR_AND_PROTECT |
clientId | string | Application ID registered with Active Directory | Required |
tenantId | string | Active Directory ID associated with Azure | Required |
servicePrincipalId | string | Unique ID of the service principal object associated with the Prisma Cloud application | Required |
monitorFlowLogs | boolean | Automatically ingest flow logs | Required |
key | string | Application ID key | Required |
environmentType | string | Valid values: azure (Commercial), azure_gov (Government), azure_china (China) | Required |
defaultAccountGroupId | string | Account group ID for this tenant. Used for alert rules. | Required |
rootSyncEnabled | boolean | true = Azure tenant has children. Must be set to true. | Required |
hierarchySelection | array of objects | List of subscriptions and/or management groups to onboard | Default is none |
hierarchySelection.resourceId | string | Management group ID or subscription ID. Note you must escape any double quotes in the resource ID with a backslash. | Required if hierarchySelection is specified |
hierarchySelection.displayName | string | Display name for management group or subscription | Required if hierarchySelection is specified |
hierarchySelection.nodeType | string | Valid values: SUBSCRIPTION, TENANT, MANAGEMENT_GROUP | Required if hierarchySelection is specified |
hierarchySelection.selectionType | string | Valid values: INCLUDE to include the specified resource to onboard, EXCLUDE to exclude the specified resource and onboard the rest, ALL to onboard all resources in the tenant. | Required if hierarchySelection is specified |
Request Body Example
{
"cloudAccount": {
"accountId": "",
"enabled": true,
"name": "",
"accountType": "tenant",
"protectionMode": "MONITOR_AND_PROTECT"
},
"clientId": "",
"key": "",
"monitorFlowLogs": true,
"tenantId": "",
"servicePrincipalId": "",
"environmentType": "azure",
"defaultAccountGroupId": "",
"rootSyncEnabled": true,
"hierarchySelection": [{
"displayName": "Tenant Root Group",
"nodeType": "TENANT",
"resourceId": "",
"selectionType": "INCLUDE"
}]
}
Request Body to Add a GCP Project
The table below lists the request body parameters.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
cloudAccount.accountId | string | GCP project ID | Required |
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
cloudAccount.enabled | boolean | Whether or not the account is enabled | Default is false |
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required |
cloudAccount.projectId | string | Existing GCP project ID | Required |
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required |
cloudAccount.accountType | string | Valid value: account | Required |
credentials | JSON object | Service account key | Required |
compressionEnabled | boolean | Enable flow log compression | Default is false |
dataflowEnabledProject | string | GCP project for flow log compression | Required if compressionEnabled is true |
flowLogStorageBucket | string | GCP flow logs storage bucket | Default is "" |
Request Body Example
{
"cloudAccount": {
"accountId": "",
"accountType": "account",
"enabled": true,
"groupIds": [],
"name": "",
"projectId": "",
"protectionMode": "MONITOR"
},
"compressionEnabled": true,
"dataflowEnabledProject": "",
"flowLogStorageBucket": "",
"credentials": {
"type": "",
"project_id": "",
"private_key_id": "",
"private_key": "",
"client_email": "",
"client_id": "",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
}
}
Request Body to Add a GCP Org
The table below lists the request body parameters.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
cloudAccount.accountId | string | GCP Org ID | Required |
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
cloudAccount.enabled | boolean | Whether or not the account is enabled | Default is false |
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required |
cloudAccount.accountType | string | Valid value: organization | Required |
credentials | JSON object | Service account key | Required |
compressionEnabled | boolean | Enable flow log compression | Default is false |
dataflowEnabledProject | string | GCP project for flow log compression | Required if compressionEnabled is true |
flowLogStorageBucket | string | GCP flow logs storage bucket | Default is "" |
organizationName | string | GCP organization name | Required |
accountGroupCreationMode | string | Cloud account group creation mode. Valid values: MANUAL: Create account groups manually AUTO: Create high-level account groups based on folders identified RECURSIVE: Drill down in folder tree to create account groups | Default is MANUAL |
defaultAccountGroupId | string | Account group ID for this account. Used for alert rules. | Required if accountGroupCreationMode is MANUAL |
hierarchySelection | array of objects | List of folders and/or projects to onboard under this organization | Default is none |
hierarchySelection.resourceId | string | Resource ID. For folders, format is folders/{folder ID}. For projects, format is {project number}. For orgs, format is organizations/{org ID} | Required if hierarchySelection is specified |
hierarchySelection.displayName | string | Display name for folder, project, or organization | Required if hierarchySelection is specified |
hierarchySelection.nodeType | string | Valid values: FOLDER, PROJECT, ORG | Required if hierarchySelection is specified |
hierarchySelection.selectionType | string | Valid values: INCLUDE, EXCLUDE, INCLUDE ALL. If hierarchySelection.nodeType is PROJECT or FOLDER, valid values are INCLUDE, EXCLUDE. | Required if hierarchySelection is specified |
Request Body Example
{
"cloudAccount": {
"accountId": "",
"accountType": "organization",
"protectionMode": "MONITOR",
"enabled": true,
"name": ""
},
"accountGroupCreationMode": "MANUAL",
"compressionEnabled": true,
"dataflowEnabledProject": "",
"flowLogStorageBucket": "",
"organizationName": "",
"defaultAccountGroupId": "",
"credentials": {
"type": "",
"project_id": "",
"private_key_id": "",
"private_key": "",
"client_email": "",
"client_id": "",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
},
"hierarchySelection":
[{
"resourceId": "",
"displayName": "",
"nodeType": "FOLDER",
"selectionType": "EXCLUDE"
}]
}
Request Body to Add a GCP Master Service Account
The table below lists the request body parameters.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
cloudAccount.accountId | string | GCP project ID | Required |
cloudAccount.name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
cloudAccount.enabled | boolean | Whether or not the account is enabled | Default is false |
cloudAccount.groupIds | array of strings | List of account group IDs for this account | Required |
cloudAccount.projectId | string | Existing GCP project ID | Required |
cloudAccount.protectionMode | string | Valid values: MONITOR, MONITOR_AND_PROTECT | Required |
cloudAccount.accountType | string | Valid value: masterServiceAccount | Required |
defaultAccountGroupId | string | Account group ID for this account. Used for alert rules. | Required |
credentials | JSON object | Service account key | Required |
compressionEnabled | boolean | Enable flow log compression | Default is false |
dataflowEnabledProject | string | GCP project for flow log compression | Required if compressionEnabled is true |
flowLogStorageBucket | string | GCP flow logs storage bucket | Default is "" |
Request Body Example
{
"cloudAccount": {
"accountId": "",
"accountType": "masterServiceAccount",
"enabled": true,
"groupIds": [],
"name": "",
"projectId": "",
"protectionMode": "MONITOR"
},
"compressionEnabled": true,
"dataflowEnabledProject": "",
"flowLogStorageBucket": "",
"organizationName": "",
"credentials": {
"type": "",
"project_id": "",
"private_key_id": "",
"private_key": "",
"client_email": "",
"client_id": "",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
}
}
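The three GCP bodies above (project, organization, master service account) share the same credentials object and differ only in which top-level fields are required, so one builder covers all three. The Python below is an added example, not code from this page or from Palo Alto Networks. The embedded service-account key is a constructed dummy whose PEM body is not real key material, the project, folder and group IDs are placeholders, and the field rules it enforces are exactly the Required/Default columns of the three tables. It also returns a redacted copy of the body for logging, since the credentials object carries the service account's private key and should never end up in a log line or a ticket.

```python
"""Build Prisma Cloud GCP onboarding bodies from a service-account key."""
import copy
import json

GCP_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email",
                  "client_id", "auth_uri", "token_uri", "auth_provider_x509_cert_url",
                  "client_x509_cert_url"}
GCP_ACCOUNT_TYPES = {"account", "organization", "masterServiceAccount"}
GROUP_MODES = {"MANUAL", "AUTO", "RECURSIVE"}
GCP_NODE_TYPES = {"FOLDER", "PROJECT", "ORG"}

# Constructed dummy key for this example; the PEM body is not a real private key.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account", "project_id": "prisma-onboarding-demo",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvDUMMYKEYMATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "prisma-cloud@prisma-onboarding-demo.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/"
                            "prisma-cloud%40prisma-onboarding-demo.iam.gserviceaccount.com",
})


def load_service_account_key(raw_json):
    """Parse a downloaded key file and reject anything that is not a complete service-account key."""
    key = json.loads(raw_json)
    missing = GCP_KEY_FIELDS - key.keys()
    if missing:
        raise ValueError(f"service account key is missing {sorted(missing)}")
    if key["type"] != "service_account":
        raise ValueError("credentials must be a service_account key, not user credentials")
    if not key["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        raise ValueError("private_key is not a PEM private key block")
    return key


def gcp_body(account_id, name, account_type, credentials, group_ids=(), project_id=None,
             protection_mode="MONITOR", enabled=True, compression_enabled=False,
             dataflow_project=None, flow_log_bucket="", organization_name=None,
             default_group_id=None, group_creation_mode="MANUAL", hierarchy_selection=()):
    """Assemble the cloud_type=gcp body; the required fields depend on accountType."""
    if account_type not in GCP_ACCOUNT_TYPES:
        raise ValueError("accountType must be account, organization or masterServiceAccount")
    if protection_mode not in {"MONITOR", "MONITOR_AND_PROTECT"}:
        raise ValueError("protectionMode must be MONITOR or MONITOR_AND_PROTECT")
    cloud_account = {"accountId": account_id, "accountType": account_type, "enabled": enabled,
                     "name": name, "protectionMode": protection_mode}
    body = {"cloudAccount": cloud_account, "credentials": credentials,
            "compressionEnabled": compression_enabled, "flowLogStorageBucket": flow_log_bucket}
    if compression_enabled:
        if not dataflow_project:
            raise ValueError("dataflowEnabledProject is required when compressionEnabled is true")
        body["dataflowEnabledProject"] = dataflow_project
    if account_type == "organization":
        if not organization_name:
            raise ValueError("organizationName is required for an organization")
        if group_creation_mode not in GROUP_MODES:
            raise ValueError("accountGroupCreationMode must be MANUAL, AUTO or RECURSIVE")
        if group_creation_mode == "MANUAL" and not default_group_id:
            raise ValueError("defaultAccountGroupId is required when accountGroupCreationMode is MANUAL")
        for node in hierarchy_selection:
            if node.get("nodeType") not in GCP_NODE_TYPES:
                raise ValueError("hierarchySelection.nodeType must be FOLDER, PROJECT or ORG")
        body.update({"organizationName": organization_name,
                     "accountGroupCreationMode": group_creation_mode,
                     "hierarchySelection": list(hierarchy_selection)})
        if default_group_id:
            body["defaultAccountGroupId"] = default_group_id
    else:  # account or masterServiceAccount: one project plus explicit account groups
        if not group_ids or not project_id:
            raise ValueError("groupIds and projectId are required for project onboarding")
        cloud_account.update({"groupIds": list(group_ids), "projectId": project_id})
        if account_type == "masterServiceAccount":
            if not default_group_id:
                raise ValueError("defaultAccountGroupId is required for masterServiceAccount")
            body["defaultAccountGroupId"] = default_group_id
    return body


def redacted(body):
    """Deep copy of the body that is safe to log or diff: key material is masked."""
    safe = copy.deepcopy(body)
    for field in ("private_key", "private_key_id"):
        if field in safe.get("credentials", {}):
            safe["credentials"][field] = "[REDACTED]"
    return safe
```

Load the real key with load_service_account_key(open(path).read()) at run time rather than pasting it into the script, and pass redacted(body) to whatever you print or persist; the unredacted body goes only to the request.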
Request Body to Add an Alibaba Account
The table below lists the request body parameters to add an Alibaba account.
Parameter | Type | Description | Default Value or Required |
---|---|---|---|
accountId | string | Alibaba account ID | Required |
groupIds | array of strings | List of account group IDs for this account | Required |
name | string | Name to be used for the account on the Prisma Cloud platform (must be unique) | Required |
ramArn | string | Unique identifier for an Alibaba RAM role resource | Required |
enabled | boolean | Whether or not the account is enabled | Default is false |
deploymentType | string | Deployment type. Valid values: ali-int (Alibaba International); ali-cn (Alibaba China: monitors all resources in the Alibaba China region but not resources in the Alibaba Finance region); ali-fn (Alibaba Finance: applicable only to the Alibaba China region and monitors only resources located in the Alibaba Finance regions). | Optional |
Request Body Example
{
"accountId": "",
"groupIds": [],
"name": "",
"enabled": true,
"ramArn": ""
}
Requirements and Request Body to Add an OCI Account
To add an Oracle Cloud Infrastructure (OCI) account, you must first use Generate Zipped Terraform Script (OCI) in the console (required). The request body then has the following shape.
Request Body Example
{
"accountType":"tenant",
"defaultAccountGroupId":"",
"enabled":true,
"name":"",
"groupName":"",
"homeRegion":"",
"policyName":"",
"accountId":"",
"userName":"",
"userOcid":""
}
Path Parameters
- cloud_type | string | Required. Cloud type. Possible values: aws, azure, gcp, alibaba_cloud, oci
Query Parameters
- skipStatusChecks | boolean | Optional. true = skip account status checks to improve response time
Request Body
- application/json | Required. A Cloud Account object whose properties depend on cloud_type, as listed in the sections above.
Responses
- 200 | successful operation
- 400 | duplicate_cloud_account_name / duplicate_cloud_account / invalid_account_id_format / duplicate_cloud_account_needs_upgrade / cannot_select_zero_account_groups / invalid_account_group_ids
- 404 | invalid_account_type
- 500 | internal_error