Cloudability API

Cloudability API Documentation

Welcome to the Cloudability API documentation.

At Cloudability our public API is a first-class citizen. As much as we know you love using our console, a well-factored API can deliver and enable myriad use cases beyond even our imagination.
If you are a large public cloud user you'll find intelligent ways to automate scripting of repetitive tasks that would be impractical to manage manually at the scale you require. We also expect to see more machine-to-machine integrations where information is shared between systems, augmenting important data sets and supporting the delivery of information to end users in a medium that works for them.

Vendor Credentials End Point (AWS)

Summary

This end point is used to manage credentials within Cloudability that support the integration and ingestion of data from public cloud vendors. This includes tasks such as initial setup, listing out current credentials and deleting deprecated credentials.

  • This endpoint does not support filtering and sorting.

Endpoint Particulars

endpoint: /vendors/AWS/accounts for RESTful CRUD interactions
endpoint: /vendors/AWS/accounts/[vendorAccountId]/verification
endpoint: /vendors/AWS/accounts/[vendorAccountId]/user-to-role-migration
endpoint: /vendors/AWS/accounts/[vendorAccountId]/cloudformation-template
endpoint: /vendors/AWS/accounts/[vendorAccountId]/external-id-rotation

The Credential Object

id (string) - 12 digit string corresponding to your AWS account ID
vendorAccountName (string) - The name given to your AWS account
vendorAccountId (string) - 12 digit string corresponding to your AWS account ID
vendorKey (string) - "aws"
verification (object) - object containing details of verification state:
      state (string) - examples "unverified", "verified", "error"
      lastVerificationAttemptedAt (string) - date timestamp, example: "1970-01-01T00:00:00.000Z"
      message (string) - error message for credentials in error state
authorization (object) - object containing vendor specific authorization details
      type (string) - "aws_role" or "aws_user"
      roleName (string) - currently hardcoded to "CloudabilityRole"
      externalId (string) - the external ID used to prevent confused deputies. Generated by Cloudability
parentAccountId (string) - 12 digit string representing parent's account ID (if current cred is a linked account)
createdAt (string) - date timestamp corresponding to Cloudability credential creation time

Example 'Verified' Linked Account Credentials Object

{
  "result": {
    "id": "999988887777",
    "vendorAccountName": "Account Name",
    "vendorAccountId": "999988887777",
    "vendorKey": "aws",
    "verification": {
      "state": "verified",
      "lastVerificationAttemptedAt": "2017-11-03T08:35:55.049Z"
    },
    "authorization": {
      "type": "aws_role",
      "roleName": "CloudabilityRole",
      "externalId": "1265c251-1e14-49db-b933-af3364c8ac77"
    },
    "parentAccountId": "111122223333",
    "createdAt": "2017-11-03T07:35:55.049Z"
  }
}

Example Requests

Create Credential for Linked Account

Special Note: If your linked account is brand new, run a verification on your master payer account first to make sure Cloudability is aware of it. We do have a regular background job to register new accounts, but for a brand new account running the verification guarantees that the credential can be created as follows.

curl -X POST 'https://api.cloudability.com/v3/vendors/aws/accounts' \
     -H 'Content-Type: application/json' \
     -u '[auth_token]:' \
     -d @- << EOF
{ 
  "vendorAccountId": "999988887777",
  "type": "aws_role"
}
EOF

Upon successful creation the API will return the credentials object.

Retrieve Account

curl 'https://api.cloudability.com/v3/vendors/AWS/accounts/[vendorAccountId]' \
   -u '[auth_token]:'

Pro Tip!: If you are reviewing a master payer account you can get the payload to include all its linked accounts by adding include=associatedAccounts as a query parameter. All linked accounts will be returned as a list of regular credential objects within the associatedAccounts attribute.

Delete Credential for an account

curl -X DELETE 'https://api.cloudability.com/v3/vendors/AWS/accounts/999988887777' \
     -u '[auth_token]:'

List Accounts

curl 'https://api.cloudability.com/v3/vendors/AWS/accounts' \
   -u '[auth_token]:'

Verify credentials for an account

curl -X POST 'https://api.cloudability.com/v3/vendors/AWS/accounts/999988887777/verification' \
     -u '[auth_token]:'

Migrate an AWS User Cred to AWS Role

curl -X POST 'https://api.cloudability.com/v3/vendors/AWS/accounts/999988887777/user-to-role-migration' \
     -u '[auth_token]:'

Get CloudFormation Template For Account

curl 'https://api.cloudability.com/v3/vendors/AWS/accounts/999988887777/cloudformation-template' \
     -u '[auth_token]:'

Rotate the external ID

curl -X POST 'https://api.cloudability.com/v3/vendors/AWS/accounts/999988887777/external-id-rotation' \
     -u '[auth_token]:'

Recipe for Adding New Linked Account Credentials (AWS)

  1. If your linked account is brand new, run a verification on your master payer account first to make sure Cloudability is aware of it. We do have a regular background job to register new accounts, but for a brand new account running the verification guarantees that the credential can be created in the next step.
  2. Create Credential For Linked Account
  3. Get Cloudformation Template (CFT) For Account
  4. Create CFT Stack in AWS via AWS console or AWS API/SDK/CLI (net result is the creation of the IAM role Cloudability assumes)
  5. Verify Credentials for an account

Recipe for Migrating AWS User Creds to AWS Role creds

Recipe for rotating External ID

Recipe for creating credential, retrieving externalID and creating IAM role with your own scripting

The only unique thing about each CloudFormation template is the externalID itself. This is an AWS best practice from a security perspective, but instead of needing to generate a separate template each time you could just activate a credential, retrieve its externalID and then script on your end to create the role. Here are the calls to do this:

  1. Create the credential within Cloudability
  2. The externalID is returned within the JSON response from a successful request above. It can also be obtained afterwards by retrieving the account credential.
  3. Use a script on your end to apply the externalID as a parameter with your own template.
  4. Verify Credentials for an account
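
Step 3 of this recipe, sketched as an added example (not Cloudability's own code): it reads the credential response, checks that it is an aws_role credential for the expected account, and builds the IAM trust policy that pins sts:AssumeRole to the returned externalId. The function name is hypothetical, the sample response is constructed from the example object above, and the principal ARN is a placeholder, since this page does not state which principal Cloudability assumes the role from; take it from the CloudFormation template returned for your account.

```python
import json
import re

# Constructed sample, modelled on the example credential object on this page.
SAMPLE_RESPONSE = json.dumps({"result": {
    "id": "999988887777",
    "vendorAccountId": "999988887777",
    "vendorKey": "aws",
    "verification": {"state": "unverified"},
    "authorization": {"type": "aws_role", "roleName": "CloudabilityRole",
                      "externalId": "1265c251-1e14-49db-b933-af3364c8ac77"},
}})

# Character set and length limits AWS documents for the AssumeRole ExternalId.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:/-]{2,1224}", re.ASCII)


def trust_policy_from_credential(response_body, expected_account_id, principal_arn):
    """Return (role_name, trust_policy) for a credential API response."""
    cred = json.loads(response_body)["result"]
    auth = cred.get("authorization") or {}
    # Never create a role from a response that belongs to another account.
    if cred.get("vendorAccountId") != expected_account_id:
        raise ValueError("credential is for a different AWS account")
    # aws_user credentials carry no external ID to pin the role to.
    if auth.get("type") != "aws_role":
        raise ValueError("credential type is not aws_role")
    external_id = auth.get("externalId") or ""
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        raise ValueError("externalId missing or malformed")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            # Without this condition any customer of the same service could
            # ask it to assume this role (the confused-deputy problem).
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }
    return auth["roleName"], policy


if __name__ == "__main__":
    # Placeholder principal (assumption); replace with the one in your template.
    role, doc = trust_policy_from_credential(
        SAMPLE_RESPONSE, "999988887777", "arn:aws:iam::000000000000:root")
    print(role)
    print(json.dumps(doc, indent=2))
```

The printed document is what goes into the role's trust relationship, for example via `aws iam create-role --assume-role-policy-document`. After an external ID rotation the policy has to be regenerated from the new value before the next verification.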