Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
PUT https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/connectors/{connectorName}?api-version=2020-01-01-preview
URI Parameters
| Name |
In |
Required |
Type |
Description |
|
connectorName
|
path |
True
|
string
|
Name of the cloud account connector
|
|
subscriptionId
|
path |
True
|
string
pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
|
Azure subscription ID
|
|
api-version
|
query |
True
|
string
|
API version for the operation
|
Request Body
| Name |
Type |
Description |
|
properties.authenticationDetails
|
AuthenticationDetailsProperties:
|
Settings for authentication management, these settings are relevant only for the cloud connector.
|
|
properties.hybridComputeSettings
|
HybridComputeSettingsProperties
|
Settings for hybrid compute management. These settings are relevant only for Arc autoProvision (Hybrid Compute).
|
Responses
| Name |
Type |
Description |
|
200 OK
|
ConnectorSetting
|
OK
|
|
Other Status Codes
|
CloudError
|
Error response describing why the operation failed.
|
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name |
Description |
|
user_impersonation
|
impersonate your user account
|
Examples
AwsAssumeRole - Create a cloud account connector for a subscription
Sample request
PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev2?api-version=2020-01-01-preview
{
"properties": {
"hybridComputeSettings": {
"autoProvision": "On",
"resourceGroupName": "AwsConnectorRG",
"region": "West US 2",
"proxyServer": {
"ip": "167.220.197.140",
"port": "34"
},
"servicePrincipal": {
"applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1",
"secret": "<secret>"
}
},
"authenticationDetails": {
"authenticationType": "awsAssumeRole",
"awsAssumeRoleArn": "arn:aws:iam::81231569658:role/AscConnector",
"awsExternalId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
}
}
}
import com.azure.resourcemanager.security.models.AutoProvision;
import com.azure.resourcemanager.security.models.AwAssumeRoleAuthenticationDetailsProperties;
import com.azure.resourcemanager.security.models.HybridComputeSettingsProperties;
import com.azure.resourcemanager.security.models.ProxyServerProperties;
import com.azure.resourcemanager.security.models.ServicePrincipalProperties;
/**
* Samples for Connectors CreateOrUpdate.
*/
public final class Main {
/*
* x-ms-original-file:
* specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/
* CreateUpdateAwsAssumeRoleConnectorSubscription_example.json
*/
/**
* Sample code: AwsAssumeRole - Create a cloud account connector for a subscription.
*
* @param manager Entry point to SecurityManager.
*/
public static void awsAssumeRoleCreateACloudAccountConnectorForASubscription(
com.azure.resourcemanager.security.SecurityManager manager) {
manager.connectors().define("aws_dev2")
.withHybridComputeSettings(new HybridComputeSettingsProperties().withAutoProvision(AutoProvision.ON)
.withResourceGroupName("AwsConnectorRG").withRegion("West US 2")
.withProxyServer(new ProxyServerProperties().withIp("167.220.197.140").withPort("34"))
.withServicePrincipal(new ServicePrincipalProperties()
.withApplicationId("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1").withSecret("fakeTokenPlaceholder")))
.withAuthenticationDetails(new AwAssumeRoleAuthenticationDetailsProperties()
.withAwsAssumeRoleArn("arn:aws:iam::81231569658:role/AscConnector")
.withAwsExternalId("20ff7fc3-e762-44dd-bd96-b71116dcdc23"))
.create();
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
package armsecurity_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json
func ExampleAccountConnectorsClient_CreateOrUpdate_awsAssumeRoleCreateACloudAccountConnectorForASubscription() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
res, err := clientFactory.NewAccountConnectorsClient().CreateOrUpdate(ctx, "aws_dev2", armsecurity.ConnectorSetting{
Properties: &armsecurity.ConnectorSettingProperties{
AuthenticationDetails: &armsecurity.AwAssumeRoleAuthenticationDetailsProperties{
AuthenticationType: to.Ptr(armsecurity.AuthenticationTypeAwsAssumeRole),
AwsAssumeRoleArn: to.Ptr("arn:aws:iam::81231569658:role/AscConnector"),
AwsExternalID: to.Ptr("20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
},
HybridComputeSettings: &armsecurity.HybridComputeSettingsProperties{
AutoProvision: to.Ptr(armsecurity.AutoProvisionOn),
ProxyServer: &armsecurity.ProxyServerProperties{
IP: to.Ptr("167.220.197.140"),
Port: to.Ptr("34"),
},
Region: to.Ptr("West US 2"),
ResourceGroupName: to.Ptr("AwsConnectorRG"),
ServicePrincipal: &armsecurity.ServicePrincipalProperties{
ApplicationID: to.Ptr("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"),
Secret: to.Ptr("<secret>"),
},
},
},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
// res.ConnectorSetting = armsecurity.ConnectorSetting{
// Name: to.Ptr("aws_dev2"),
// Type: to.Ptr("Microsoft.Security/connectors"),
// ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev2"),
// Properties: &armsecurity.ConnectorSettingProperties{
// AuthenticationDetails: &armsecurity.AwAssumeRoleAuthenticationDetailsProperties{
// AuthenticationProvisioningState: to.Ptr(armsecurity.AuthenticationProvisioningStateValid),
// AuthenticationType: to.Ptr(armsecurity.AuthenticationTypeAwsAssumeRole),
// GrantedPermissions: []*armsecurity.PermissionProperty{
// to.Ptr(armsecurity.PermissionPropertyAWSAWSSecurityHubReadOnlyAccess),
// to.Ptr(armsecurity.PermissionPropertyAWSSecurityAudit),
// to.Ptr(armsecurity.PermissionPropertyAWSAmazonSSMAutomationRole)},
// AccountID: to.Ptr("81231569658"),
// AwsAssumeRoleArn: to.Ptr("arn:aws:iam::81231569658:role/AscConnector"),
// AwsExternalID: to.Ptr("20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
// },
// HybridComputeSettings: &armsecurity.HybridComputeSettingsProperties{
// AutoProvision: to.Ptr(armsecurity.AutoProvisionOn),
// HybridComputeProvisioningState: to.Ptr(armsecurity.HybridComputeProvisioningStateValid),
// ProxyServer: &armsecurity.ProxyServerProperties{
// IP: to.Ptr("167.220.197.140"),
// Port: to.Ptr("34"),
// },
// Region: to.Ptr("West US 2"),
// ResourceGroupName: to.Ptr("AwsConnectorRG"),
// ServicePrincipal: &armsecurity.ServicePrincipalProperties{
// ApplicationID: to.Ptr("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"),
// },
// },
// },
// }
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
*
* @summary Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
* x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json
*/
async function awsAssumeRoleCreateACloudAccountConnectorForASubscription() {
const subscriptionId =
process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
const connectorName = "aws_dev2";
const connectorSetting = {
authenticationDetails: {
authenticationType: "awsAssumeRole",
awsAssumeRoleArn: "arn:aws:iam::81231569658:role/AscConnector",
awsExternalId: "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
},
hybridComputeSettings: {
autoProvision: "On",
proxyServer: { ip: "167.220.197.140", port: "34" },
region: "West US 2",
resourceGroupName: "AwsConnectorRG",
servicePrincipal: {
applicationId: "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1",
secret: "<secret>",
},
},
};
const credential = new DefaultAzureCredential();
const client = new SecurityCenter(credential, subscriptionId);
const result = await client.connectors.createOrUpdate(connectorName, connectorSetting);
console.log(result);
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.SecurityCenter.Models;
using Azure.ResourceManager.SecurityCenter;
// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsAssumeRoleConnectorSubscription_example.json
// this example is just showing the usage of "Connectors_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.
// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this SubscriptionResource created on azure
// for more information of creating SubscriptionResource, please refer to the document of SubscriptionResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);
// get the collection of this SecurityCloudConnectorResource
SecurityCloudConnectorCollection collection = subscriptionResource.GetSecurityCloudConnectors();
// invoke the operation
string connectorName = "aws_dev2";
SecurityCloudConnectorData data = new SecurityCloudConnectorData
{
HybridComputeSettings = new HybridComputeSettingsProperties(AutoProvisionState.On)
{
ResourceGroupName = "AwsConnectorRG",
Region = "West US 2",
ProxyServer = new ProxyServerProperties
{
IP = "167.220.197.140",
Port = "34",
},
ServicePrincipal = new ServicePrincipalProperties
{
ApplicationId = Guid.Parse("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"),
Secret = "<secret>",
},
},
AuthenticationDetails = new AwsAssumeRoleAuthenticationDetailsProperties("arn:aws:iam::81231569658:role/AscConnector", Guid.Parse("20ff7fc3-e762-44dd-bd96-b71116dcdc23")),
};
ArmOperation<SecurityCloudConnectorResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, connectorName, data);
SecurityCloudConnectorResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityCloudConnectorData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
Sample response
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev2",
"name": "aws_dev2",
"type": "Microsoft.Security/connectors",
"properties": {
"hybridComputeSettings": {
"hybridComputeProvisioningState": "Valid",
"autoProvision": "On",
"resourceGroupName": "AwsConnectorRG",
"region": "West US 2",
"proxyServer": {
"ip": "167.220.197.140",
"port": "34"
},
"servicePrincipal": {
"applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
}
},
"authenticationDetails": {
"authenticationProvisioningState": "Valid",
"grantedPermissions": [
"AWS::AWSSecurityHubReadOnlyAccess",
"AWS::SecurityAudit",
"AWS::AmazonSSMAutomationRole"
],
"authenticationType": "awsAssumeRole",
"accountId": "81231569658",
"awsAssumeRoleArn": "arn:aws:iam::81231569658:role/AscConnector",
"awsExternalId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
}
}
}
AwsCred - Create a cloud account connector for a subscription
Sample request
PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev1?api-version=2020-01-01-preview
{
"properties": {
"hybridComputeSettings": {
"autoProvision": "On",
"resourceGroupName": "AwsConnectorRG",
"region": "West US 2",
"proxyServer": {
"ip": "167.220.197.140",
"port": "34"
},
"servicePrincipal": {
"applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1",
"secret": "<secret>"
}
},
"authenticationDetails": {
"authenticationType": "awsCreds",
"awsAccessKeyId": "<awsAccessKeyId>",
"awsSecretAccessKey": "<awsSecretAccessKey>"
}
}
}
import com.azure.resourcemanager.security.models.AutoProvision;
import com.azure.resourcemanager.security.models.AwsCredsAuthenticationDetailsProperties;
import com.azure.resourcemanager.security.models.HybridComputeSettingsProperties;
import com.azure.resourcemanager.security.models.ProxyServerProperties;
import com.azure.resourcemanager.security.models.ServicePrincipalProperties;
/**
* Samples for Connectors CreateOrUpdate.
*/
public final class Main {
/*
* x-ms-original-file:
* specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/
* CreateUpdateAwsCredConnectorSubscription_example.json
*/
/**
* Sample code: AwsCred - Create a cloud account connector for a subscription.
*
* @param manager Entry point to SecurityManager.
*/
public static void awsCredCreateACloudAccountConnectorForASubscription(
com.azure.resourcemanager.security.SecurityManager manager) {
manager.connectors().define("aws_dev1")
.withHybridComputeSettings(new HybridComputeSettingsProperties().withAutoProvision(AutoProvision.ON)
.withResourceGroupName("AwsConnectorRG").withRegion("West US 2")
.withProxyServer(new ProxyServerProperties().withIp("167.220.197.140").withPort("34"))
.withServicePrincipal(new ServicePrincipalProperties()
.withApplicationId("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1").withSecret("fakeTokenPlaceholder")))
.withAuthenticationDetails(new AwsCredsAuthenticationDetailsProperties()
.withAwsAccessKeyId("fakeTokenPlaceholder").withAwsSecretAccessKey("fakeTokenPlaceholder"))
.create();
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
package armsecurity_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json
func ExampleAccountConnectorsClient_CreateOrUpdate_awsCredCreateACloudAccountConnectorForASubscription() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
res, err := clientFactory.NewAccountConnectorsClient().CreateOrUpdate(ctx, "aws_dev1", armsecurity.ConnectorSetting{
Properties: &armsecurity.ConnectorSettingProperties{
AuthenticationDetails: &armsecurity.AwsCredsAuthenticationDetailsProperties{
AuthenticationType: to.Ptr(armsecurity.AuthenticationTypeAwsCreds),
AwsAccessKeyID: to.Ptr("<awsAccessKeyId>"),
AwsSecretAccessKey: to.Ptr("<awsSecretAccessKey>"),
},
HybridComputeSettings: &armsecurity.HybridComputeSettingsProperties{
AutoProvision: to.Ptr(armsecurity.AutoProvisionOn),
ProxyServer: &armsecurity.ProxyServerProperties{
IP: to.Ptr("167.220.197.140"),
Port: to.Ptr("34"),
},
Region: to.Ptr("West US 2"),
ResourceGroupName: to.Ptr("AwsConnectorRG"),
ServicePrincipal: &armsecurity.ServicePrincipalProperties{
ApplicationID: to.Ptr("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"),
Secret: to.Ptr("<secret>"),
},
},
},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
// res.ConnectorSetting = armsecurity.ConnectorSetting{
// Name: to.Ptr("aws_dev1"),
// Type: to.Ptr("Microsoft.Security/connectors"),
// ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev1"),
// Properties: &armsecurity.ConnectorSettingProperties{
// AuthenticationDetails: &armsecurity.AwsCredsAuthenticationDetailsProperties{
// AuthenticationProvisioningState: to.Ptr(armsecurity.AuthenticationProvisioningStateValid),
// AuthenticationType: to.Ptr(armsecurity.AuthenticationTypeAwsCreds),
// GrantedPermissions: []*armsecurity.PermissionProperty{
// to.Ptr(armsecurity.PermissionPropertyAWSAWSSecurityHubReadOnlyAccess),
// to.Ptr(armsecurity.PermissionPropertyAWSSecurityAudit),
// to.Ptr(armsecurity.PermissionPropertyAWSAmazonSSMAutomationRole)},
// AccountID: to.Ptr("922315681122"),
// AwsAccessKeyID: to.Ptr(""),
// AwsSecretAccessKey: to.Ptr(""),
// },
// HybridComputeSettings: &armsecurity.HybridComputeSettingsProperties{
// AutoProvision: to.Ptr(armsecurity.AutoProvisionOn),
// HybridComputeProvisioningState: to.Ptr(armsecurity.HybridComputeProvisioningStateValid),
// ProxyServer: &armsecurity.ProxyServerProperties{
// IP: to.Ptr("287.221.107.152"),
// Port: to.Ptr("34"),
// },
// Region: to.Ptr("West US 2"),
// ResourceGroupName: to.Ptr("AwsConnectorRG"),
// ServicePrincipal: &armsecurity.ServicePrincipalProperties{
// ApplicationID: to.Ptr("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"),
// },
// },
// },
// }
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
*
* @summary Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
* x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json
*/
async function awsCredCreateACloudAccountConnectorForASubscription() {
const subscriptionId =
process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
const connectorName = "aws_dev1";
const connectorSetting = {
authenticationDetails: {
authenticationType: "awsCreds",
awsAccessKeyId: "AKIARPZCNODDNAEQFSOE",
awsSecretAccessKey: "<awsSecretAccessKey>",
},
hybridComputeSettings: {
autoProvision: "On",
proxyServer: { ip: "167.220.197.140", port: "34" },
region: "West US 2",
resourceGroupName: "AwsConnectorRG",
servicePrincipal: {
applicationId: "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1",
secret: "<secret>",
},
},
};
const credential = new DefaultAzureCredential();
const client = new SecurityCenter(credential, subscriptionId);
const result = await client.connectors.createOrUpdate(connectorName, connectorSetting);
console.log(result);
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.SecurityCenter.Models;
using Azure.ResourceManager.SecurityCenter;
// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateAwsCredConnectorSubscription_example.json
// this example is just showing the usage of "Connectors_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.
// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this SubscriptionResource created on azure
// for more information of creating SubscriptionResource, please refer to the document of SubscriptionResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);
// get the collection of this SecurityCloudConnectorResource
SecurityCloudConnectorCollection collection = subscriptionResource.GetSecurityCloudConnectors();
// invoke the operation
string connectorName = "aws_dev1";
SecurityCloudConnectorData data = new SecurityCloudConnectorData
{
HybridComputeSettings = new HybridComputeSettingsProperties(AutoProvisionState.On)
{
ResourceGroupName = "AwsConnectorRG",
Region = "West US 2",
ProxyServer = new ProxyServerProperties
{
IP = "167.220.197.140",
Port = "34",
},
ServicePrincipal = new ServicePrincipalProperties
{
ApplicationId = Guid.Parse("ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"),
Secret = "<secret>",
},
},
AuthenticationDetails = new AwsCredsAuthenticationDetailsProperties("AKIARPZCNODDNAEQFSOE", "<awsSecretAccessKey>"),
};
ArmOperation<SecurityCloudConnectorResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, connectorName, data);
SecurityCloudConnectorResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityCloudConnectorData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
Sample response
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/aws_dev1",
"name": "aws_dev1",
"type": "Microsoft.Security/connectors",
"properties": {
"hybridComputeSettings": {
"hybridComputeProvisioningState": "Valid",
"autoProvision": "On",
"resourceGroupName": "AwsConnectorRG",
"region": "West US 2",
"proxyServer": {
"ip": "287.221.107.152",
"port": "34"
},
"servicePrincipal": {
"applicationId": "ad9bcd79-be9c-45ab-abd8-80ca1654a7d1"
}
},
"authenticationDetails": {
"authenticationProvisioningState": "Valid",
"grantedPermissions": [
"AWS::AWSSecurityHubReadOnlyAccess",
"AWS::SecurityAudit",
"AWS::AmazonSSMAutomationRole"
],
"authenticationType": "awsCreds",
"accountId": "922315681122",
"awsAccessKeyId": "",
"awsSecretAccessKey": ""
}
}
}
gcpCredentials - Create a cloud account connector for a subscription
Sample request
PUT https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/gcp_dev?api-version=2020-01-01-preview
{
"properties": {
"hybridComputeSettings": {
"autoProvision": "Off"
},
"authenticationDetails": {
"authenticationType": "gcpCredentials",
"organizationId": "AscDemoOrg",
"type": "service_account",
"projectId": "asc-project-1234",
"privateKeyId": "6efg587hra2568as34d22326b044cc20dc2af",
"privateKey": "******",
"clientEmail": "asc-135@asc-project-1234.iam.gserviceaccount.com",
"clientId": "105889053725632919854",
"authUri": "https://accounts.google.com/o/oauth2/auth",
"tokenUri": "https://oauth2.googleapis.com/token",
"authProviderX509CertUrl": "https://www.googleapis.com/oauth2/v1/certs",
"clientX509CertUrl": "https://www.googleapis.com/robot/v1/metadata/x509/asc-135%40asc-project-1234.iam.gserviceaccount.com"
}
}
}
import com.azure.resourcemanager.security.models.AutoProvision;
import com.azure.resourcemanager.security.models.GcpCredentialsDetailsProperties;
import com.azure.resourcemanager.security.models.HybridComputeSettingsProperties;
/**
* Samples for Connectors CreateOrUpdate.
*/
public final class Main {
/*
* x-ms-original-file:
* specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/
* CreateUpdateGcpCredentialsConnectorSubscription_example.json
*/
/**
* Sample code: gcpCredentials - Create a cloud account connector for a subscription.
*
* @param manager Entry point to SecurityManager.
*/
public static void gcpCredentialsCreateACloudAccountConnectorForASubscription(
com.azure.resourcemanager.security.SecurityManager manager) {
manager.connectors().define("gcp_dev")
.withHybridComputeSettings(new HybridComputeSettingsProperties().withAutoProvision(AutoProvision.OFF))
.withAuthenticationDetails(new GcpCredentialsDetailsProperties().withOrganizationId("AscDemoOrg")
.withType("service_account").withProjectId("asc-project-1234").withPrivateKeyId("fakeTokenPlaceholder")
.withPrivateKey("fakeTokenPlaceholder")
.withClientEmail("asc-135@asc-project-1234.iam.gserviceaccount.com")
.withClientId("105889053725632919854").withAuthUri("https://accounts.google.com/o/oauth2/auth")
.withTokenUri("fakeTokenPlaceholder")
.withAuthProviderX509CertUrl("https://www.googleapis.com/oauth2/v1/certs").withClientX509CertUrl(
"https://www.googleapis.com/robot/v1/metadata/x509/asc-135%40asc-project-1234.iam.gserviceaccount.com"))
.create();
}
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
package armsecurity_test
import (
"context"
"log"
"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)
// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json
func ExampleAccountConnectorsClient_CreateOrUpdate_gcpCredentialsCreateACloudAccountConnectorForASubscription() {
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
log.Fatalf("failed to obtain a credential: %v", err)
}
ctx := context.Background()
clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
if err != nil {
log.Fatalf("failed to create client: %v", err)
}
res, err := clientFactory.NewAccountConnectorsClient().CreateOrUpdate(ctx, "gcp_dev", armsecurity.ConnectorSetting{
Properties: &armsecurity.ConnectorSettingProperties{
AuthenticationDetails: &armsecurity.GcpCredentialsDetailsProperties{
AuthenticationType: to.Ptr(armsecurity.AuthenticationTypeGcpCredentials),
Type: to.Ptr("service_account"),
AuthProviderX509CertURL: to.Ptr("https://www.googleapis.com/oauth2/v1/certs"),
AuthURI: to.Ptr("https://accounts.google.com/o/oauth2/auth"),
ClientEmail: to.Ptr("asc-135@asc-project-1234.iam.gserviceaccount.com"),
ClientID: to.Ptr("105889053725632919854"),
ClientX509CertURL: to.Ptr("https://www.googleapis.com/robot/v1/metadata/x509/asc-135%40asc-project-1234.iam.gserviceaccount.com"),
OrganizationID: to.Ptr("AscDemoOrg"),
PrivateKey: to.Ptr("******"),
PrivateKeyID: to.Ptr("6efg587hra2568as34d22326b044cc20dc2af"),
ProjectID: to.Ptr("asc-project-1234"),
TokenURI: to.Ptr("https://oauth2.googleapis.com/token"),
},
HybridComputeSettings: &armsecurity.HybridComputeSettingsProperties{
AutoProvision: to.Ptr(armsecurity.AutoProvisionOff),
},
},
}, nil)
if err != nil {
log.Fatalf("failed to finish the request: %v", err)
}
// You could use response here. We use blank identifier for just demo purposes.
_ = res
// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
// res.ConnectorSetting = armsecurity.ConnectorSetting{
// Name: to.Ptr("gcp_dev"),
// Type: to.Ptr("Microsoft.Security/connectors"),
// ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/gcp_dev"),
// Properties: &armsecurity.ConnectorSettingProperties{
// AuthenticationDetails: &armsecurity.GcpCredentialsDetailsProperties{
// AuthenticationProvisioningState: to.Ptr(armsecurity.AuthenticationProvisioningStateValid),
// AuthenticationType: to.Ptr(armsecurity.AuthenticationTypeGcpCredentials),
// GrantedPermissions: []*armsecurity.PermissionProperty{
// to.Ptr(armsecurity.PermissionPropertyGCPSecurityCenterAdminViewer)},
// Type: to.Ptr(""),
// AuthProviderX509CertURL: to.Ptr(""),
// AuthURI: to.Ptr(""),
// ClientEmail: to.Ptr(""),
// ClientID: to.Ptr(""),
// ClientX509CertURL: to.Ptr(""),
// OrganizationID: to.Ptr("AscDemoOrg"),
// PrivateKey: to.Ptr(""),
// PrivateKeyID: to.Ptr(""),
// ProjectID: to.Ptr(""),
// TokenURI: to.Ptr(""),
// },
// HybridComputeSettings: &armsecurity.HybridComputeSettingsProperties{
// AutoProvision: to.Ptr(armsecurity.AutoProvisionOff),
// HybridComputeProvisioningState: to.Ptr(armsecurity.HybridComputeProvisioningStateInvalid),
// Region: to.Ptr(""),
// ResourceGroupName: to.Ptr(""),
// },
// },
// }
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");
/**
* This sample demonstrates how to Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
*
* @summary Create a cloud account connector or update an existing one. Connect to your cloud account. For AWS, use either account credentials or role-based authentication. For GCP, use account organization credentials.
* x-ms-original-file: specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json
*/
async function gcpCredentialsCreateACloudAccountConnectorForASubscription() {
const subscriptionId =
process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
const connectorName = "gcp_dev";
const connectorSetting = {
authenticationDetails: {
type: "service_account",
authProviderX509CertUrl: "https://www.googleapis.com/oauth2/v1/certs",
authUri: "https://accounts.google.com/o/oauth2/auth",
authenticationType: "gcpCredentials",
clientEmail: "asc-135@asc-project-1234.iam.gserviceaccount.com",
clientId: "105889053725632919854",
clientX509CertUrl:
"https://www.googleapis.com/robot/v1/metadata/x509/asc-135%40asc-project-1234.iam.gserviceaccount.com",
organizationId: "AscDemoOrg",
privateKey: "******",
privateKeyId: "6efg587hra2568as34d22326b044cc20dc2af",
projectId: "asc-project-1234",
tokenUri: "https://oauth2.googleapis.com/token",
},
hybridComputeSettings: { autoProvision: "Off" },
};
const credential = new DefaultAzureCredential();
const client = new SecurityCenter(credential, subscriptionId);
const result = await client.connectors.createOrUpdate(connectorName, connectorSetting);
console.log(result);
}
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.SecurityCenter.Models;
using Azure.ResourceManager.SecurityCenter;
// Generated from example definition: specification/security/resource-manager/Microsoft.Security/preview/2020-01-01-preview/examples/Connectors/CreateUpdateGcpCredentialsConnectorSubscription_example.json
// this example is just showing the usage of "Connectors_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.
// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);
// this example assumes you already have this SubscriptionResource created on azure
// for more information of creating SubscriptionResource, please refer to the document of SubscriptionResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
ResourceIdentifier subscriptionResourceId = SubscriptionResource.CreateResourceIdentifier(subscriptionId);
SubscriptionResource subscriptionResource = client.GetSubscriptionResource(subscriptionResourceId);
// get the collection of this SecurityCloudConnectorResource
SecurityCloudConnectorCollection collection = subscriptionResource.GetSecurityCloudConnectors();
// invoke the operation
string connectorName = "gcp_dev";
SecurityCloudConnectorData data = new SecurityCloudConnectorData
{
HybridComputeSettings = new HybridComputeSettingsProperties(AutoProvisionState.Off),
AuthenticationDetails = new GcpCredentialsDetailsProperties(
"AscDemoOrg",
"service_account",
"asc-project-1234",
"6efg587hra2568as34d22326b044cc20dc2af",
"******",
"asc-135@asc-project-1234.iam.gserviceaccount.com",
"105889053725632919854",
new Uri("https://accounts.google.com/o/oauth2/auth"),
new Uri("https://oauth2.googleapis.com/token"),
new Uri("https://www.googleapis.com/oauth2/v1/certs"),
new Uri("https://www.googleapis.com/robot/v1/metadata/x509/asc-135%40asc-project-1234.iam.gserviceaccount.com")),
};
ArmOperation<SecurityCloudConnectorResource> lro = await collection.CreateOrUpdateAsync(WaitUntil.Completed, connectorName, data);
SecurityCloudConnectorResource result = lro.Value;
// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityCloudConnectorData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");
To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue
Sample response
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/connectors/gcp_dev",
"name": "gcp_dev",
"type": "Microsoft.Security/connectors",
"properties": {
"hybridComputeSettings": {
"hybridComputeProvisioningState": "Invalid",
"autoProvision": "Off",
"resourceGroupName": "",
"region": "",
"proxyServer": null,
"servicePrincipal": null
},
"authenticationDetails": {
"authenticationProvisioningState": "Valid",
"grantedPermissions": [
"GCP::Security Center Admin Viewer"
],
"authenticationType": "gcpCredentials",
"organizationId": "AscDemoOrg",
"type": "",
"projectId": "",
"privateKeyId": "",
"privateKey": "",
"clientEmail": "",
"clientId": "",
"authUri": "",
"tokenUri": "",
"authProviderX509CertUrl": "",
"clientX509CertUrl": ""
}
}
}
Definitions
authenticationProvisioningState
Enumeration
State of the multi-cloud connector
| Value |
Description |
|
Valid
|
Valid connector
|
|
Invalid
|
Invalid connector
|
|
Expired
|
the connection has expired
|
|
IncorrectPolicy
|
Incorrect policy of the connector
|
autoProvision
Enumeration
Whether or not to automatically install Azure Arc (hybrid compute) agents on machines
| Value |
Description |
|
On
|
Install missing Azure Arc agents on machines automatically
|
|
Off
|
Do not install Azure Arc agent on the machines automatically
|
AwAssumeRoleAuthenticationDetailsProperties
Object
AWS cloud account connector based assume role, the role enables delegating access to your AWS resources. The role is composed of role Amazon Resource Name (ARN) and external ID. For more details, refer to Creating a Role to Delegate Permissions to an IAM User (write only)
| Name |
Type |
Description |
|
accountId
|
string
|
The ID of the cloud account
|
|
authenticationProvisioningState
|
authenticationProvisioningState
|
State of the multi-cloud connector
|
|
authenticationType
|
string:
awsAssumeRole
|
Connect to your cloud account, for AWS use either account credentials or role-based authentication. For GCP use account organization credentials.
|
|
awsAssumeRoleArn
|
string
|
Assumed role ID is an identifier that you can use to create temporary security credentials.
|
|
awsExternalId
|
string
|
A unique identifier that is required when you assume a role in another account.
|
|
grantedPermissions
|
PermissionProperty[]
|
The permissions detected in the cloud account.
|
AwsCredsAuthenticationDetailsProperties
Object
AWS cloud account connector based credentials, the credentials is composed of access key ID and secret key, for more details, refer to Creating an IAM User in Your AWS Account (write only)
| Name |
Type |
Description |
|
accountId
|
string
|
The ID of the cloud account
|
|
authenticationProvisioningState
|
authenticationProvisioningState
|
State of the multi-cloud connector
|
|
authenticationType
|
string:
awsCreds
|
Connect to your cloud account, for AWS use either account credentials or role-based authentication. For GCP use account organization credentials.
|
|
awsAccessKeyId
|
string
|
Public key element of the AWS credential object (write only)
|
|
awsSecretAccessKey
|
string
|
Secret key element of the AWS credential object (write only)
|
|
grantedPermissions
|
PermissionProperty[]
|
The permissions detected in the cloud account.
|
CloudError
Object
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
| Name |
Type |
Description |
|
error.additionalInfo
|
ErrorAdditionalInfo[]
|
The error additional info.
|
|
error.code
|
string
|
The error code.
|
|
error.details
|
CloudErrorBody[]
|
The error details.
|
|
error.message
|
string
|
The error message.
|
|
error.target
|
string
|
The error target.
|
CloudErrorBody
Object
The error detail.
| Name |
Type |
Description |
|
additionalInfo
|
ErrorAdditionalInfo[]
|
The error additional info.
|
|
code
|
string
|
The error code.
|
|
details
|
CloudErrorBody[]
|
The error details.
|
|
message
|
string
|
The error message.
|
|
target
|
string
|
The error target.
|
ConnectorSetting
Object
The connector setting
| Name |
Type |
Description |
|
id
|
string
|
Resource Id
|
|
name
|
string
|
Resource name
|
|
properties.authenticationDetails
|
AuthenticationDetailsProperties:
|
Settings for authentication management, these settings are relevant only for the cloud connector.
|
|
properties.hybridComputeSettings
|
HybridComputeSettingsProperties
|
Settings for hybrid compute management. These settings are relevant only for Arc autoProvision (Hybrid Compute).
|
|
type
|
string
|
Resource type
|
ErrorAdditionalInfo
Object
The resource management error additional info.
| Name |
Type |
Description |
|
info
|
object
|
The additional info.
|
|
type
|
string
|
The additional info type.
|
GcpCredentialsDetailsProperties
Object
GCP cloud account connector based service to service credentials, the credentials are composed of the organization ID and a JSON API key (write only)
| Name |
Type |
Description |
|
authProviderX509CertUrl
|
string
|
Auth provider x509 certificate URL field of the API key (write only)
|
|
authUri
|
string
|
Auth URI field of the API key (write only)
|
|
authenticationProvisioningState
|
authenticationProvisioningState
|
State of the multi-cloud connector
|
|
authenticationType
|
string:
gcpCredentials
|
Connect to your cloud account, for AWS use either account credentials or role-based authentication. For GCP use account organization credentials.
|
|
clientEmail
|
string
|
Client email field of the API key (write only)
|
|
clientId
|
string
|
Client ID field of the API key (write only)
|
|
clientX509CertUrl
|
string
|
Client x509 certificate URL field of the API key (write only)
|
|
grantedPermissions
|
PermissionProperty[]
|
The permissions detected in the cloud account.
|
|
organizationId
|
string
|
The organization ID of the GCP cloud account
|
|
privateKey
|
string
|
Private key field of the API key (write only)
|
|
privateKeyId
|
string
|
Private key ID field of the API key (write only)
|
|
projectId
|
string
|
Project ID field of the API key (write only)
|
|
tokenUri
|
string
|
Token URI field of the API key (write only)
|
|
type
|
string
|
Type field of the API key (write only)
|
hybridComputeProvisioningState
Enumeration
State of the service principal and its secret
| Value |
Description |
|
Valid
|
Valid service principal details.
|
|
Invalid
|
Invalid service principal details.
|
|
Expired
|
the service principal details are expired
|
HybridComputeSettingsProperties
Object
Settings for hybrid compute management
| Name |
Type |
Description |
|
autoProvision
|
autoProvision
|
Whether or not to automatically install Azure Arc (hybrid compute) agents on machines
|
|
hybridComputeProvisioningState
|
hybridComputeProvisioningState
|
State of the service principal and its secret
|
|
proxyServer
|
ProxyServerProperties
|
For a non-Azure machine that is not connected directly to the internet, specify a proxy server that the non-Azure machine can use.
|
|
region
|
string
|
The location where the metadata of machines will be stored
|
|
resourceGroupName
|
string
|
The name of the resource group where Arc (Hybrid Compute) connectors are connected.
|
|
servicePrincipal
|
ServicePrincipalProperties
|
An object to access resources that are secured by an Azure AD tenant.
|
PermissionProperty
Enumeration
A permission detected in the cloud account.
| Value |
Description |
|
AWS::AWSSecurityHubReadOnlyAccess
|
This permission provides read only access to AWS Security Hub resources.
|
|
AWS::SecurityAudit
|
This permission grants access to read security configuration metadata.
|
|
AWS::AmazonSSMAutomationRole
|
The permission provides for EC2 Automation service to execute activities defined within Automation documents.
|
|
GCP::Security Center Admin Viewer
|
This permission provides read only access to GCP Security Command Center.
|
ProxyServerProperties
Object
For a non-Azure machine that is not connected directly to the internet, specify a proxy server that the non-Azure machine can use.
| Name |
Type |
Description |
|
ip
|
string
|
Proxy server IP
|
|
port
|
string
|
Proxy server port
|
ServicePrincipalProperties
Object
Details of the service principal.
| Name |
Type |
Description |
|
applicationId
|
string
|
Application ID of service principal.
|
|
secret
|
string
|
A secret string that the application uses to prove its identity, also can be referred to as application password (write only).
|