Welcome to Knowledge Base

TABLE OF CONTENTS

• Introduction
• Aqua CSPM platform
• Aqua CSPM API vs. Aqua Enterprise API (Workload Protection)
• SSO Authentication
• How to collect the token from CSPM API to authenticate with Enterprise API (Workload Protection)
• How to connect to Enterprise API (Workload Protection) using the Bearer Token generated by the CSPM API
  • How to find the Aqua Enterprise (Workload Protection) API link
  • Authentication method
  • API call method for authentication with Aqua Enterprise
  • Response

Introduction

This article explains how to connect and authenticate to the Aqua Enterprise API in the CSPM platform.

Aqua CSPM platform

The Aqua CSPM platform is comprised of two integrated products:

• The Aqua CSPM platform, which is the comprehensive solution for multi-cloud security posture management (check the official link below for more information)
• The "Workload Protection" module (see image below) which is the integrated version of the Aqua Enterprise with the Aqua CSPM interface.

To learn more about CSPM, please go to https://www.aquasec.com/products/cspm/.

Aqua CSPM API vs. Aqua Enterprise API (Workload Protection)

There are two APIs present in this solution:

• Aqua CSPM API 
• Aqua Enterprise API (Workload Protection)

Although we use both APIs, the main idea would be to just use the first API (CSPM) to generate the token the authentication so we can access Aqua Enterprise API (Workload Protection).

SSO Authentication

Important: So far, authentication through the API for users who use SSO exclusively is not supported, and the authentication method described in this tutorial requires the user to authenticate to Aqua CSPM using a username and password.

For users who have chosen to use the SSO feature to authenticate themselves, there is a workaround that can be found at How to authenticate to Aqua CSPM API (api.cloudsploit.com) for users with SSO authentication method enabled.

How to collect the token from CSPM API to authenticate with Enterprise API (Workload Protection)

To create the token, first access the Aqua CSPM platform API through the link below:

https://api.cloudsploit.com/v2/signin

Now it is necessary to use the POST method using the curl command to send the variables email and password so that the API returns the Bearer Token necessary for authentication with the API of Aqua Enterprise API (Workload Protection).

API call to generate the bearer token

curl --location --request POST 'https://api.cloudsploit.com/v2/signin' \
    --header 'Content-Type: application/json' \
    --data-raw '{"email": "your_email@email.com","password": "your_password"}'

{
    "status": 200,
    "code": 0,
    "data": {
        "token": 
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiYWNjb3VudF9pZCI6NDg3MywiYWNjb3VudF9hZG1pbiI6dHJ1ZSwicGxhbiI6ImVudGVycHJpc2UiLCJ0cmlhbF9lbmQiOm51bGwsInVzZR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiSJdLCJ1c2VyX2dyb3Vwc19hZG1pbiI6W10sImNzcF9lbmFibGVkIjp0cnVlLCJjc3BfbWV0YWRhdGEiOnsidXJscyI6eyJlc2VfdXJsIjoiZTR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywimNvbSIsImVzZV9nd191cmwiOiJlMTFkNTE1YmZiLWd3LmNsb3VkLmFxdWFzZWMuY29tIn19LCJjc3Bfcm9sZXMiOm51bGwsImNzcG1fdXJR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiVhc2VjLmNvbSIsImV4cCI6MTYzNzY4MTY5MCwiYXVkaXQiOnRydWUsImlhdCI6MTYzNzY3ODA5MH0.e7TcRhxTwAMV9UaJoC-5d8_lFScQ7v4Ep9vKwyFHS9DoXQ57X5dDgJ_KNjLrtIwQTRxGLHm1lIVnmA93yTmH4yrRePs7AW4zDFA-fwaPW2901yqHsFhyYWhU7WDa4T8OpDow67EZ1kah7MqfUaFXO3aOWXyt7inI1VyRZnjPUkOqfkikGVuXn4LJ80hts_p-RdQRb1avC6vMzVPY5lWgSvWiqVaDHjFqJ96LJC6sbcOP_qUBG-yArZGPDReJGEB4Ri0teX5De0BTRUBN6hIN_eisD4B6z0RwSjuuB0C0Gew6wmQYNPbek-I3o7s7rNvmcuYETHxCXuYE56d2OUZQ",
        "account_id": 2273,
        "user_id": 13077,
        "account_admin": true,
        "trial_end": null,
        "email": "your_email@email.com"
    }
}

How to connect to Enterprise API (Workload Protection) using the Bearer Token generated by the CSPM API

How to find the Aqua Enterprise (Workload Protection) API link

Connect to the Aqua CSPM platform through the link https://cloud.aquasec.com, then select the option "Workload Protection", and once you access the Enterprise (Workload Protection) interface, collect the link to your Enterprise environment cloud so we can use it together with Bearer Token to authenticate so we can make API requests.

Authentication method

Once the previous Bearer Token creation process was executed successfully, it is necessary to send the token as a parameter in the header of the POST or GET method, as shown in the example below.

API call method for authentication with Aqua Enterprise

curl --location --request GET 'https://e11d5.cloud.aquasec.com/api/v1/registries' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiYWNjb3VudF9pZCI6NDg3MywiYWNjb3VudF9hZG1pbiI6dHJ1ZSwicGxhbiI6ImVudGVycHJpc2UiLCJ0cmlhbF9lbmQiOm51bGwsInVzZXJfZ3JvdXBzX3VzZXIiOlsiNTQ2MSJdLCJ1c2VyX2dyb3Vwc19hZG1p'

Response