

Introduction


This article explains how to connect and authenticate to the Aqua Enterprise API in the CSPM platform.


Aqua CSPM platform


The Aqua CSPM platform consists of two integrated products:

  • The Aqua CSPM platform, which is the comprehensive solution for multi-cloud security posture management (see the official link below for more information)
  • The "Workload Protection" module (see image below), which is the version of Aqua Enterprise integrated with the Aqua CSPM interface.





To learn more about CSPM, please go to https://www.aquasec.com/products/cspm/.



Aqua CSPM API vs. Aqua Enterprise API (Workload Protection)


There are two APIs present in this solution:

  • Aqua CSPM API 
  • Aqua Enterprise API (Workload Protection)

Although both APIs are used, the first API (CSPM) is needed only to generate the authentication token, which is then used to access the Aqua Enterprise API (Workload Protection).



SSO Authentication



Important: This step cannot be done manually by the user. The user must create a ticket directly with Aqua support for this option to be modified according to the customer's request.

For users who have chosen to use the SSO feature to authenticate themselves, there is a workaround described in the article "How to authenticate to Aqua CSPM API (api.cloudsploit.com) for users with SSO authentication method enabled".



How to collect the token from CSPM API to authenticate with Enterprise API (Workload Protection)


To create the token, first access the Aqua CSPM platform API through the link below:


https://api.cloudsploit.com/v2/signin


Send a POST request, here with the curl command, containing the email and password fields. The API returns the Bearer Token required to authenticate with the Aqua Enterprise API (Workload Protection).


API call to generate the bearer token


curl --location --request POST 'https://api.cloudsploit.com/v2/signin' \
    --header 'Content-Type: application/json' \
    --data-raw '{"email": "your_email@email.com","password": "your_password"}'


Response


{
    "status": 200,
    "code": 0,
    "data": {
        "token": 
"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiYWNjb3VudF9pZCI6NDg3MywiYWNjb3VudF9hZG1pbiI6dHJ1ZSwicGxhbiI6ImVudGVycHJpc2UiLCJ0cmlhbF9lbmQiOm51bGwsInVzZR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiSJdLCJ1c2VyX2dyb3Vwc19hZG1pbiI6W10sImNzcF9lbmFibGVkIjp0cnVlLCJjc3BfbWV0YWRhdGEiOnsidXJscyI6eyJlc2VfdXJsIjoiZTR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywimNvbSIsImVzZV9nd191cmwiOiJlMTFkNTE1YmZiLWd3LmNsb3VkLmFxdWFzZWMuY29tIn19LCJjc3Bfcm9sZXMiOm51bGwsImNzcG1fdXJR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiVhc2VjLmNvbSIsImV4cCI6MTYzNzY4MTY5MCwiYXVkaXQiOnRydWUsImlhdCI6MTYzNzY3ODA5MH0.e7TcRhxTwAMV9UaJoC-5d8_lFScQ7v4Ep9vKwyFHS9DoXQ57X5dDgJ_KNjLrtIwQTRxGLHm1lIVnmA93yTmH4yrRePs7AW4zDFA-fwaPW2901yqHsFhyYWhU7WDa4T8OpDow67EZ1kah7MqfUaFXO3aOWXyt7inI1VyRZnjPUkOqfkikGVuXn4LJ80hts_p-RdQRb1avC6vMzVPY5lWgSvWiqVaDHjFqJ96LJC6sbcOP_qUBG-yArZGPDReJGEB4Ri0teX5De0BTRUBN6hIN_eisD4B6z0RwSjuuB0C0Gew6wmQYNPbek-I3o7s7rNvmcuYETHxCXuYE56d2OUZQ",
        "account_id": 2273,
        "user_id": 13077,
        "account_admin": true,
        "trial_end": null,
        "email": "your_email@email.com"
    }
}


How to connect to Enterprise API (Workload Protection) using the Bearer Token generated by the CSPM API



Connect to the Aqua CSPM platform at https://cloud.aquasec.com and select the "Workload Protection" option. Once the Enterprise (Workload Protection) interface opens, copy the URL of your Enterprise cloud environment. It is used together with the Bearer Token to authenticate API requests.








Authentication method


Once the Bearer Token has been created successfully, send it in the header of the POST or GET request, as shown in the example below.


API call method for authentication with Aqua Enterprise


curl --location --request GET 'https://e11d5.cloud.aquasec.com/api/v1/registries' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxODQ3NywiYWNjb3VudF9pZCI6NDg3MywiYWNjb3VudF9hZG1pbiI6dHJ1ZSwicGxhbiI6ImVudGVycHJpc2UiLCJ0cmlhbF9lbmQiOm51bGwsInVzZXJfZ3JvdXBzX3VzZXIiOlsiNTQ2MSJdLCJ1c2VyX2dyb3Vwc19hZG1p'


Response
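
The two calls above as one scripted flow (an added example, not code from Aqua or from the original article): it builds the sign-in request, extracts data.token, reads the token's remaining lifetime and builds the authenticated Enterprise request. Assumptions: the AQUA_EMAIL and AQUA_PASSWORD variable names, the placeholder host your-env.cloud.aquasec.com, and that the token carries the standard JWT exp claim; the sample response is constructed.

```python
import base64, json, os, time
import urllib.request

SIGNIN_URL = "https://api.cloudsploit.com/v2/signin"  # endpoint from the article

def signin_request(env=os.environ):
    """POST /v2/signin. Credentials come from AQUA_EMAIL / AQUA_PASSWORD
    (assumed variable names) so they stay out of shell history and `ps`."""
    body = {"email": env["AQUA_EMAIL"], "password": env["AQUA_PASSWORD"]}
    return urllib.request.Request(
        SIGNIN_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})

def token_from_response(raw):
    """Return data.token from the sign-in JSON, rejecting error responses."""
    doc = json.loads(raw)
    token = (doc.get("data") or {}).get("token")
    if doc.get("status") != 200 or not token:
        raise ValueError(f"sign-in failed (status={doc.get('status')!r})")
    return token

def seconds_left(token, now=None):
    """Remaining lifetime from the JWT 'exp' claim. The payload is decoded
    without signature verification: use it for refresh timing, not trust."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return int(claims["exp"] - (time.time() if now is None else now))

def enterprise_request(base_url, path, token):
    """GET against the Workload Protection URL with the bearer token."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    return urllib.request.Request(
        base_url.rstrip("/") + path, method="GET",
        headers={"Accept": "application/json",
                 "Authorization": f"Bearer {token}"})

def constructed_signin_response(exp):
    """Constructed sample shaped like the article's response (fake token)."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    token = ".".join([seg({"alg": "RS256", "typ": "JWT"}), seg({"exp": exp}), "sig"])
    return json.dumps({"status": 200, "code": 0, "data": {"token": token}})

if __name__ == "__main__":
    # Offline walk-through; for a live call pass each Request to urlopen().
    tok = token_from_response(constructed_signin_response(int(time.time()) + 3600))
    req = enterprise_request("https://your-env.cloud.aquasec.com", "/api/v1/registries", tok)
    print(req.full_url, "token valid for", seconds_left(tok), "s")
```

Because the token is a bearer credential, keep it in memory or a secrets store rather than in scripts or logs, and request a new one when seconds_left approaches zero.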