Updating Rubrik scripts to support CDM 8.0.2 service account auth

source link: https://virtuallysober.com/2023/04/04/updating-rubrik-scripts-to-support-cdm-8-0-1-service-account-auth/

Published April 4, 2023 by Joshua Stenhouse

It’s been a while, but I’m back after a couple years of semi-retirement from writing PowerShell.

The first item on my list is for those of you who have been using my Rubrik scripts all this time, only for them to finally break with the upgrade to CDM 8.0.2. Your script broke because of security improvements, and this is a good thing. No point automating anything if you have nothing to automate! The change is that CDM now requires you to use the new service account client ID and secret authentication mechanism, which is far more secure than user accounts without MFA or a token that periodically needs refreshing.

So, how do we fix your script to use the new authentication mechanism? It's really simple: we switch back to the username and password credential prompt, but what we actually store in it is your serviceAccountId and secret. Rather than go back and update each script on my blog, I think it’s easier to take you through the required edits one by one, so you know how to do it too.

Follow the instructions below to update your script:

1. Delete your existing credentials file. Open your script and find your credentials prompt:

$RubrikCredentials = Get-Credential -Message "Enter Rubrik login credentials"

And change it to this (as PowerShell doesn’t support the colons, we will hard code the User::: prefix in the auth body):

$RubrikCredentials = Get-Credential -Message "Enter client ID in user (without User:::) and client secret in password"

2. Find the session URL:

$RubrikSessionURL = $v1BaseURL + "session"

And change it to the new URL for creating a session token:

$RubrikSessionURL = $v1BaseURL + "service_account/session"

3. Find the session header:

$Header = @{"Authorization" = "Basic "+[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($RubrikUser+":"+$RubrikPassword))}

And change it to this, as we now authenticate using the request body instead of a header:

$RubrikAuthHeader = @{'Content-Type' = 'application/json';'Accept' = 'application/json';}

4. Add the following to create a new auth body containing the new user and secret, and put it before the Invoke-RestMethod call:

$RubrikAuthBody =
"{
""secret"": ""$RubrikPassword"",
""serviceAccountId"": ""User:::$RubrikUser""
}"

5. Find the session authentication API call:

$RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Headers $Header -Method POST -ContentType $Type

Change it to use the new auth body and header:

$RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Body $RubrikAuthBody -Headers $RubrikAuthHeader -Method POST -ContentType $Type

6. Run your script. You will be prompted to enter your new service account credentials (if you don’t have these, go create a new service account on the cluster). Enter your serviceAccountId in the user field, without the User::: prefix as it isn’t accepted by PowerShell, and your secret in the password field.

And that’s it! You should now be able to authenticate again, and the rest of your script will function as before. Hope you found this useful, and happy scripting.
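
The six edits above assembled into one login block, as an added PowerShell example that is not from the original post. It builds the body with ConvertTo-Json instead of a hand-written string so a secret containing quotes or backslashes still produces valid JSON; $RubrikCluster, the credentials file path, $Prompt, $RubrikSessionHeader and the `token` response property are assumptions.

```powershell
# Added example: service account login for Rubrik CDM, assembled from the steps above.
$RubrikCluster = "rubrik.example.local"                 # assumption: placeholder cluster address
$v1BaseURL = "https://" + $RubrikCluster + "/api/v1/"   # assumption: how $v1BaseURL is built
$RubrikCredentialsFile = Join-Path $HOME "RubrikServiceAccount.xml"   # assumption: file location

# Prompt once, then reuse the saved credential. On Windows, Export-Clixml
# protects the password with DPAPI, so only the same user on the same
# machine can read it back.
if (-not (Test-Path $RubrikCredentialsFile)) {
    $Prompt = "Enter client ID in user (without User:::) and client secret in password"
    Get-Credential -Message $Prompt | Export-Clixml -Path $RubrikCredentialsFile
}
$RubrikCredentials = Import-Clixml -Path $RubrikCredentialsFile
$RubrikUser = $RubrikCredentials.UserName
$RubrikPassword = $RubrikCredentials.GetNetworkCredential().Password

# Add the hard-coded prefix only if the stored ID does not already carry it
if ($RubrikUser -notlike "User:::*") { $RubrikUser = "User:::" + $RubrikUser }

$RubrikSessionURL = $v1BaseURL + "service_account/session"
$RubrikAuthHeader = @{ 'Accept' = 'application/json' }

# ConvertTo-Json escapes quotes and backslashes in the secret, which a
# hand-built JSON string would pass through unescaped and break the body
$RubrikAuthBody = @{
    serviceAccountId = $RubrikUser
    secret           = $RubrikPassword
} | ConvertTo-Json

try {
    $RubrikSessionResponse = Invoke-RestMethod -Uri $RubrikSessionURL -Method POST `
        -Headers $RubrikAuthHeader -Body $RubrikAuthBody -ContentType 'application/json'
}
catch {
    throw "Rubrik service account login failed: $($_.Exception.Message)"
}
finally {
    # Do not leave the plaintext secret in variables for the rest of the script
    Remove-Variable -Name RubrikPassword, RubrikAuthBody -ErrorAction SilentlyContinue
}

# Assumption: the response carries a 'token' property used as a bearer token,
# the same shape that scripts written for the old session endpoint expect
$RubrikSessionHeader = @{ 'Authorization' = "Bearer " + $RubrikSessionResponse.token }
```

Restrict read access on the saved credentials file to the account that runs the script, and delete the file when the service account secret is rotated so the prompt runs again.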
