Access keys

Prisma Cloud keys are required to access twistcli and the Compute API. They’re also required to set up the Jenkins plugin.
It’s critical that access keys are provisioned with the minimum permissions required for the job.
Prisma Cloud Enterprise has two major security modules:
  • Cloud Security Posture Management (CSPM) — Ensures continuous, correct, and compliant configuration of your resources in the public cloud.
  • Cloud Workload Protection Platform (CWPP) — Provides consistent visibility and control for physical machines, virtual machines, containers and serverless workloads, regardless of location, and protects the workloads they run from attacks.
The CSPM module is accessed through Prisma Cloud’s main interface (outer management interface). The CWPP module is accessed through the Compute tab (inner management interface, also known as Prisma Cloud Compute, or just Compute). User management, such as integrating single sign-on, setting up custom roles, and creating access keys, is handled by the outer interface.
The RBAC models for the Prisma Cloud outer interface (CSPM) and Prisma Cloud inner interface (CWPP) have different design goals. The CSPM RBAC model controls who has access to the various cloud accounts added to the system. The CWPP RBAC model controls who has access to policy and lets you segment who can see what data. For example, Assigned Collections let you segment views by namespace.
When you create an access key in Prisma Cloud (outer interface), the system automatically creates a no-privilege key for you in Prisma Cloud Compute. Then in the Prisma Cloud Compute interface, you must explicitly map the key to one of the Prisma Cloud Compute roles.
It’s critical that keys created for automated workflows are properly privileged on both sides.

Scanning in the CI/CD pipeline

When integrating the Jenkins plugin or twistcli into your CI/CD pipeline, configure a key with the CI User role on the Compute side. The scanner authenticates to the Compute Console’s API to assess vulnerability and compliance data. The CI User role is purpose-built for this use case. It’s also the least privileged role in the system.

Compute API

For other automated workflows, consult the Compute API documentation. The documentation specifies the minimum role required to access each endpoint.

Provision an access key

When provisioning an access key for use in Compute workflows, first create a user with a very limited role in Prisma Cloud. Then log into Prisma Cloud as the limited user and create an access key. Prisma Cloud automatically imports the access key into Compute, but leaves it unmapped (no privileges). Log into Prisma Cloud with a user with System Admin level privileges, go to the Compute Console, and map a Compute role to the access key. Only users with System Admin can access the Compute tab, and only System Admins can alter settings in the Compute tab.
You can review the list of mapped and unmapped access keys in Compute under the Manage > Authentication > Prisma Cloud Access Key Mapping tab.
  1. Log into Prisma Cloud with a user that has the System Admin role.
    Only System Admins can manage users.
  2. Create a very limited role in Prisma Cloud that can’t do anything except log into Prisma Cloud.
    It will have read-only permissions with no access to any cloud account. This role will be assigned to your service account.
    1. In Prisma Cloud, go to Settings > Roles.
    2. Click Add New.
    3. In Name, enter an identifier, such as compute-svc-acct-role.
    4. In Permissions Group, select Account Group Read Only.
    5. Leave Account Groups with its default setting, which is 0 Account Groups Selected.
    6. Click Save.
  3. Create a service account.
    1. In Prisma Cloud, go to Settings > Users.
    2. Click Add New.
    3. Enter a First Name, Last Name, and Email.
    4. In Assign Role, select compute-svc-acct-role.
    5. Select Allow user to create API Access Keys.
    6. Click Save.
  4. (Optional) Allow your service account to authenticate directly with Prisma Cloud.
    If you’ve integrated Prisma Cloud with a directory service, creating a new user in your underlying auth provider can be tedious in some enterprise environments. Prisma Cloud lets select users authenticate directly with Prisma Cloud using their email and a password that’s registered separately after the user account is created.
    1. In Prisma Cloud, go to Settings > SSO.
    2. Enable Allow select users to authenticate directly with Prisma Cloud.
    3. In Users, select the email address you configured for your service account.
    4. Click Save.
  5. Log out of Prisma Cloud.
  6. Log back into Prisma Cloud using your newly created service account.
    If you’re bypassing SSO, click Forgot Password to set a password.
  7. Create an access key for your service account.
    1. Go to Settings > Access Keys.
    2. Click Add New.
    3. In Name, enter compute-svc-acct-key.
    4. Set the expiration date based on use case.
    5. Click Create.
    6. Save your access key ID and secret key in a safe place.
  8. Sign out of Prisma Cloud.
  9. Sign back into Prisma Cloud as a System Admin.
  10. Provision a Compute role for your access key.
    1. Go to Compute > Manage > Authentication > Prisma Cloud Access Key Mapping.
    2. Find your service account’s key in the table.
    3. Click Actions, and then set a role.
      For integrating the Jenkins plugin or twistcli into your CI pipeline, select CI User. For other automated workflows, consult the Compute API to determine the minimum role required. The minimum role required depends on the endpoints your scripts will access.

Verify your access key

After provisioning your key, you can test that it can access the Compute API. Both the Jenkins plugin and twistcli wrap the API, so hitting the API directly lets you validate that your key has the proper permissions.
The path to the Compute Console API, whether you interface with it directly (e.g. curl) or indirectly (Jenkins, twistcli), is published in Compute Console itself. Get it from Compute > Manage > System > Downloads.
  1. Get the path to your Console.
    1. Go to Compute > Manage > System > Downloads.
    2. Under Path to Console, click Copy.
  2. Access an endpoint for which your key is authorized.
    CI Users have permission to download the twistcli binary from the API, so this is a good test when setting up your CI pipeline. You can authenticate to the API using basic auth. For the username and password, specify the access key ID and secret key respectively. Both of these were generated for you when you first created the key.
    $ curl -k -u '<ACCESS_KEY_ID>:<SECRET_KEY>' -o twistcli '<PATH_TO_CONSOLE>/api/v1/util/twistcli'
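To run the same check from a CI step, here is an added example script (not from the Prisma Cloud documentation) that reads the key ID and secret from environment variables instead of the command line, verifies the Console’s TLS certificate rather than skipping verification with -k, and reports whether the key is authorized for the twistcli download endpoint the page uses. The variable names PRISMA_ACCESS_KEY_ID, PRISMA_SECRET_KEY and PRISMA_CA_BUNDLE are assumptions, and the status-to-diagnosis mapping follows standard HTTP semantics.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud docs): check that an access key is
# mapped to a Compute role by calling an endpoint the CI User role may use,
# the twistcli download. Credentials come from the environment (variable
# names are assumptions) so they never appear in the process list or history.
set -eu

# Build the Compute API URL from the "Path to Console" value copied from
# Manage > System > Downloads; a trailing slash on the path is tolerated.
api_url() {
  printf '%s/api/v1/%s' "${1%/}" "$2"
}

# Turn the HTTP status into a diagnosis an operator can act on. The mapping
# follows standard HTTP semantics; the Console's response body carries the
# exact reason when a call is rejected.
classify_status() {
  case "$1" in
    200) echo "ok: key accepted and its role may call this endpoint" ;;
    401) echo "unauthorized: credentials rejected (wrong ID/secret or expired key)" ;;
    403) echo "forbidden: key authenticated but its mapped Compute role does not permit this endpoint; check Access Key Mapping" ;;
    *)   echo "unexpected HTTP status $1; check the Console path and network" ;;
  esac
}

# Perform the check. Returns 0 only on HTTP 200. The body is discarded, so
# the binary is not written to disk just to test the key. TLS is verified
# against the system trust store, or against PRISMA_CA_BUNDLE if set.
verify_key() {
  console="$1"
  url=$(api_url "$console" "util/twistcli")
  set -- -sS -o /dev/null -w '%{http_code}' \
         -u "${PRISMA_ACCESS_KEY_ID}:${PRISMA_SECRET_KEY}"
  if [ -n "${PRISMA_CA_BUNDLE:-}" ]; then
    set -- "$@" --cacert "$PRISMA_CA_BUNDLE"
  fi
  # curl exits non-zero only on transport failure; "000" marks that case.
  status=$(curl "$@" "$url") || status="000"
  classify_status "$status"
  [ "$status" = "200" ]
}

# Usage: PRISMA_ACCESS_KEY_ID=... PRISMA_SECRET_KEY=... ./verify_key.sh <PATH_TO_CONSOLE>
if [ "$#" -gt 0 ]; then
  verify_key "$1"
fi
```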
