New-RubrikAPIToken returns Invoke-WebRequest : Request needs authentication!

[MahdiEslami]

Current Behavior:
When using Connect-Rubrik and Toekn to conenct to Rubrik cluster and trying to create new Token in same session,
The command New-RubrikAPIToken fails and returns "Invoke-WebRequest : Request needs authentication!"

Provide information about the failure by issuing the command using the -Verbose command. Ensure that any identifiable information (server names, tokens, passwords) is removed from your logs before sharing this on GitHub.

1. $RubrikAPIToken = Get-AzKeyVaultSecret -VaultName $AKV -Name $SecretName -AsPlainText
2. Connect-Rubrik -Server $RubrikClusterName -Token $RubrikAPIToken (Successfull)
3. Get-RubrikAPIToken -Verbose (Sucessfull)
4. New-RubrikAPIToken -Tag "TestToken-01" -Expiration 100 -Verbose (ERROR)

Paste the verbose output from the command here

New-RubrikAPIToken -Tag "TestToken-01" -Expiration 100 -Verbose
VERBOSE: Validate the Rubrik token exists
VERBOSE: Found a Rubrik token for authentication
VERBOSE: Gather API Data for New-RubrikAPIToken
VERBOSE: Selected 5.0 API Data for New-RubrikAPIToken
VERBOSE: Load API data for New-RubrikAPIToken
VERBOSE: Description: Create an API Token
VERBOSE: Build the URI
VERBOSE: URI = https://rubrikcluster.mydomain.com/api/internal/session
VERBOSE: Build the query parameters for
VERBOSE: URI = https://rubrikcluster.mydomain.com/api/internal/session
VERBOSE: Body = {
"initParams": {
"apiToken": {
"tag": "TestToken-01",
"expiration": 100
}
}
}
VERBOSE: Submitting the request
VERBOSE: Submitting "Post" request as "text/plain; charset=utf-8"
VERBOSE: Invoking request with a custom timeout of 100 seconds
VERBOSE: POST https://rubrikcluster.mydomain.com/api/internal/session with -1-byte payload
Invoke-WebRequest : Request needs authentication!
At C:\Users\UserName\Documents\WindowsPowerShell\Modules\Rubrik\Private\Invoke-RubrikWebRequest.ps1:36 char:23

• ... $result = Invoke-WebRequest -UseBasicParsing -TimeoutSec $rubrikOpt ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
  • FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Expected Behavior:

New-RubrikAPIToken uses curernt Token as authentication and don't requests authenticatino again.

Steps to Reproduce:

Please provide detailed steps for reproducing the issue.

1. Step 1 Connect-Rubrik -Server $RubrikClusterName -Token $RubrikAPIToken (Successfull)
2. Step 2 New-RubrikAPIToken -Tag "TestToken-01" -Expiration 100 -Verbose
3. Step 3 (and so on)

Context:

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

• Rubrik PowerShell Module Version: Use Get-Module -ListAvailable Rubrik
• 6.0.1
• PowerShell Version: Use $PSVersiontable.PSVersion
• 5.1
• Operating System: Use $PSVersiontable.PSVersion on PowerShell 6 and later, use (Get-WMIObject win32_operatingsystem).Name for Windows PowerShell
• Microsoft Windows Server 2019

Failure Logs

Please include any relevant log snippets or files here, IMPORTANT all information will be visible publicly on GitHub. Do not include computer or user names, passwords, API tokens or any identifiable information when submitting failure logs.

[MahdiEslami]

.EXAMPLE
New-RubrikAPIToken -Expiration 10080 -Tag "Dev Org Weekly Token" -OrganizationId "Organization:::11111111-2222-3333-4444-555555555555"
This will generate a new API Token named "Dev Org Weekly Token" that lasts for 10080 minutes (7 days) in the organization matching id value "Organization:::11111111-2222-3333-4444-555555555555".
This assumes that the current session that is requested the token has authority in that organization.

What authority or role is needed for New-RubrikAPIToken?

[supersjimmie]

We see the same issue here.
Also tried with more direct API calls:

$$token = …(my current token)…
$headers = @{
         'Authorization' = "Bearer $($token)"
       }

$par = @{
       'initParams'= @{
         'apiToken'= @{
            'expiration'= '3600'
            'tag'= 'API Generated Token'
         }
       }
    }

Then use Get-RubrikUser to fetch my User_ID
And then:

$res = invoke-webrequest -Headers $headers -Method POST -Uri "https://rubrika.mydomain.com/api/internal/session?user_id=...(user_ID)..." -Body $par

invoke-webrequest : Request needs authentication!

[gabriellus]

I'm attempting to use a Service Account (with Administrator Role), and have the same problem/error message. It is unlikely an authority issue.

[labradoe]

Any work around for this issue?

[ESOGenics]

I have ran into the same issue. I have tried passing creds several different ways. If you make the call manually using the api address and passing creds it will return the key. However, if you're using this powershell command it has the error.

VERBOSE: Validate the Rubrik token exists
VERBOSE: Found a Rubrik token for authentication
VERBOSE: Gather API Data for New-RubrikAPIToken
VERBOSE: Selected 5.0 API Data for New-RubrikAPIToken
VERBOSE: Load API data for New-RubrikAPIToken
VERBOSE: Description: Create an API Token
VERBOSE: Build the URI
VERBOSE: URI = https://servername/api/internal/session
VERBOSE: Build the query parameters for <null>
VERBOSE: URI = https://servername/api/internal/session
VERBOSE: Body = {
"initParams": {
"apiToken": {
"tag": "1 Day Token",
"expiration": 1440
}
}
}
VERBOSE: Submitting the request
VERBOSE: Submitting "Post" request as "text/plain; charset=utf-8"
VERBOSE: Invoking request with a custom timeout of 100 seconds
VERBOSE: POST with -1-byte payload