Monitoring and reporting for Veeam Data Platform
Post Reply
Kazz
Expert
Posts: 162
Liked: 18 times
Joined: Feb 08, 2018 3:47 am
Full Name: Kazz Beck
Contact:

Group Managed Service Accounts (gMSA) for VBR connection

Post by Kazz »

Moderator split from post495280.html#p495280

Can Veeam One connect to VBR using gMSA to obtain backup reports?
HannesK
Product Manager
Posts: 14972
Liked: 3159 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by HannesK »

Hello,
no, that's not possible.

Best regards,
Hannes
Kazz
Expert
Posts: 162
Liked: 18 times
Joined: Feb 08, 2018 3:47 am
Full Name: Kazz Beck
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by Kazz »

Technically not possible or dev didn't get to that feature request yet? I realize that VO can't connect to vCenter with gmsa, but why can't it connect to VBR?

My VO services are running as gmsas and SQL DB connection is with gmsa, but when I upgraded to 12.1 from 12.0 I was prompted to select a user for VO service accounts and gmsa is not an option during install or upgrade. I was able to switch back to gmsa after the upgrade. why do you limit us to using non gmsa accounts during upgrade or install?
HannesK
Product Manager
Posts: 14972
Liked: 3159 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by HannesK »

Hello,
it's not implemented. It might be technically possible.

In general, we are moving to certificate-based authentication (e.g. between Enterprise Manager and VBR). That would probably also solve the goal of not storing passwords (I assume "not storing passwords" is the reason you ask). If my guess of the reason you ask for is wrong: what's the goal behind the request?

Best regards,
Hannes
Kazz
Expert
Posts: 162
Liked: 18 times
Joined: Feb 08, 2018 3:47 am
Full Name: Kazz Beck
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by Kazz »

Hannes,

2 reasons actually.
1-Not storing the password is one, but not supper important.
2-Not having to change it every 30 days in Veeam. Our passwords for service accounts are rotated on autopilot every 30 days, is there a way to update a password in Veeam with powershell? If yes, we don't care how long you would take to add gmsa support or give us the option of cert authentication

Thanks
RomanK
Veeam Software
Posts: 762
Liked: 200 times
Joined: Nov 01, 2016 11:26 am
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by RomanK »

Hello Kazz,

I will check with the QA team about the current behavior related to the gMSA.

Unfortunately, Veeam ONE does not have a PowerShell module to change the passwords.

We also discussed with teams a certificate-based authentication recently. Certificates are supported as a part of MFA. I cannot promise anything for now, but this is a known feature request.

Thanks
jorgedlcruz
Veeam Software
Posts: 1520
Liked: 661 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by jorgedlcruz »

Kazz wrote: Feb 01, 2024 1:46 pm Hannes,

2 reasons actually.
1-Not storing the password is one, but not supper important.
2-Not having to change it every 30 days in Veeam. Our passwords for service accounts are rotated on autopilot every 30 days, is there a way to update a password in Veeam with powershell? If yes, we don't care how long you would take to add gmsa support or give us the option of cert authentication

Thanks
Hello, for number 2, actually we have a private endpoint that we would love feedback about, and it is for that specific use-case, rotate Infrastructure credentials added to VONE, the endpoints to be used are the next. As said these are private and support could be limited, please let us know:

Code: Select all

        "/api/v2.2/credentials": {
            "get": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Get Credential Sets",
                "description": "Returns a collection resource representations of all credential sets.",
                "operationId": "Credentials_GetCredentials",
                "parameters": [
                    {
                        "name": "Offset",
                        "in": "query",
                        "description": "Number of first resources in the output that are excluded.",
                        "schema": {
                            "type": "integer",
                            "format": "int32",
                            "default": 0
                        }
                    },
                    {
                        "name": "Limit",
                        "in": "query",
                        "description": "Number of first resources in the output that are returned.",
                        "schema": {
                            "type": "integer",
                            "format": "int32",
                            "default": 100
                        }
                    },
                    {
                        "name": "Filter",
                        "in": "query",
                        "description": "Conditions that a resource must meet to be included in the output.",
                        "schema": {
                            "type": "string"
                        }
                    },
                    {
                        "name": "Sort",
                        "in": "query",
                        "description": "Order in which resources are returned.",
                        "schema": {
                            "type": "string"
                        }
                    },
                    {
                        "name": "Select",
                        "in": "query",
                        "description": "Property that must be explicitly returned in a response.",
                        "schema": {
                            "type": "string"
                        }
                    }
                ],
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/CredentialInfoPage"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            },
            "post": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Create Credential Set",
                "description": "Creates a new credential set.",
                "operationId": "Credentials_SaveCredentials",
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "allOf": [
                                    {
                                        "$ref": "#/components/schemas/CredentialSaveRequest"
                                    }
                                ]
                            }
                        }
                    }
                },
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/CredentialInfo"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/api/v2.2/credentials/{credentialId}/assign/host": {
            "get": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Get Hosts Accessed with Credential Set",
                "description": "Returns a collection resource representation of hosts that are accessed with the credential set with the specified ID.",
                "operationId": "Credentials_GetHostAssignCredentialInfo",
                "parameters": [
                    {
                        "name": "credentialId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/HostAssignInfoCredentialAssignInfo"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            },
            "post": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Assign Credentials to Host",
                "description": "Assigns a credential set to a host with the specified ID.",
                "operationId": "Credentials_AssignHostCredentials",
                "parameters": [
                    {
                        "name": "credentialId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "allOf": [
                                    {
                                        "$ref": "#/components/schemas/CredentialAssignHostRequest"
                                    }
                                ]
                            }
                        }
                    }
                },
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/HostAssignInfoCredentialAssignInfo"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/api/v2.2/credentials/{credentialId}/assign/guest": {
            "get": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Get VMs Accessed with Credential Set",
                "description": "Returns a collection resource representation of VMs that are accessed with the guest OS credential set with the specified ID.",
                "operationId": "Credentials_GetGuestOsAssignCredentialInfo",
                "parameters": [
                    {
                        "name": "credentialId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/GuestAssignInfoCredentialAssignInfo"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            },
            "post": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Assign Credentials to VM",
                "description": "Assigns a credential set to a guest OS of a VM with the specified ID.",
                "operationId": "Credentials_AssignGuestOsCredentials",
                "parameters": [
                    {
                        "name": "credentialId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "allOf": [
                                    {
                                        "$ref": "#/components/schemas/CredentialAssignGuestRequest"
                                    }
                                ]
                            }
                        }
                    }
                },
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/GuestAssignInfoCredentialAssignInfo"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/api/v2.2/credentials/{credentialId}": {
            "delete": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Delete Credentials",
                "description": "Deletes an unassigned credential set with the specified ID.",
                "operationId": "Credentials_DeleteCredential",
                "parameters": [
                    {
                        "name": "credentialId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "responses": {
                    "200": {
                        "description": "Success"
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            },
            "patch": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Patch Credentials",
                "description": "Modifies a credential set with the specified ID.",
                "operationId": "Credentials_UpdateCredential",
                "parameters": [
                    {
                        "name": "credentialId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "allOf": [
                                    {
                                        "$ref": "#/components/schemas/CredentialSaveRequest"
                                    }
                                ]
                            }
                        }
                    }
                },
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/CredentialInfo"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/api/v2.2/credentials/checkvbradmin": {
            "post": {
                "tags": [
                    "Credentials Manager"
                ],
                "operationId": "Credentials_IsVbrAdmin",
                "requestBody": {
                    "content": {
                        "application/json": {
                            "schema": {
                                "allOf": [
                                    {
                                        "$ref": "#/components/schemas/CheckVbrAdminRequest"
                                    }
                                ]
                            }
                        }
                    }
                },
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "type": "boolean"
                                }
                            }
                        }
                    },
                    "400": {
                        "description": "Bad Request",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/api/v2.2/credentials/object/{objectId}": {
            "get": {
                "tags": [
                    "Credentials Manager"
                ],
                "summary": "Get Credentials Assigned to Object",
                "description": "Returns a resource representation of credential set that is used to access an object with the specified ID.",
                "operationId": "Credentials_GetEntityCredentials",
                "parameters": [
                    {
                        "name": "objectId",
                        "in": "path",
                        "required": true,
                        "schema": {
                            "type": "integer",
                            "format": "int64"
                        }
                    }
                ],
                "responses": {
                    "200": {
                        "description": "Success",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "type": "array",
                                    "items": {
                                        "$ref": "#/components/schemas/EntityCredentialsInfo"
                                    }
                                }
                            }
                        }
                    },
                    "403": {
                        "description": "Forbidden",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/ProblemDetails"
                                }
                            }
                        }
                    }
                }
            }
        },
And visually:
Image

I am working with a few Enterprises using it, and so far feedback have been phenomenal.

Thank you!
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
Kazz
Expert
Posts: 162
Liked: 18 times
Joined: Feb 08, 2018 3:47 am
Full Name: Kazz Beck
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by Kazz »

Jorge,

This would be an ideal solution for us. Does VBR have the same API?
jorgedlcruz
Veeam Software
Posts: 1520
Liked: 661 times
Joined: Jul 17, 2015 6:54 pm
Full Name: Jorge de la Cruz
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by jorgedlcruz »

Hello Kazz,
Let me summon @oleg.feoktistov :)
Jorge de la Cruz
Senior Product Manager | Veeam ONE @ Veeam Software

@jorgedlcruz
https://www.jorgedelacruz.es / https://jorgedelacruz.uk
vExpert 2014-2024 / InfluxAce / Grafana Champion
oleg.feoktistov
Veeam Software
Posts: 2015
Liked: 671 times
Joined: Sep 25, 2019 10:32 am
Full Name: Oleg Feoktistov
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by oleg.feoktistov »

@Kazz,

Yes, check this VBR REST section. No support for gMSA accounts though yet.

As for VBR Powershell, it supports adding gMSA accounts. See Add-VBRCredentials cmdlet with -Type ManagedSvcAccount.

Best regards,
Oleg
RomanK
Veeam Software
Posts: 762
Liked: 200 times
Joined: Nov 01, 2016 11:26 am
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by RomanK »

Dear all,

I have got the results from the Veeam ONE QA team. It was not fully tested and as you have mentioned the setup (or upgrade) required the account.
So, officially it is not supported. Even taking into account the workaround above, we have no information if everything works as it should everywhere. In any case, this is a good feature for future versions.

Thanks
Kazz
Expert
Posts: 162
Liked: 18 times
Joined: Feb 08, 2018 3:47 am
Full Name: Kazz Beck
Contact:

Re: Group Managed Service Accounts (gMSA) for VBR connection

Post by Kazz » 1 person likes this post

Thank you guys!

I am all set, will report back once I get some automation working via VO or VBR API
Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests