Starting with the Pure1 PowerShell SDK

In the previous blog post, I explored the Python SDK authentication methods for FlashArray and Everpure Cloud ( formerly Pure Cloud Block Store). This time, we are going to shift our focus to Pure1 and the PowerShell SDK that enables you to interact with the Pure1 REST API.

Introduction

Pure1 is Pure Storage’s cloud-based management and support platform. It provides fleet-level visibility into all your arrays, including configuration state, performance metrics, subscription details, and more. The Pure1 REST API allows you to programmatically access this data, and the PowerShell SDK makes that interaction seamless.

The module is called PureStorage.Pure1 and is maintained as an open-source project on GitHub. It was originally written by Cody Hosterman and can be installed directly from the PowerShell Gallery.

One thing worth noting is that authentication to Pure1 is different from authenticating to a FlashArray or FlashBlade. Pure1 uses a public REST API endpoint, so instead of username/password or API tokens, it relies on RSA key pair (certificate-based) authentication with JSON Web Tokens (JWTs). Let’s first go through the installation steps:

Installation

The PureStorage.Pure1 module supports PowerShell 5.x and PowerShell 7.x (Core), and works on Windows, Linux, and macOS.

To install the module from the PowerShell Gallery:

Install-Module PureStorage.Pure1

To load the module:

Import-Module PureStorage.Pure1

To update to the latest version:

Update-Module PureStorage.Pure1

You can verify the installation by listing available commands:

Get-Command -Module PureStorage.Pure1

This will return the full list of cmdlets available in the module, including:

Authentication

Unlike FlashArray where you can use an API Token or OAuth2, Pure1 authentication follows a certificate-based JWT flow. The process involves:

1. Generate an RSA key pair (private key + public key) on your local machine.
2. Register the public key in Pure1 to create an API Application.
3. Copy the Application ID from Pure1.
4. Authenticate using the private key and Application ID.

The PowerShell SDK handles the JWT creation and token exchange automatically behind the scenes once you provide the Application ID and private key. This is one of the big advantages of using the SDK over raw REST API calls.

In an upcoming blog, I will be sharing how to obtain JWT and interact with REST API call directly. For this instance, let go through all the steps required to start using the PowerShell SDK module:

Step 1: Generate an RSA Key Pair

The first step is to create a certificate (RSA key pair) using the built-in cmdlet.

Windows

New-PureOneCertificate

On Windows, this creates a self-signed certificate stored in the local certificate store. You can chain the output to immediately get the public key:

New-PureOneCertificate | Get-PureOnePublicKey

This will output the public key in PEM format:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1MC+nW1FOy4tMMO51Cj
Sf20gBO1UeLFj89uoF+KXMlaxzZ7FgVCXqdUfzOgHk96R0CLuavE92qvEQG3a88p
...
cwIDAQAB
-----END PUBLIC KEY-----

Linux / macOS

On Linux or macOS, you need to have PowerShell Core installed first. Then:

New-PureOneCertificate

This will prompt you for a password to protect the private key:

Please enter a password to be used for the private key: *********

Name                           Value
----                           -----
PrivateKey                     /Users/amazouz/PureOnePrivate.pem
PublicKey                      /Users/amazouz/PureOnePublic.pem

Then retrieve the public key:

Get-PureOnePublicKey -PrivateKeyFileLocation /Users/amazouz/PureOnePrivate.pem

This will prompt for the private key password and then return the public key.

Step 2: Register the Public Key in Pure1

Once you have the public key, you need to register it in Pure1:

1. Login to iam.purestorage.com. If you login to Pure1 main portal, you can you use the app switcher on the top-right side to switch to IAM.
2. Navigate to API Keys on the left-hand side.
3. Click on Register API Key.
4. Give the application a descriptive name (e.g., “PowerShell Automation”).
5. Paste the full public key (including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines).
6. Click Next: Access Details, then select the role: Resource Operator or Resource Viewer depending on your needs.
7. Click Register API Key.

After registration, Pure1 will provide you with an Application ID that looks like:

pure1:apikey:PZoggxxxxx

Copy and save this Application ID. You will need it for authentication.

Step 3: Authenticate with Pure1

Now you can connect to Pure1 using the New-PureOneConnection cmdlet.

Windows

On Windows, the SDK automatically finds the certificate you created earlier:

New-PureOneConnection -PureAppID pure1:apikey:PZoggxxxxx

Linux / macOS

On Linux or macOS, you can either specify the private key file location or let the SDK auto-discover it from the default path (~/PureOnePrivate.pem):

New-PureOneConnection -PureAppID pure1:apikey:PZoggxxxxx

Or, if you stored the key in a custom location:

New-PureOneConnection -PrivateKeyFileLocation /home/amazouz/.ssh/PureOnePrivate.pem -PureAppID pure1:apikey:PZoggxxxxx

This will prompt for the private key password if one was set.

Once authenticated, all subsequent cmdlets in the session will work without needing to re-authenticate.

Step 4: Start Querying Pure1

With the connection established, you can now use the full range of cmdlets. Here are a few examples.

List All Arrays

Get-PureOneArray

Example output:

_as_of  : 1775502486000
id      : f8f939d9-9ce4-493d-b1f7-ae735646c1e2
name    : slc6-x50r3-n2-b22-29
fqdn    : slc6-x50r3-n2-b22-29.puretec.purestorage.com
model   : FA-X50R3
os      : Purity//FA
version : 6.10.3

Filter Arrays by Name

Get-PureOneArray | Where-Object { $_.name -like "*prod*" }

Get Array Load Metrics

$metric_name = "array_total_load"
$array_name = "slc6-x50r3-n2-b22-29"
Get-PureOneMetric -MetricName $metric_name -ObjectType $array_name

Get and Set Array Tags

# Get tags for a specific array
Get-PureOneArrayTag -ArrayName "slc6-x50r3-n2-b22-29"

# Set a tag on an array
Set-PureOneArrayTag -ArrayName "slc6-x50r3-n2-b22-29" -TagKey "environment" -TagValue "production"

(Optional) Generate a JWT Manually

In some cases, you might need a JWT without establishing a full connection. For example, authenticating Pure1 in the vSphere Client plugin, or getting access token in Pure1 swagger.

New-PureOneJwt -PureAppID pure1:apikey:PZogg6xxxxxxx

The output is a JWT string that can be used for direct REST API calls or passed to integrations.

Tips and Gotchas

• Admin role is required for API registration. If you don’t have an Admin role, contact your Pure1 organization admin.
• PowerShell 7 is preferred. While PowerShell 5.x is supported, some features and error handling work better on PowerShell 7.
• Default key location matters. The SDK looks for PureOnePrivate.pem in your home directory by default. If you store it elsewhere, use the -PrivateKeyFileLocation parameter.
• Copy the full public key. When registering in Pure1, include the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines. Missing or extra whitespace is a common source of errors.
• Moving certificates between machines. If you need to use the same certificate on a different machine, check out Cody Hosterman’s guide on exporting certificates.

What’s ahead

In this blog, We explored how to authenticate and interact with Pure1 using the PureStorage.Pure1 PowerShell SDK. The authentication process is based on RSA key pairs and JWTs, which the SDK handles automatically once you provide the Application ID and private key.

In the upcoming blogs, I will cover the new cmdlets I have added to the module, how to query it for metrics, and other user cases, so stay tuned.

• ← Previous Post