Pure Storage FlashArray Discovery
The Infracast Pure Storage plugin uses the FlashArray REST API (v2.x) to enumerate all-flash storage array configuration including volumes, connected hosts, and protection groups. Authentication is via an API token generated from the FlashArray management interface.
How It Works
- Infracast authenticates to the FlashArray management API over HTTPS using an API token
- Array identity information is collected (name, model, Purity version, capacity)
- Volumes are enumerated with their space usage, replication targets, and QoS settings
- Host objects and host-to-volume connections are discovered
- Protection groups (snapshot groups and replication groups) are collected
Prerequisites
- HTTPS access (TCP/443) from the Infracast collector to the FlashArray management IP
- Purity//FA 6.x or later (REST API v2)
- A read-only operator account or API token with
readonlyrole
Generating an API Token
Via the FlashArray GUI:
- Log into the FlashArray management UI
- Navigate to Storage → Arrays → [array name] → API Tokens
- Click Create API Token
- Set the description to
infracast-discovery - Set the role to
readonly - Set an expiration (optional but recommended — 1 year)
- Copy the generated token
Via the FlashArray CLI (SSH):
# SSH to the array
ssh pureuser@flasharray.example.com
# Create a read-only user (if one doesn't exist)
pureadmin create infracast --role readonly
# Generate an API token for the user
pureadmin create --api-token infracast
API tokens with the readonly role cannot modify any array configuration. Use a dedicated token per Infracast deployment and set a reasonable expiration date. Rotate tokens by generating a new one and updating the Infracast credential.
Registering the Credential in Infracast
infracast creds add \
--plugin pure-storage \
--name "flasharray-prod" \
--type api-token \
--host "flasharray.example.com" \
--api-token-file /run/secrets/pure-api-token
Configuring the Discovery Job
discovery:
jobs:
- name: pure-flasharray
plugin: pure-storage
credential: flasharray-prod
schedule: "0 */6 * * *" # every 6 hours
config:
host: "flasharray.example.com"
# verify_tls: set to "true" with a valid management cert
verify_tls: "false"
What Gets Discovered
| Resource Type | Description |
|---|---|
pure.flasharray.array | FlashArray appliance (name, model, Purity version, array ID, capacity, data reduction ratio) |
pure.flasharray.volume | Volume (name, size, used space, serial number, source snapshot, QoS limits, replication target) |
pure.flasharray.host | Host object (name, IQN/WWN/NQN, host group membership, OS type) |
pure.flasharray.protection_group | Protection group (name, source array, target arrays, replication schedule, retention policy) |
Edges link volumes to their parent array and to their host connections; protection groups are linked to their member volumes.
Troubleshooting
403 Forbidden or authentication error
Symptom: Error: API request failed: 403 Forbidden
Checks:
- Verify the API token is valid and has not expired
- Confirm the token was generated for a user with
readonlyrole - Test the API token manually:
curl -sk -H "x-auth-token: YOUR_TOKEN" \
"https://flasharray.example.com/api/2.x/array" | jq '.name'
TLS certificate error
Symptom: Error: x509: certificate signed by unknown authority
Fix: FlashArrays often ship with self-signed certificates. Set verify_tls: "false" for internal networks, or install a CA-signed certificate via Storage → Arrays → Certificates.
Volumes discovered but hosts missing
Symptom: Volumes appear but pure.flasharray.host resources are empty
Checks:
- Verify hosts are configured on the array: Storage → Hosts
- The
readonlyrole must have visibility into hosts — verify via the GUI that your user can see the hosts list
API version mismatch
Symptom: Error: unsupported API version
Fix: Purity//FA 6.x uses REST API v2.x. If you are on an older Purity version, check the supported API versions:
curl -sk https://flasharray.example.com/api/api_version | jq '.version'