Approles

An approle is the way an application authenticates towards the system and is handed privileges. Different policies and renewal parameters can be configured for different approles.

When an application wants to use the API it needs an access token, and to get an access token it needs to authenticate. Compiling a username and password into the application is not desirable, so approles are used instead. When an approle is created a role-id is generated as well. This role-id should be compiled into the application. When the application (or container) is started by the system, a unique secret-id is generated: an instance-specific secret that typically has a short ttl and can usually only be used a few times. The application logs in to the system using the role-id (which is also private) and the secret-id, and receives an access token that, in turn, is used when accessing the API.

If the same image is intended to be used on different systems, or by multiple tenants, and would otherwise need a different role-id in each place, a fixed role-id can be used instead. This is configured with the fixed-role-id setting.
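As an added example (not part of the original API documentation), the following Python checks a proposed approle request body against the constraints this page documents before it is sent: the name pattern, the duration format, the ip-address-and-prefix-length values, and the settings the page flags as development-only or as removing a limit. The duration parser accepts the units y, d, m and s from the documented format plus h from its examples, in that order; that ordering, and the default values used when a key is absent, are assumptions taken from the schema text. The sample body is the page's own request sample, constructed here as a dict.

```python
import ipaddress
import re

# Constraints as documented for the approle request body on this page
NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$")
# Units y, d, m, s from the documented format plus h from its examples, accepted in that order
# (assumption: the page gives no ordering rule beyond the format string)
DURATION_RE = re.compile(
    r"^(?:(?P<y>\d+)y)?(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?$"
)
UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert '1y2d5h', '5h' or '10m30s' to seconds; '0s' yields 0, which the page reads as 'no limit'."""
    match = DURATION_RE.match(text)
    if not text or match is None:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(v) * UNIT_SECONDS[k] for k, v in match.groupdict().items() if v is not None)


def lint_approle(cfg):
    """Return (severity, message) findings for one approle body.

    'error' marks a schema violation; 'warning' marks a setting the page says is for
    testing and development only, or one that removes every limit on the secret-id.
    """
    findings = []
    if not NAME_RE.match(cfg.get("name", "")):
        findings.append(("error", "name must match ^[a-z0-9]([a-z0-9\\-]*[a-z0-9])?$"))
    for policy in cfg.get("token-policies", []):
        if not NAME_RE.match(policy):
            findings.append(("error", f"token-policies: bad policy name {policy!r}"))
    for key in ("secret-id-bound-cidrs", "token-bound-cidrs"):
        for cidr in cfg.get(key, []):
            try:
                # strict=False: the page's own example fe80::42:b6ff:feff:2f3/64 has host bits set
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(("error", f"{key}: invalid ip-address-and-prefix-length {cidr!r}"))
    seconds = {}
    for key in ("secret-id-ttl", "token-ttl", "token-max-ttl", "token-explicit-max-ttl", "token-period"):
        if key in cfg:
            try:
                seconds[key] = parse_duration(cfg[key])
            except ValueError:
                findings.append(("error", f"{key}: invalid duration {cfg[key]!r}"))
    if cfg.get("weak-secret-id", False):
        findings.append(("warning", "weak-secret-id is true: a secret-id alone logs in; the page limits this to testing and development"))
    if not cfg.get("bind-secret-id", True):
        findings.append(("warning", "bind-secret-id is false: the role-id alone is enough to authenticate"))
    # Schema defaults: secret-id-num-uses 1, secret-id-ttl 30m; 0 means no limit for both
    if cfg.get("secret-id-num-uses", 1) == 0 and seconds.get("secret-id-ttl", 1800) == 0:
        findings.append(("warning", "secret-id has no use limit and no ttl: a leaked secret-id never stops working"))
    return findings


# The page's request sample (secret-id-num-uses 0 together with secret-id-ttl 0s), constructed as a dict
SAMPLE_APPROLE = {
    "name": "app",
    "fixed-role-id": "ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf",
    "bind-secret-id": True,
    "weak-secret-id": False,
    "secret-id-bound-cidrs": ["192.168.1.0/24"],
    "secret-id-num-uses": 0,
    "secret-id-ttl": "0s",
    "token-ttl": "1d",
    "token-max-ttl": "30d",
    "token-policies": ["user"],
    "token-bound-cidrs": ["192.168.1.0/24"],
    "token-explicit-max-ttl": "0s",
    "token-num-uses": 1,
    "token-period": "0s",
}

if __name__ == "__main__":
    for severity, message in lint_approle(SAMPLE_APPROLE):
        print(f"{severity}: {message}")
```

Run against the page's sample the linter reports one warning: the sample disables both the use limit and the ttl of the secret-id, so the short-lived, few-uses property the introduction describes no longer holds for that approle. The same check pairs naturally with the validate=true query parameter, which lets the server reject a malformed body without creating anything.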

Create a new approle

Security: accessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
fixed-role-id
string

The fixed-role-id setting can be used to hard-code a role-id for a role. This is useful when the same image is used by multiple tenants, or on multiple systems. Note that the same fixed-role-id should not be used by more than one approle for a given tenant.

bind-secret-id
boolean
Default: true

Require a secret-id to authenticate. If this is set to false then the application can authenticate with only the role-id.

weak-secret-id
boolean
Default: false

If this is set to true then the application can authenticate with only the secret-id. This avoids the need to compile the role-id into the container. However, this setting should only be set to true during testing and development, not in production, since it allows any container to authenticate towards the system without knowledge of any other secret, i.e. the role-id.

secret-id-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

The secret-id is only valid when used from one of the subnets configured in this list.

secret-id-num-uses
integer <uint32>
Default: 1

Limits the number of times the secret-id can be used to authenticate towards the system. 0 indicates no limit.

secret-id-ttl
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It is possible to set a ttl on the secret-id. 0s indicates no limit.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-auto-bound-cidrs
string <enumeration>
Default: "host"
  • none: Do not set bound-cidrs automatically. (default)
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.
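The interaction between token-auto-bound-cidrs and token-bound-cidrs is easier to see in code. The following Python is an added example, not part of the original documentation: it derives the bound-cidrs entry a token would receive at creation for each enumeration value, reusing the prefix length of a matching token-bound-cidrs subnet in network mode as the page describes, and then applies the token-bound-cidrs rule (empty list accepts all, otherwise the source must be inside a listed subnet) to a later request. Applying the default prefix of 24 to IPv6 as well, and requiring both the static list and the automatically added entry to accept the source, are this example's assumptions; the page states only the single default value.

```python
import ipaddress

PAGE_DEFAULT_NETWORK_PREFIX = 24  # page: "The prefix defaults to 24"


def auto_bound_cidrs(mode, source_ip, token_bound_cidrs=()):
    """Compute the bound-cidrs a token receives at creation for one token-auto-bound-cidrs value.

    mode is "none", "host" or "network" (the page's enumeration). In "network" mode, if the
    source address lies inside one of the approle's token-bound-cidrs subnets, that subnet's
    prefix length is reused instead of the default 24. The default is applied to IPv6 too,
    which is an assumption of this example.
    """
    addr = ipaddress.ip_address(source_ip)
    if mode == "none":
        return []
    if mode == "host":
        # exactly one host: /32 for IPv4, /128 for IPv6
        return [f"{addr}/{addr.max_prefixlen}"]
    if mode == "network":
        prefix = PAGE_DEFAULT_NETWORK_PREFIX
        for cidr in token_bound_cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net:  # version mismatch simply yields False
                prefix = net.prefixlen
                break
        return [str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))]
    raise ValueError(f"unknown token-auto-bound-cidrs value: {mode!r}")


def token_accepted_from(bound_cidrs, source_ip):
    """token-bound-cidrs rule: an empty list accepts all subnets, otherwise the source must be inside one."""
    if not bound_cidrs:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in bound_cidrs)


def issue_and_check(mode, token_bound_cidrs, created_from, used_from):
    """Bind a token at creation from created_from, then decide whether a request from used_from is accepted.

    Both the approle's static token-bound-cidrs and the automatically added entry must accept the source
    (this example's reading of the two settings combined).
    """
    auto = auto_bound_cidrs(mode, created_from, token_bound_cidrs)
    return token_accepted_from(list(token_bound_cidrs), used_from) and token_accepted_from(auto, used_from)


if __name__ == "__main__":
    # constructed addresses: a token created on one host, then used from a neighbour in the same /24
    for mode in ("none", "host", "network"):
        print(mode, auto_bound_cidrs(mode, "192.168.1.17", ["192.168.1.0/24"]),
              issue_and_check(mode, ["192.168.1.0/24"], "192.168.1.17", "192.168.1.18"))
```

With the page's sample (token-auto-bound-cidrs: host, token-bound-cidrs: 192.168.1.0/24) a token created from 192.168.1.17 is pinned to 192.168.1.17/32, so a request from 192.168.1.18 is refused even though it lies inside the static subnet; with network mode it would be accepted. That difference is the practical reason to prefer host binding for a token that never legitimately moves between hosts.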

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

Limit the use of the token to specific subnets. The token is invalid if the source IP address originates from a subnet not listed in token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Allows a token to have an unlimited lifetime if it is renewed within the period. The default renewal TTL is the period. A periodic token can still have a maximum lifetime if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Whether the renew operation is allowed for this token.

distribute
to (object) or sites (object) or deployments (object)
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

POST /v1/config/strongbox/authentication/approles
Request samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the configuration of all approles

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/authentication/approles
Response samples
- name: app
  fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
  bind-secret-id: true
  weak-secret-id: false
  secret-id-bound-cidrs:
    - 192.168.1.0/24
  secret-id-num-uses: 0
  secret-id-ttl: 0s
  token-ttl: 1d
  token-max-ttl: 30d
  token-policies:
    - user
  token-auto-bound-cidrs: host
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 1
  token-period: 0s
  token-type: default
  token-renewable: true
  distribute:
    to: all

Update an approle

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
fixed-role-id
string

The fixed-role-id setting can be used to hard-code a role-id for a role. This is useful when the same image is used by multiple tenants, or on multiple systems. Note that the same fixed-role-id should not be used by more than one approle for a given tenant.

bind-secret-id
boolean
Default: true

Require a secret-id to authenticate. If this is set to false then the application can authenticate with only the role-id.

weak-secret-id
boolean
Default: false

If this is set to true then the application can authenticate with only the secret-id. This avoids the need to compile the role-id into the container. However, this setting should only be set to true during testing and development, not in production, since it allows any container to authenticate towards the system without knowledge of any other secret, i.e. the role-id.

secret-id-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

The secret-id is only valid when used from one of the subnets configured in this list.

secret-id-num-uses
integer <uint32>
Default: 1

Limits the number of times the secret-id can be used to authenticate towards the system. 0 indicates no limit.

secret-id-ttl
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It is possible to set a ttl on the secret-id. 0s indicates no limit.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-auto-bound-cidrs
string <enumeration>
Default: "host"
  • none: Do not set bound-cidrs automatically. (default)
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

Limit the use of the token to specific subnets. The token is invalid if the source IP address originates from a subnet not listed in token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Allows a token to have an unlimited lifetime if it is renewed within the period. The default renewal TTL is the period. A periodic token can still have a maximum lifetime if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Whether the renew operation is allowed for this token.

distribute
to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PATCH /v1/config/strongbox/authentication/approles/{approle-name}
Request samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Delete an approle

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

DELETE /v1/config/strongbox/authentication/approles/{approle-name}

Replace or create a new approle

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
fixed-role-id
string

The fixed-role-id setting can be used to hard-code a role-id for a role. This is useful when the same image is used by multiple tenants, or on multiple systems. Note that the same fixed-role-id should not be used by more than one approle for a given tenant.

bind-secret-id
boolean
Default: true

Require a secret-id to authenticate. If this is set to false then the application can authenticate with only the role-id.

weak-secret-id
boolean
Default: false

If this is set to true then the application can authenticate with only the secret-id. This avoids the need to compile the role-id into the container. However, this setting should only be set to true during testing and development, not in production, since it allows any container to authenticate towards the system without knowledge of any other secret, i.e. the role-id.

secret-id-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

The secret-id is only valid when used from one of the subnets configured in this list.

secret-id-num-uses
integer <uint32>
Default: 1

Limits the number of times the secret-id can be used to authenticate towards the system. 0 indicates no limit.

secret-id-ttl
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It is possible to set a ttl on the secret-id. 0s indicates no limit.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-auto-bound-cidrs
string <enumeration>
Default: "host"
  • none: Do not set bound-cidrs automatically. (default)
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

Limit the use of the token to specific subnets. The token is invalid if the source IP address originates from a subnet not listed in token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Allows a token to have an unlimited lifetime if it is renewed within the period. The default renewal TTL is the period. A periodic token can still have a maximum lifetime if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Whether the renew operation is allowed for this token.

distribute
to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

PUT /v1/config/strongbox/authentication/approles/{approle-name}
Request samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the configuration of an approle

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

GET /v1/config/strongbox/authentication/approles/{approle-name}
Response samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the state of all approles

Security: accessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/authentication/approles
Response samples
- name: app
  role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
  fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
  creation-time: 2022-01-13T08:44:30.264864Z
  bind-secret-id: true
  weak-secret-id: false
  secret-id-bound-cidrs:
    - 192.168.1.0/24
  secret-id-num-uses: 0
  secret-id-ttl: 0s
  token-ttl: 1d
  token-max-ttl: 30d
  token-policies:
    - user
  token-auto-bound-cidrs: host
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 1
  token-period: 0s
  token-type: default
  token-renewable: true
  distribute:
    to: all
  distribution-status:
    to: all

Retrieve the state of an approle

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specified site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

GET /v1/state/strongbox/authentication/approles/{approle-name}
Response samples
name: app
role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
creation-time: 2022-01-13T08:44:30.264864Z
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all
distribution-status:
  to: all

Invoke the create-secret-id operation

Create a secret-id to be associated with a given role-id. This is done automatically by the scheduler when starting a container but can also be done manually. Note that the secret-id is only valid on the local site and cannot be used on other sites, i.e., it is not possible to perform an approle-login on another site using a secret-id created at, for example, the top site.

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
site
string

Send the request to the specified site

Request Body schema:
meta
object

Metadata such as application name, instance id, etc. can be associated with the token resulting from an approle-login.

bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

This field can be used to limit the IP addresses that are allowed to use the secret-id.

token-auto-bound-cidrs
string <enumeration>
Default: "none"
  • none: Do not set bound-cidrs automatically.
  • host: Set bound-cidrs to the host address when the token is created.
  • network: Set bound-cidrs to the network from where the token was created. The prefix defaults to 24, unless the subnet is specified in the token-bound-cidrs setting, in which case the same network prefix is used as in token-bound-cidrs.

Automatically set bound-cidrs of token to the host or network from where the token was created.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64.
  • ip-address-and-prefix-length: The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representation implies the IP version.

This field can be used to limit the IP addresses that are allowed to use the token resulting from an approle-login.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/authentication/approles/{approle-name}/create-secret-id
Request samples
meta:
  username: joe@acme.com
bound-cidrs:
  - 192.168.0.0/24
token-auto-bound-cidrs: host
token-bound-cidrs:
  - 192.168.0.0/24
Response samples
secret-id: b4673065-7632-4b3c-b691-431cf2d7b268
secret-id-accessor: 20bb4855-574a-4be5-a1c1-e1efd8488181

Invoke the delete-secret-id operation

Revokes a secret-id, identified by its accessor.

Security: accessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
site
string

Send the request to the specified site

Request Body schema:
secret-id-accessor
required
string
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

POST /v1/state/strongbox/authentication/approles/{approle-name}/delete-secret-id
Request samples
secret-id-accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e
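The create-secret-id and delete-secret-id operations above, together with the secret-id-ttl, secret-id-num-uses and secret-id-bound-cidrs settings, describe the whole lifecycle of a secret-id. The following Python is an added example, not the system's own code: a toy server-side model that mints a secret-id with its accessor, applies the page's checks to login attempts (role-id match unless weak-secret-id is set, secret-id required unless bind-secret-id is false, ttl, use count, bound subnets), and revokes by accessor only. The login function, its order of checks, the use of UUIDs for the identifiers and the `now` parameter for deterministic timing are this example's assumptions; the page names approle-login but does not document it here. The ttl is passed in seconds rather than as a duration string.

```python
import ipaddress
import time
import uuid
from dataclasses import dataclass


@dataclass
class SecretId:
    """One issued secret-id, as create-secret-id returns it (toy model)."""
    secret_id: str
    accessor: str          # returned as secret-id-accessor; used by delete-secret-id, never grants login
    issued_at: float
    ttl_s: int             # 0 means no limit (page: secret-id-ttl 0s)
    num_uses: int          # 0 means no limit (page: secret-id-num-uses 0)
    bound_cidrs: list      # empty means any source address
    uses: int = 0
    revoked: bool = False


class ApproleStore:
    """Server-side model of one approle's secret-id lifecycle (constructed for this example)."""

    def __init__(self, role_id, bind_secret_id=True, weak_secret_id=False,
                 secret_id_ttl_s=1800, secret_id_num_uses=1, secret_id_bound_cidrs=()):
        self.role_id = role_id
        self.bind_secret_id = bind_secret_id
        self.weak_secret_id = weak_secret_id
        self.ttl_s = secret_id_ttl_s
        self.num_uses = secret_id_num_uses
        self.bound_cidrs = list(secret_id_bound_cidrs)
        self._by_secret = {}
        self._by_accessor = {}

    def create_secret_id(self, bound_cidrs=None, now=None):
        """Mirror POST .../{approle-name}/create-secret-id: mint a secret-id and its accessor."""
        s = SecretId(
            secret_id=str(uuid.uuid4()),
            accessor=str(uuid.uuid4()),
            issued_at=time.time() if now is None else now,
            ttl_s=self.ttl_s,
            num_uses=self.num_uses,
            # a bound-cidrs list in the request narrows this secret-id; otherwise the approle's list applies
            bound_cidrs=list(bound_cidrs) if bound_cidrs is not None else self.bound_cidrs,
        )
        self._by_secret[s.secret_id] = s
        self._by_accessor[s.accessor] = s
        return {"secret-id": s.secret_id, "secret-id-accessor": s.accessor}

    def delete_secret_id(self, accessor):
        """Mirror POST .../{approle-name}/delete-secret-id: revoke by accessor, not by the secret itself."""
        s = self._by_accessor.get(accessor)
        if s is None:
            return False
        s.revoked = True
        return True

    def login(self, role_id, secret_id, source_ip, now=None):
        """Apply the page's checks to a login attempt; return 'ok' or the reason it was refused.

        The order of the checks is this example's choice; the page does not specify one.
        """
        now = time.time() if now is None else now
        # the role-id is required unless weak-secret-id is set (the page's development-only mode)
        if not self.weak_secret_id and role_id != self.role_id:
            return "bad role-id"
        # the secret-id is required unless bind-secret-id is false
        if not self.bind_secret_id:
            return "ok"
        s = self._by_secret.get(secret_id)
        if s is None or s.revoked:
            return "unknown or revoked secret-id"
        if s.ttl_s and now - s.issued_at > s.ttl_s:
            return "secret-id expired"
        if s.num_uses and s.uses >= s.num_uses:
            return "secret-id use limit reached"
        if s.bound_cidrs:
            addr = ipaddress.ip_address(source_ip)
            if not any(addr in ipaddress.ip_network(c, strict=False) for c in s.bound_cidrs):
                return "source address outside secret-id-bound-cidrs"
        s.uses += 1  # a use is consumed only by a login that passed every check
        return "ok"


def demo():
    """Walk through the lifecycle with the schema defaults (30m ttl, one use) and the page's sample subnet."""
    store = ApproleStore(role_id="ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf",  # the page's sample role-id
                         secret_id_bound_cidrs=["192.168.1.0/24"])
    issued = store.create_secret_id(now=1000.0)
    return [
        store.login(store.role_id, issued["secret-id"], "10.0.0.5", now=1001.0),      # wrong subnet
        store.login(store.role_id, issued["secret-id"], "192.168.1.20", now=1001.0),  # ok, consumes the use
        store.login(store.role_id, issued["secret-id"], "192.168.1.20", now=1002.0),  # use limit reached
    ]


if __name__ == "__main__":
    print(demo())
```

The model makes two properties of the documented design visible: the accessor returned by create-secret-id is what an operator keeps for revocation, so the secret-id itself never needs to be stored outside the container, and the defaults (one use, 30 minutes) mean a secret-id that is captured after the container has started is already worthless. Setting weak-secret-id drops the role-id check entirely, which is why the page restricts it to testing and development.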