An approle is the way an application authenticate towards the system, and is handed privileges. Different policies and renewal parameters can be configured for different approles.
When an application wants to use the API it needs an access
token, and to get an access token it needs to authenticate. It
is not desirable to compile in username and password into the
application. Instead approles are used. When an approle is
created a role-id
is also generated. This role-id
should be
compiled into the application. When the application (or
container) is started by they system a unique secret-id
is
generated, a instance specific secret that typically has a
short ttl and can usually only be used a few times. The
application can login to the system using the role-id
(which is
also private) and the secret-id
and gain an access token that,
it turn, can be used when accessing the API.
If the same image is intended to be used on different systems, or multiple tenants, with different role-ids then a fixed role-id can be used. This is configurable using the fixed-role-id setting.
Created
Bad Request
Unauthorized
Forbidden
Not Found
Conflict (instance exists)
Service Unavailable (strongbox sealed)
name: app fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all
fields | string Retrieve only requested fields from the resource See section fields |
validate | string <enumeration> Validate the request but do not actually perform the requested operation |
keys | string <enumeration> Retrieve only the keys for the list |
count | string <enumeration> Retrieve only the number of elements in the list |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
- name: app fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
name: app fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all
Created
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
name: app fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all
fields | string Retrieve only requested fields from the resource See section fields |
validate | string <enumeration> Validate the request but do not actually perform the requested operation |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Precondition Failed
Service Unavailable (strongbox sealed)
name: app fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all
fields | string Retrieve only requested fields from the resource See section fields |
site | string Send the request to the specfifed site |
content | string <enumeration> Filter descendant nodes in the response |
keys | string <enumeration> Retrieve only the keys for the list |
count | string <enumeration> Retrieve only the number of elements in the list |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
- name: app role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf creation-time: 2022-01-13T08:44:30.264864Z bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all distribution-status: to: all
fields | string Retrieve only requested fields from the resource See section fields |
site | string Send the request to the specfifed site |
content | string <enumeration> Filter descendant nodes in the response |
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
name: app role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf creation-time: 2022-01-13T08:44:30.264864Z bind-secret-id: true weak-secret-id: false secret-id-bound-cidrs: - 192.168.1.0/24 secret-id-num-uses: 0 secret-id-ttl: 0s token-ttl: 1d token-max-ttl: 30d token-policies: - user token-bound-cidrs: - 192.168.1.0/24 token-explicit-max-ttl: 0s token-no-default-policy: false token-num-uses: 1 token-period: 0s token-type: default token-renewable: true distribute: to: all distribution-status: to: all
Create a secret-id
to be associated with a given
role-id
. This is done automatically by the scheduler
when starting a container but can also be done
manually. Note that the secret-id
is only valid on the
local site and cannot be used on other sites, ie, it is
not possible to perform an approle-login
on another
site using a secret-id
created at, for example, the top
site.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
meta: username: joe@acme.com bound-cidrs: - 192.168.0.0/24 token-bound-cidrs: - 192.168.0.0/24
secret-id: b4673065-7632-4b3c-b691-431cf2d7b268 secret-id-accessor: 20bb4855-574a-4be5-a1c1-e1efd8488181
Cancels a secret-id by its accessor.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Service Unavailable (strongbox sealed)
secret-id-accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e