Approles

An approle is the way an application authenticate towards the system, and is handed privileges. Different policies and renewal parameters can be configured for different approles.

When an application wants to use the API it needs an access token, and to get an access token it needs to authenticate. It is not desirable to compile in username and password into the application. Instead approles are used. When an approle is created a role-id is also generated. This role-id should be compiled into the application. When the application (or container) is started by they system a unique secret-id is generated, a instance specific secret that typically has a short ttl and can usually only be used a few times. The application can login to the system using the role-id (which is also private) and the secret-id and gain an access token that, it turn, can be used when accessing the API.

If the same image is intended to be used on different systems, or multiple tenants, with different role-ids then a fixed role-id can be used. This is configurable using the fixed-role-id setting.

Create a new approle

SecurityaccessToken
Request
query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
fixed-role-id
string

The fixed-role-id setting can be used to hard-code a role-id for a role. This is useful when the same image is used by multiple tenants, or on multiple systems. Note that the same fixed-role-id should not be used by more than one approle for a given tenant.

bind-secret-id
boolean
Default: true

Require a secret-id to authenticate. If this is set to false then the application can authenticate with only the role-id.

weak-secret-id
boolean
Default: false

If this is set to true then the application can authenticate with only the secret-id. This avoids the need to compile in the role-id into the container. However, this setting should only be set to true during testing and development, not in production, since it will allow any container to authenticate towards the system without any knowledge of any other secret, ie the role-id.

secret-id-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

The secret-id is only valid when used from one of the subnets configured in this list.

secret-id-num-uses
integer <uint32>
Default: 1

Limits the number of times the secret-id can be used to authenticate towards the system. 0 indicates no limit.

secret-id-ttl
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It is possible to set a ttl on the secret-id. 0s indicates no limit.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Should the refresh operation be allowed for this token or not.

to (object) or sites (object) or deployments (object)
Responses
201

Created

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

409

Conflict (instance exists)

503

Service Unavailable (strongbox sealed)

post/v1/config/strongbox/authentication/approles
Request samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the configuration of all approles

SecurityaccessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/approles
Response samples
- name: app
  fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
  bind-secret-id: true
  weak-secret-id: false
  secret-id-bound-cidrs:
    - 192.168.1.0/24
  secret-id-num-uses: 0
  secret-id-ttl: 0s
  token-ttl: 1d
  token-max-ttl: 30d
  token-policies:
    - user
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 1
  token-period: 0s
  token-type: default
  token-renewable: true
  distribute:
    to: all
  

Update an approle

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
fixed-role-id
string

The fixed-role-id setting can be used to hard-code a role-id for a role. This is useful when the same image is used by multiple tenants, or on multiple systems. Note that the same fixed-role-id should not be used by more than one approle for a given tenant.

bind-secret-id
boolean
Default: true

Require a secret-id to authenticate. If this is set to false then the application can authenticate with only the role-id.

weak-secret-id
boolean
Default: false

If this is set to true then the application can authenticate with only the secret-id. This avoids the need to compile in the role-id into the container. However, this setting should only be set to true during testing and development, not in production, since it will allow any container to authenticate towards the system without any knowledge of any other secret, ie the role-id.

secret-id-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

The secret-id is only valid when used from one of the subnets configured in this list.

secret-id-num-uses
integer <uint32>
Default: 1

Limits the number of times the secret-id can be used to authenticate towards the system. 0 indicates no limit.

secret-id-ttl
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It is possible to set a ttl on the secret-id. 0s indicates no limit.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Should the refresh operation be allowed for this token or not.

to (object) or sites (object) or deployments (object)
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

patch/v1/config/strongbox/authentication/approles/{approle-name}
Request samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Delete an approle

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

delete/v1/config/strongbox/authentication/approles/{approle-name}

Replace or create a new approle

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Request Body schema:
name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$
fixed-role-id
string

The fixed-role-id setting can be used to hard-code a role-id for a role. This is useful when the same image is used by multiple tenants, or on multiple systems. Note that the same fixed-role-id should not be used by more than one approle for a given tenant.

bind-secret-id
boolean
Default: true

Require a secret-id to authenticate. If this is set to false then the application can authenticate with only the role-id.

weak-secret-id
boolean
Default: false

If this is set to true then the application can authenticate with only the secret-id. This avoids the need to compile in the role-id into the container. However, this setting should only be set to true during testing and development, not in production, since it will allow any container to authenticate towards the system without any knowledge of any other secret, ie the role-id.

secret-id-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

The secret-id is only valid when used from one of the subnets configured in this list.

secret-id-num-uses
integer <uint32>
Default: 1

Limits the number of times the secret-id can be used to authenticate towards the system. 0 indicates no limit.

secret-id-ttl
string <duration>
Default: "30m"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It is possible to set a ttl on the secret-id. 0s indicates no limit.

token-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

TTL of token. The lifetime can be extended using the renew operation.

token-max-ttl
string <duration>

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Max TTL a token can have before renewal is required.

token-policies
Array of strings <name>

These policies are associated with the token that results from successful login, in addition to any policies specified in the entity-alias and the entity.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

Limit the use of the token to specific subnets. The token will be invalid if the src ip address originates from a subnet not listed in the token-bound-cidrs. All subnets are accepted if the list is empty.

token-explicit-max-ttl
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

Limits the possible lifetime of a token and will override ttl and max-ttl, as well as the lifetime of a periodic token.

token-no-default-policy
boolean
Default: false

Do not add the default policy to the token if this is set to true.

token-num-uses
integer <uint32>

Limit the number of times the token can be used.

token-period
string <duration>
Default: "0s"

A duration in years, days, hours, minutes and seconds.

Format is [<digits>y][<digits>d][<digits>m][<digits>s].

Examples: 1y2d5h, 5h or 10m30s

It allows a token to have an unlimited lifetime if renewed within the period. The default renewal TTL will be the period. A periodic token can still have a maximum life time if explicit-max-ttl is set. The renewable property needs to be true as well.

token-type
string <token-type>
Default: "default"
  • service
  • default
token-renewable
boolean
Default: true

Should the refresh operation be allowed for this token or not.

to (object) or sites (object) or deployments (object)
Responses
201

Created

204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

put/v1/config/strongbox/authentication/approles/{approle-name}
Request samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the configuration of an approle

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

validate
string <enumeration>

Validate the request but do not actually perform the requested operation

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

412

Precondition Failed

503

Service Unavailable (strongbox sealed)

get/v1/config/strongbox/authentication/approles/{approle-name}
Response samples
name: app
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all

Retrieve the state of all approles

SecurityaccessToken
Request
query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
keys
string <enumeration>

Retrieve only the keys for the list

Value: "true"
count
string <enumeration>

Retrieve only the number of elements in the list

Value: "true"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/strongbox/authentication/approles
Response samples
- name: app
  role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
  fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
  creation-time: 2022-01-13T08:44:30.264864Z
  bind-secret-id: true
  weak-secret-id: false
  secret-id-bound-cidrs:
    - 192.168.1.0/24
  secret-id-num-uses: 0
  secret-id-ttl: 0s
  token-ttl: 1d
  token-max-ttl: 30d
  token-policies:
    - user
  token-bound-cidrs:
    - 192.168.1.0/24
  token-explicit-max-ttl: 0s
  token-no-default-policy: false
  token-num-uses: 1
  token-period: 0s
  token-type: default
  token-renewable: true
  distribute:
    to: all
  distribution-status:
    to: all
  

Retrieve the state of an approle

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
fields
string

Retrieve only requested fields from the resource

See section fields

site
string

Send the request to the specfifed site

content
string <enumeration>

Filter descendant nodes in the response

Enum: "config" "nonconfig"
Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

get/v1/state/strongbox/authentication/approles/{approle-name}
Response samples
name: app
role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
fixed-role-id: ba4bb5b7-f126-48f7-a2be-cae8aaacb4cf
creation-time: 2022-01-13T08:44:30.264864Z
bind-secret-id: true
weak-secret-id: false
secret-id-bound-cidrs:
  - 192.168.1.0/24
secret-id-num-uses: 0
secret-id-ttl: 0s
token-ttl: 1d
token-max-ttl: 30d
token-policies:
  - user
token-bound-cidrs:
  - 192.168.1.0/24
token-explicit-max-ttl: 0s
token-no-default-policy: false
token-num-uses: 1
token-period: 0s
token-type: default
token-renewable: true
distribute:
  to: all
distribution-status:
  to: all

Invoke the create-secret-id operation

Create a secret-id to be associated with a given role-id. This is done automatically by the scheduler when starting a container but can also be done manually. Note that the secret-id is only valid on the local site and cannot be used on other sites, ie, it is not possible to perform an approle-login on another site using a secret-id created at, for example, the top site.

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
site
string

Send the request to the specfifed site

Request Body schema:
object

Metadata such as application name, instance id, etc can be associated with the token resulting from an approle-login.

bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

This field can be used to limit the IP addresses that are allowed to use the secret-id.

token-bound-cidrs
Array of strings <ip-address-and-prefix-length>
  • ipv4-address-and-prefix-length: The ipv4-address-and-prefix-length type represents a combination of an IPv4 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 32. For example 192.168.131.0/24.
  • ipv6-address-and-prefix-length: The ipv6-address-and-prefix-length type represents a combination of an IPv6 address and a prefix length. The prefix length is given by the number following the slash character and must be less than or equal to 128. For example fe80::42:b6ff:feff:2f3/64. The ip-address-and-prefix-length type represents a combination of an IP address and a prefix length and is IP version neutral. The format of the textual representations implies the IP version.

This field can be used to limit the IP addresses that are allowed to use the token resulting from an approle-login.

Responses
200

OK

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/authentication/approles/{approle-name}/create-secret-id
Request samples
meta:
  username: joe@acme.com
bound-cidrs:
  - 192.168.0.0/24
token-bound-cidrs:
  - 192.168.0.0/24
Response samples
secret-id: b4673065-7632-4b3c-b691-431cf2d7b268
secret-id-accessor: 20bb4855-574a-4be5-a1c1-e1efd8488181

Invoke the delete-secret-id operation

Cancels a secret-id by its accessor.

SecurityaccessToken
Request
path Parameters
approle-name
required
string <name> ^[a-z0-9]([a-z0-9\-]*[a-z0-9])?$

name of approle

query Parameters
site
string

Send the request to the specfifed site

Request Body schema:
secret-id-accessor
required
string
Responses
204

No Content

400

Bad Request

401

Unauthorized

403

Forbidden

404

Not Found

503

Service Unavailable (strongbox sealed)

post/v1/state/strongbox/authentication/approles/{approle-name}/delete-secret-id
Request samples
secret-id-accessor: 601ab2f4-9e3a-4e1e-9a99-81aff088cf0e