Manage Policy APIs from Secrets Manager
    • PDF

    Manage Policy APIs from Secrets Manager

    • PDF

    Article Summary

    • The condition field used in the following APIs can be a string or a JSON object. 
      "condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.15\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-07-31 00:00:00\",\"toDate\":\"2023-12-15 00:00:00\",\"timezone\":\"Pacific/Honolulu\"},\"daysSchedule\":{\"fromTime\":\"01:00:00\",\"toTime\":\"23:30:00\",\"timezone\":\"Pacific/Honolulu\",\"days\":[\"MONDAY\",\"TUESDAY\",\"WEDNESDAY\",\"THURSDAY\"]}},\"approval\":{\"approvers\":{\"userIds\":[\"vaishali\"]},\"validFor\":4,\"isValidForInDays\":true,\"timeToApprove\":60,\"notificationMedium\":[\"Email Only\",\"teams-vw\",\"Slack - Arpita\"]}}"
      "condition": {
       "approval": {
       "notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b",
       "timeToApprove": 300,
       "validFor": 300,
       "isValidForInDays": true,
       "approvers": {
       "userIds": [
       "CCy1O21HXuzSNzCp8vWI"
       ]
       }
       }
      }
    • notificationMedium inside the condition field can be either a string or an array.
      • Only one notification medium can be specified when used as a string.
        NotificationMedium as a string
        "notificationMedium\":\"12051835-cdf3-494b-a07e-923cb945b97b\"

      • Multiple notification mediums can be specified when used as an array.
        NotificationMedium as an array
        "notificationMedium\":[\"44d45a37-f28b-4e51-8eef-4d5ff9e15aa9\",\"b438ae73-2930-41d9-b736-f80e072af753\"]

    1. Get all Resource Specific Policies

    This GET method returns a list of all policies for a specified resource.

    Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.

    GET
    {{url}}/api/v1/policy-admin/policies?resource=<resource_id>&consumer=secretmanager

    Request Parameters

    The request parameters used in this method are shown in the following table:

    ParameterDescriptionData TypeRequired

    consumer

    Specifies that the policy must be created for this consumer. In case of Secrets Manager, this value is 'secretmanager'.StringMandatory

    pageToken

    Autogenerated token for next page of records in case the results are more than one page. Append this token in the requested API URL to access the next set of pages.StringOptional

    resource

    Specifies the resource/path for which policies need to listed.StringOptional

    Request Example

    curl -X GET '{{url}}/api/v1/policy-admin/policies?resource=/&consumer=secretmanager'

    Response Example 

    Status: 200 Ok
    {
        "result": [
             {
                "id": "2f06ac6a-e5dd-4d34-8ed0-9741af1f8a9e",
                "name": "TenantAuditorPolicy",
                "description": "Grants view only access on the platform.",
                "isActive": true,
                "isDraft": false,
                "isReadOnly": true,
                "resources": [
                    "*"
                ],
                "accessType": "Allow"
            },
            {
                "id": "93f7e80a-aaef-4845-be98-d3d45b81ceea",
                "name": "SMAdminPolicy",
                "description": "Grants administrative access to \"Secret Manager\" module",
                "isActive": true,
                "isDraft": false,
                "isReadOnly": true,
                "resources": [
                    "*",
                    "/"
                ],
                "accessType": "Allow"
            },
            {
                "id": "95c4fe32-883e-47e9-b997-09ccbeffcbb8",
                "name": "TenantAdminPolicy",
                "description": "Grants administrative access to all modules. Tenant Root user is part of this policy by default.",
                "isActive": true,
                "isDraft": false,
                "isReadOnly": true,
                "resources": [
                    "*",
                    "/"
                ],
                "accessType": "Allow"
            },
            {
                "id": "73885bfe-7313-4b27-a4d8-0ba63067c19e",
                "name": "SMAuditorPolicy",
                "description": "Grants view access to \"Secret Manager\" module",
                "isActive": true,
                "isDraft": false,
                "isReadOnly": true,
                "resources": [
                    "*"
                ],
                "accessType": "Allow"
            },
            {
                "id": "c12f63df-241c-4e3b-83dd-a91d44ebaf08",
                "name": "AuthzAuditorPolicy",
                "description": "Grants view access to \"Identity Management\", Security and \"Role and Policy Management\" modules.",
                "isActive": true,
                "isDraft": false,
                "isReadOnly": true,
                "resources": [
                    "*"
                ],
                "accessType": "Allow"
            },
        ],
        "pagination": {
            "next": "",
            "prev": ""
        }
    }

    2. Get All Resource Specific Policies with Filter

    This GET method returns all policies for a specified resource filtered by a name of policy,

    Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.

    GET
    {{url}}/api/v1/policy-admin/policies?filter=name<policy_name>&resource=<resource_id>&consumer=secretmanager

    Request Parameters

    The request parameters used in this method are shown in the following table:

    ParameterDescriptionData TypeRequired

    consumer

    Specifies that the policy must be created for this consumer. In case of Secrets Manager, this value is 'secretmanager'.String Mandatory 

    pageToken

    Autogenerated token for next page of records in case the results are more than one page. Append this token in requested API URL to access the next set of pages.StringOptional

    filter

    Filter the nodes based on the name of a policy. The supported operators are 'eq', 'sm' and 'co'. 

    An example format is given here: name eq TestPolicy

    StringOptional

    resource

    Specifies the resource/path for which policies need to listed.StringOptional

    Request Example

    curl -X GET '{{url}}/api/v1/policy-admin/policies?filter=&resource=/&consumer=secretmanager'

    Response Example 

    Status: 200 OK
    {
        "result": [
            {
                "id": "93f7e80a-aaef-4845-be98-d3d45b81ceea",
                "name": "SMAdminPolicy",
                "description": "Grants administrative access to \"Secret Manager\" module",
                "isActive": true,
                "isDraft": false,
                "isReadOnly": true,
                "members": {
                    "users": [
                        {
                            "id": null,
                            "name": null
                        }
                    ]
                },
                "resources": [
                    "*",
                    "/"
                ],
                "accessType": "Allow"
            }
        ],
        "pagination": {
            "next": "",
            "prev": ""
        }
    }

    3. Get Policy Details

    This GET method returns details of a policy specified by <policy_id>.

    NoteTo execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.

    GET{{url}}/api/v1/policy-admin/policies/<policy_id>?conditionJson=true&resource=<resource_id>&consumer=secretmanager

    Request Parameters

    The request parameters used in this method are shown in the following table:

    ParameterDescriptionData TypeRequired

    consumer

    Specifies that the policy must be fetched for this consumer. In the case of Secrets Manager, this value is 'secretmanager'.StringMandatory

    resource

    Specifies the resource/path for which a policy needs to be listed.StringOptional

    conditionJson


    The condition is returned as JSON when TRUE otherwise condition is returned as a string.
    BooleanOptional

    Request Example

    curl -X GET '{{url}}/api/v1/policy-admin/policies/<policy_id>?resource=/&conditionJson=true&consumer=secretmanager'

    Response Example 

    Status: 200 Ok
    {
        "id": "4c423a7f-564f-469b-9f62-343ec3036367",
        "name": "Aj-string",
        "description": "test string-1",
        "isActive": true,
        "isDraft": false,
        "isReadOnly": false,
        "condition": {
            "ipAddress": "10.1.1.167",
            "approval": {
                "approvers": {
                    "userIds": [
                        "utEVQDSvec4SwjJGAzSq"
                    ]
                },
                "validFor": 10,
                "isValidForInDays": true,
                "timeToApprove": 305,
                "notificationMedium": [
                    "44d45a37-f28b-4e51-8eef-4d5ff9e15aa9"
                ]
            }
        },
        "permissions": [
            {
                "id": "b27b6929-cc4a-4ee7-815b-c87b2e2504e1",
                "name": "Aj-test-321_PM_0",
                "description": "List permission for parent nodes in vault",
                "consumer": "secretmanager",
                "actions": [
                    "sm.node.list"
                ],
                "resources": [
                    "Deleted resource/s"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "a99a51ff-383a-41d4-b204-926a07235bff",
                "name": "Aj-test-321_PM_1",
                "description": "Administrative permission for nodes and secrets in vault",
                "consumer": "secretmanager",
                "actions": [
                    "authz.policy.create",
                    "authz.policy.delete",
                    "authz.policy.list",
                    "authz.policy.read",
                    "authz.policy.update",
                    "sm.node.create",
                    "sm.node.delete",
                    "sm.node.list",
                    "sm.secret.read",
                    "sm.secret.update"
                ],
                "resources": [
                    "Deleted resource/s"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "c351f5eb-4fcc-44f0-93e5-29895c7b354e",
                "name": "Aj-test-321_PM_2",
                "description": "Administrative permission for static secret templates and password policies, View permission for vault.",
                "consumer": "secretmanager",
                "actions": [
                    "sm.passwordpolicy.create",
                    "sm.passwordpolicy.delete",
                    "sm.passwordpolicy.list",
                    "sm.passwordpolicy.read",
                    "sm.passwordpolicy.update",
                    "sm.secrettemplate.create",
                    "sm.secrettemplate.delete",
                    "sm.secrettemplate.list",
                    "sm.secrettemplate.read",
                    "sm.secrettemplate.update",
                    "sm.vault.list",
                    "sm.vault.read"
                ],
                "resources": [
                    "*"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "016240ee-90af-4236-a32f-cc9a191fbcd8",
                "name": "Aj-test-321_PM_3",
                "description": "View Permission for Identity",
                "consumer": "identity",
                "actions": [
                    "identity.user.list",
                    "identity.user.view"
                ],
                "resources": [
                    "*"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "5428198d-2732-4e42-b082-6a27588be617",
                "name": "Aj-test-321_PM_4",
                "description": "View Permission for Security",
                "consumer": "securityadmin",
                "actions": [
                    "securityadmin.security.list",
                    "securityadmin.security.view"
                ],
                "resources": [
                    "*"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "580a6237-7224-4f42-b682-916d4696a93e",
                "name": "Aj-test-321_PM_5",
                "description": "List Permission for Consumer",
                "consumer": "authz",
                "actions": [
                    "authz.consumer.list"
                ],
                "resources": [
                    "*"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "ebc3c2df-34bb-4a63-9db7-f1cef5da9292",
                "name": "Aj-test-321_PM_6",
                "description": "View Permission for notification",
                "consumer": "notificationmanager",
                "actions": [
                    "nm.channels.list",
                    "nm.notification.list",
                    "nm.notification.read"
                ],
                "resources": [
                    "*"
                ],
                "isInline": true,
                "isReadOnly": false
            }
        ],
        "members": {
            "users": [
                {
                    "id": "utEVQDSvec4SwjJGAzSq",
                    "name": "alex.gudanis-demo@britive.com"
                }
            ]
        },
        "accessLevel": "SM_Manage",
        "resource": "/*",
        "consumer": "secretmanager",
        "accessType": "Allow"
    }

    4. Delete Policy

    This DELETE method deletes a policy for a specified <policy_id>.

    Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.delete.

    DELETE{{url}}/api/v1/policy-admin/policies/<policy_id>?resource=/&consumer=secretmanager

    Request Parameters

    The request parameters used in this method are shown in the following table:

    ParameterDescriptionData TypeRequired

    consumer

    Specifies that the policy must be created for this consumer. In case of Secrets Manager, this value is 'secretmanager'.String Mandatory  

    resource

    Specifies the resource/path for which policy needs to deleted.StringOptional

    Request Example

    curl -X DELETE '{{url}}/api/v1/policy-admin/policies?resource=/&consumer=secretmanager'

    Response Example 

    Status: 204 No Content

    5. Create a Policy 

    This POST method creates a policy under a specified resource.

    Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.create. 

    POST
    {{url}}/api/v1/policy-admin/policies?resource=/&consumer=secretmanager

    Request Parameters

    The request parameters used in this method are shown in the following table:

    ParameterDescriptionData TypeRequired

    consumer

    Specifies that the policy must be created for this consumer. In case of Secrets Manager, this value is 'secretmanager'.String Mandatory

    resource

    Specifies the resource/path for which policy needs to created.StringOptional

    Request Example

    curl -X POST '{{url}}/api/v1/policy-admin/policies'
    -H 'Authorization: Bearer ' 
    -d
    '{
        "name": "VW_13dec_1",
        "description": "testing 4:15",
        "isActive": true,
        "isDraft": false,
        "isReadOnly": false,
        "condition": {
            "approval": {
                "notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b",
                "timeToApprove": 300,
                "validFor": 300,
                "isValidForInDays": true,
                "approvers": {
                    "userIds": [
                        "CCy1O21HXuzSNzCp8vWI"
                    ]
                }
            }
        },
        "members": {
            "users": [
                {
                    "id": "hsut62cvkgeeggn00zh0"
                }
            ],
            "tags": [],
            "tokens": [],
            "serviceIdentities": []
        },
        "accessLevel": "SM_View",
        "resource": "/*",
        "consumer": "secretmanager",
        "accessType": "Allow"
    }

    Response Example 

    Status: 201 Created
    {
        "id": "7fecfb64-8d6a-4899-9323-3bea7f135a57",
        "name": "VW_13dec_1",
        "description": "testing 4:15",
        "isActive": true,
        "isDraft": false,
        "isReadOnly": false,
        "condition": {
            "ipAddress": null,
            "timeOfAccess": null,
            "approval": {
                "approvers": {
                    "userIds": [
                        "CCy1O21HXuzSNzCp8vWI"
                    ]
                },
                "validFor": 300,
                "isValidForInDays": true,
                "timeToApprove": 300,
                "notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b"
            }
        },
        "permissions": [
            {
                "id": "da3ab952-f10a-466d-95de-9d8f0344f80c",
                "name": "VW_13dec_1_PV_0",
                "description": "List permission for parent nodes in vault",
                "consumer": "secretmanager",
                "actions": [
                    "sm.node.list"
                ],
                "resources": [
                    "/"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "3d4b0227-8175-47cf-b124-66c97c4a021c",
                "name": "VW_13dec_1_PV_1",
                "description": "View permission for nodes and secrets in vault",
                "consumer": "secretmanager",
                "actions": [
                    "sm.node.list",
                    "sm.secret.read"
                ],
                "resources": [
                    "/*"
                ],
                "isInline": true,
                "isReadOnly": false
            },
            {
                "id": "da62143a-d646-47de-9a3f-37ad3f207367",
                "name": "VW_13dec_1_PV_2",
                "description": "View permission for static secret templates and vault",
                "consumer": "secretmanager",
                "actions": [
                    "sm.secrettemplate.list",
                    "sm.secrettemplate.read",
                    "sm.vault.list",
                    "sm.vault.read"
                ],
                "resources": [
                    "*"
                ],
                "isInline": true,
                "isReadOnly": false
            }
        ],
        "members": {
            "users": [
                {
                    "id": "hsut62cvkgeeggn00zh0",
                    "name": "priyanka.shinde@britive.com"
                }
            ]
        },
        "accessLevel": "SM_View",
        "resource": "/*",
        "consumer": "secretmanager",
        "accessType": "Allow"
    }

    6. Update Policy 

    This PATCH method updates policy details for a specified policy under a specified resource.

    Note: To execute this API, user should have permission assigned (through policy) with action as authz.policy.update.

    PATCH{{url}}/api/v1/policy-admin/policies/<id>?resource=/&consumer=secretmanager

    Request Parameters

    The request parameters used in this method are shown in the following table:

    ParameterDescriptionData TypeRequired

    consumer

    Specifies that the policy must be created for this consumer. In case of Secrets Manager, this value is 'secretmanager'.String Mandatory  

    resource

    Specifies the resource/path for which policy needs to updated.StringOptional

    Request Example

    curl -X PATCH ‘{{url}}/api/v1/policy-admin/policies/<id>?resource=/&consumer=secretmanager'
    -H 'Authorization: Bearer <token>' -H 'content-type: application/json'
    -d
    '{
        "id": "4091333b-d769-4199-8a5b-75fe4b58141c",
        "name": "policy_14apr",
        "description": "updated on 14 april 11am",
        "members": {
            "users": [
                {
                    "id": "nkmhwgshyusxg0x6ljpq"
                }
            ],
            "tags": [],
            "tokens": [],
            "serviceIdentities": []
        },
        "isActive": true,
        "condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.13\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-04-16 02:00:00\",\"toDate\":\"2023-04-20 02:30:00\",\"timezone\":\"Pacific/Honolulu\"},\"daysSchedule\":{\"fromTime\":\"12:30:00\",\"toTime\":\"13:30:00\",\"timezone\":\"Pacific/Honolulu\",\"days\":[\"MONDAY\",\"TUESDAY\",\"WEDNESDAY\",\"THURSDAY\"]}},\"approval\":{\"notificationMedium\":\"44d45a37-f28b-4e51-8eef-4d5ff9e15aa9\",\"timeToApprove\":60,\"validFor\":4,\"isValidForInDays\":true,\"approvers\":{\"userIds\":[\"k9hv0lowfsg803spfijy\"]}}}",
        "isDraft": false,
        "accessLevel": "SM_View",
        "consumer": "secretmanager",
        "resource": "/ProjectVW/secret_12apr"
    }'
    

    Response Example 

    Status: 204 No Content



    Was this article helpful?