Manage Policy APIs from Secrets Manager
- The condition field used in the following APIs can be supplied either as a string containing JSON (quotes escaped) or as a JSON object. Both forms are shown below.
Condition as a string
"condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.15\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-07-31 00:00:00\",\"toDate\":\"2023-12-15 00:00:00\",\"timezone\":\"Pacific/Honolulu\"},\"daysSchedule\":{\"fromTime\":\"01:00:00\",\"toTime\":\"23:30:00\",\"timezone\":\"Pacific/Honolulu\",\"days\":[\"MONDAY\",\"TUESDAY\",\"WEDNESDAY\",\"THURSDAY\"]}},\"approval\":{\"approvers\":{\"userIds\":[\"vaishali\"]},\"validFor\":4,\"isValidForInDays\":true,\"timeToApprove\":60,\"notificationMedium\":[\"Email Only\",\"teams-vw\",\"Slack - Arpita\"]}}"
Condition as a JSON object
"condition": { "approval": { "notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b", "timeToApprove": 300, "validFor": 300, "isValidForInDays": true, "approvers": { "userIds": [ "CCy1O21HXuzSNzCp8vWI" ] } } }
- notificationMedium inside the condition field can be either a string or an array.
- Only one notification medium can be specified when used as a string.
NotificationMedium as a string
"notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b"
- Multiple notification mediums can be specified when used as an array.
NotificationMedium as an array
"notificationMedium": ["44d45a37-f28b-4e51-8eef-4d5ff9e15aa9", "b438ae73-2930-41d9-b736-f80e072af753"]
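The condition element described above, worked through as an added example (this is not code from this page nor Britive's own evaluation logic): it accepts a condition in either documented form, normalizes notificationMedium from string to list, and checks a source IP and an access time against the ipAddress and timeOfAccess elements. The sample condition is copied from the string form above, with notificationMedium rewritten in its string form to exercise the normalization. Assumptions that go beyond the page: ipAddress is a comma-separated list of addresses or CIDRs, the date and time formats are exactly those shown, day names are upper-case English, and the /16 threshold for flagging over-broad networks is this example's own choice.

```python
"""Evaluate a Secrets Manager policy `condition` against an access attempt.

Added example; not Britive's code. Assumptions are listed in the lead-in above.
"""
import copy
import ipaddress
import json
from datetime import datetime, time
from zoneinfo import ZoneInfo

BROAD_PREFIX = 16  # assumption: CIDRs shorter than /16 barely restrict anything
DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Copied from the page's string-form condition; notificationMedium given as a string.
SAMPLE_CONDITION = (
    '{"ipAddress":"0.0.0.0/8,10.10.25.15",'
    '"timeOfAccess":{"dateSchedule":{"fromDate":"2023-07-31 00:00:00",'
    '"toDate":"2023-12-15 00:00:00","timezone":"Pacific/Honolulu"},'
    '"daysSchedule":{"fromTime":"01:00:00","toTime":"23:30:00",'
    '"timezone":"Pacific/Honolulu","days":["MONDAY","TUESDAY","WEDNESDAY","THURSDAY"]}},'
    '"approval":{"approvers":{"userIds":["vaishali"]},"validFor":4,"isValidForInDays":true,'
    '"timeToApprove":60,"notificationMedium":"44d45a37-f28b-4e51-8eef-4d5ff9e15aa9"}}'
)


def normalize_condition(cond):
    """Return a dict whichever form the condition arrived in, without mutating the
    caller's object; a string-valued notificationMedium becomes a one-element list."""
    cond = json.loads(cond) if isinstance(cond, str) else copy.deepcopy(cond)
    if not isinstance(cond, dict):
        raise ValueError("condition must be a JSON object or a JSON string")
    approval = cond.get("approval")
    if isinstance(approval, dict) and isinstance(approval.get("notificationMedium"), str):
        approval["notificationMedium"] = [approval["notificationMedium"]]
    return cond


def parse_networks(ip_field):
    """'0.0.0.0/8,10.10.25.15' -> [IPv4Network('0.0.0.0/8'), IPv4Network('10.10.25.15/32')]"""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in ip_field.split(",") if part.strip()]


def broad_networks(cond):
    """Entries wide enough that the IP restriction is close to no restriction at all."""
    cond = normalize_condition(cond)
    if not cond.get("ipAddress"):
        return []
    return [str(n) for n in parse_networks(cond["ipAddress"]) if n.prefixlen < BROAD_PREFIX]


def _zone(name):
    try:
        return ZoneInfo(name)
    except Exception as exc:  # fail closed: an unknown zone must never widen the window
        raise ValueError(f"unknown timezone {name!r}") from exc


def _as_aware(when):
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    if when.tzinfo is None:
        raise ValueError("access time must carry a UTC offset")
    return when


def ip_allowed(cond, client_ip):
    ip_field = cond.get("ipAddress")
    if not ip_field:
        return True  # policy does not restrict by source address
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_networks(ip_field))


def time_allowed(cond, when):
    """Each schedule is checked in its own timezone, not the caller's or the server's."""
    toa = cond.get("timeOfAccess")
    if not toa:
        return True
    ds = toa.get("dateSchedule")
    if ds:
        local = when.astimezone(_zone(ds["timezone"])).replace(tzinfo=None)
        if not datetime.strptime(ds["fromDate"], DATE_FMT) <= local <= datetime.strptime(ds["toDate"], DATE_FMT):
            return False
    days = toa.get("daysSchedule")
    if days:
        local = when.astimezone(_zone(days["timezone"]))
        if local.strftime("%A").upper() not in days["days"]:
            return False
        if not time.fromisoformat(days["fromTime"]) <= local.time() <= time.fromisoformat(days["toTime"]):
            return False
    return True


def evaluate(cond, client_ip, when):
    """True only if every condition element present in the policy is satisfied.
    `when` is an aware datetime or an ISO-8601 string with a UTC offset."""
    cond = normalize_condition(cond)
    return ip_allowed(cond, client_ip) and time_allowed(cond, _as_aware(when))
```

Two checks worth keeping from this: the schedule is evaluated in the schedule's own timezone (10:00 UTC on 2023-08-01 is 00:00 in Pacific/Honolulu and falls outside the 01:00 start), and an ipAddress list that contains a very short prefix such as 0.0.0.0/8 should be treated as a finding rather than a restriction.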
1. Get all Resource Specific Policies
This GET method returns a list of all policies for a specified resource.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.
GET | {{url}}/api/v1/policy-admin/policies?resource=<resource_id>&consumer=secretmanager |
Request Parameters
The request parameters used in this method are shown in the following table:
Parameter | Description | Data Type | Required |
consumer | Specifies the consumer whose policies are listed. In the case of Secrets Manager, this value is 'secretmanager'. | String | Mandatory |
pageToken | Autogenerated token for next page of records in case the results are more than one page. Append this token in the requested API URL to access the next set of pages. | String | Optional |
resource | Specifies the resource/path for which policies need to be listed. | String | Optional |
Request Example
curl -X GET '{{url}}/api/v1/policy-admin/policies?resource=/&consumer=secretmanager'
Response Example
Status: 200 OK |
{
"result": [
{
"id": "2f06ac6a-e5dd-4d34-8ed0-9741af1f8a9e",
"name": "TenantAuditorPolicy",
"description": "Grants view only access on the platform.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"resources": [
"*"
],
"accessType": "Allow"
},
{
"id": "93f7e80a-aaef-4845-be98-d3d45b81ceea",
"name": "SMAdminPolicy",
"description": "Grants administrative access to \"Secret Manager\" module",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"resources": [
"*",
"/"
],
"accessType": "Allow"
},
{
"id": "95c4fe32-883e-47e9-b997-09ccbeffcbb8",
"name": "TenantAdminPolicy",
"description": "Grants administrative access to all modules. Tenant Root user is part of this policy by default.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"resources": [
"*",
"/"
],
"accessType": "Allow"
},
{
"id": "73885bfe-7313-4b27-a4d8-0ba63067c19e",
"name": "SMAuditorPolicy",
"description": "Grants view access to \"Secret Manager\" module",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"resources": [
"*"
],
"accessType": "Allow"
},
{
"id": "c12f63df-241c-4e3b-83dd-a91d44ebaf08",
"name": "AuthzAuditorPolicy",
"description": "Grants view access to \"Identity Management\", Security and \"Role and Policy Management\" modules.",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"resources": [
"*"
],
"accessType": "Allow"
}
],
"pagination": {
"next": "",
"prev": ""
}
}
2. Get All Resource Specific Policies with Filter
This GET method returns all policies for a specified resource, filtered by policy name.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.
GET | {{url}}/api/v1/policy-admin/policies?filter=name eq <policy_name>&resource=<resource_id>&consumer=secretmanager |
Request Parameters
The request parameters used in this method are shown in the following table:
Parameter | Description | Data Type | Required |
consumer | Specifies the consumer whose policies are listed. In the case of Secrets Manager, this value is 'secretmanager'. | String | Mandatory |
pageToken | Autogenerated token for the next page of records in case the results are more than one page. Append this token to the requested API URL to access the next set of pages. | String | Optional |
filter | Filters the policies by name. The supported operators are 'eq', 'sm' and 'co'. An example format is given here: name eq TestPolicy (URL-encode the spaces, e.g. name%20eq%20TestPolicy). | String | Optional |
resource | Specifies the resource/path for which policies need to be listed. | String | Optional |
Request Example
curl -X GET '{{url}}/api/v1/policy-admin/policies?filter=name%20eq%20SMAdminPolicy&resource=/&consumer=secretmanager'
Response Example
Status: 200 OK |
{
"result": [
{
"id": "93f7e80a-aaef-4845-be98-d3d45b81ceea",
"name": "SMAdminPolicy",
"description": "Grants administrative access to \"Secret Manager\" module",
"isActive": true,
"isDraft": false,
"isReadOnly": true,
"members": {
"users": [
{
"id": null,
"name": null
}
]
},
"resources": [
"*",
"/"
],
"accessType": "Allow"
}
],
"pagination": {
"next": "",
"prev": ""
}
}
3. Get Policy Details
This GET method returns details of a policy specified by <policy_id>.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.list.
GET | {{url}}/api/v1/policy-admin/policies/<policy_id>?conditionJson=true&resource=<resource_id>&consumer=secretmanager |
Request Parameters
The request parameters used in this method are shown in the following table:
Parameter | Description | Data Type | Required |
consumer | Specifies that the policy must be fetched for this consumer. In the case of Secrets Manager, this value is 'secretmanager'. | String | Mandatory |
resource | Specifies the resource/path for which a policy needs to be listed. | String | Optional |
conditionJson | When true, the condition is returned as a JSON object; otherwise it is returned as a string. | Boolean | Optional |
Request Example
curl -X GET '{{url}}/api/v1/policy-admin/policies/<policy_id>?resource=/&conditionJson=true&consumer=secretmanager'
Response Example
Status: 200 OK |
{
"id": "4c423a7f-564f-469b-9f62-343ec3036367",
"name": "Aj-string",
"description": "test string-1",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": {
"ipAddress": "10.1.1.167",
"approval": {
"approvers": {
"userIds": [
"utEVQDSvec4SwjJGAzSq"
]
},
"validFor": 10,
"isValidForInDays": true,
"timeToApprove": 305,
"notificationMedium": [
"44d45a37-f28b-4e51-8eef-4d5ff9e15aa9"
]
}
},
"permissions": [
{
"id": "b27b6929-cc4a-4ee7-815b-c87b2e2504e1",
"name": "Aj-test-321_PM_0",
"description": "List permission for parent nodes in vault",
"consumer": "secretmanager",
"actions": [
"sm.node.list"
],
"resources": [
"Deleted resource/s"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "a99a51ff-383a-41d4-b204-926a07235bff",
"name": "Aj-test-321_PM_1",
"description": "Administrative permission for nodes and secrets in vault",
"consumer": "secretmanager",
"actions": [
"authz.policy.create",
"authz.policy.delete",
"authz.policy.list",
"authz.policy.read",
"authz.policy.update",
"sm.node.create",
"sm.node.delete",
"sm.node.list",
"sm.secret.read",
"sm.secret.update"
],
"resources": [
"Deleted resource/s"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "c351f5eb-4fcc-44f0-93e5-29895c7b354e",
"name": "Aj-test-321_PM_2",
"description": "Administrative permission for static secret templates and password policies, View permission for vault.",
"consumer": "secretmanager",
"actions": [
"sm.passwordpolicy.create",
"sm.passwordpolicy.delete",
"sm.passwordpolicy.list",
"sm.passwordpolicy.read",
"sm.passwordpolicy.update",
"sm.secrettemplate.create",
"sm.secrettemplate.delete",
"sm.secrettemplate.list",
"sm.secrettemplate.read",
"sm.secrettemplate.update",
"sm.vault.list",
"sm.vault.read"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "016240ee-90af-4236-a32f-cc9a191fbcd8",
"name": "Aj-test-321_PM_3",
"description": "View Permission for Identity",
"consumer": "identity",
"actions": [
"identity.user.list",
"identity.user.view"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "5428198d-2732-4e42-b082-6a27588be617",
"name": "Aj-test-321_PM_4",
"description": "View Permission for Security",
"consumer": "securityadmin",
"actions": [
"securityadmin.security.list",
"securityadmin.security.view"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "580a6237-7224-4f42-b682-916d4696a93e",
"name": "Aj-test-321_PM_5",
"description": "List Permission for Consumer",
"consumer": "authz",
"actions": [
"authz.consumer.list"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "ebc3c2df-34bb-4a63-9db7-f1cef5da9292",
"name": "Aj-test-321_PM_6",
"description": "View Permission for notification",
"consumer": "notificationmanager",
"actions": [
"nm.channels.list",
"nm.notification.list",
"nm.notification.read"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
}
],
"members": {
"users": [
{
"id": "utEVQDSvec4SwjJGAzSq",
"name": "alex.gudanis-demo@britive.com"
}
]
},
"accessLevel": "SM_Manage",
"resource": "/*",
"consumer": "secretmanager",
"accessType": "Allow"
}
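The three read APIs above (list, list with filter, get details) chained into a small audit, as an added example that is neither this page's code nor Britive's SDK: it follows pagination.next through every page, applies the name filter in the documented `name eq <value>` form, fetches each policy's details with conditionJson=true, and reports policies that grant sensitive actions on wildcard resources without any approval, IP or time condition. Everything beyond the page is an assumption: the set of actions treated as sensitive, the `{ "*", "/", "/*" }` wildcard set, and the FakeTenant with its made-up policy ids, which stands in for `{{url}}` so the logic runs offline.

```python
"""Paginate the policy list and flag unconditioned wildcard grants.

Added example, not Britive's SDK. HTTP is behind a `get(path, params)` callable
returning parsed JSON; FakeTenant below is a constructed stand-in for the tenant.
"""
import json
from urllib.parse import urlencode

CONSUMER = "secretmanager"
LIST_PATH = "/api/v1/policy-admin/policies"
# Assumption: these actions change authorization or expose secret material.
SENSITIVE_ACTIONS = {"authz.policy.create", "authz.policy.update", "authz.policy.delete",
                     "sm.secret.read", "sm.secret.update", "sm.node.delete"}
WILDCARD_RESOURCES = {"*", "/", "/*"}  # assumption: treated as "everything"


def list_policies(get, resource="/", name_filter=None):
    """Yield every policy summary, following pagination.next until it is empty."""
    params = {"resource": resource, "consumer": CONSUMER}
    if name_filter:
        params["filter"] = f"name eq {name_filter}"  # operator syntax from the page
    token = ""
    while True:
        page = get(LIST_PATH, dict(params, **({"pageToken": token} if token else {})))
        yield from page.get("result", [])
        token = page.get("pagination", {}).get("next", "")
        if not token:
            return


def get_policy(get, policy_id, resource="/"):
    return get(f"{LIST_PATH}/{policy_id}",
               {"resource": resource, "consumer": CONSUMER, "conditionJson": "true"})


def is_conditioned(policy):
    """True when at least one of ipAddress/timeOfAccess/approval is set. The API
    returns unset elements as null, so a non-empty condition dict alone proves nothing."""
    cond = policy.get("condition")
    if isinstance(cond, str):
        cond = json.loads(cond)
    return any(v for v in (cond or {}).values())


def risky_grants(policy):
    """(permission name, action) pairs that are sensitive, wildcard-scoped and ungated."""
    if policy.get("accessType") != "Allow" or not policy.get("isActive") or is_conditioned(policy):
        return []
    hits = []
    for perm in policy.get("permissions", []):
        if set(perm.get("resources", [])) & WILDCARD_RESOURCES:
            hits.extend((perm["name"], a) for a in perm.get("actions", []) if a in SENSITIVE_ACTIONS)
    return hits


def audit(get, resource="/"):
    """Map policy name -> {members, grants} for every policy carrying a risky grant."""
    findings = {}
    for summary in list_policies(get, resource):
        detail = get_policy(get, summary["id"], resource)
        hits = risky_grants(detail)
        if hits:
            users = detail.get("members", {}).get("users", [])
            findings[detail["name"]] = {"members": [u.get("name") or u.get("id") for u in users],
                                        "grants": hits}
    return findings


def _perm(name, actions, resources):
    return {"name": name, "consumer": CONSUMER, "actions": actions, "resources": resources}


# Constructed tenant data: three policies shaped like the responses on this page.
DETAILS = {
    "pol-admin": {"id": "pol-admin", "name": "SMAdminPolicy", "isActive": True, "accessType": "Allow",
                  "condition": {"ipAddress": None, "timeOfAccess": None, "approval": None},
                  "permissions": [_perm("SMAdminPolicy_PM_0", ["sm.node.list"], ["/"]),
                                  _perm("SMAdminPolicy_PM_1", ["sm.secret.read", "sm.secret.update"], ["/*"])],
                  "members": {"users": [{"id": "u1", "name": "admin@example.com"}]}},
    "pol-view": {"id": "pol-view", "name": "VW_13dec_1", "isActive": True, "accessType": "Allow",
                 "condition": {"ipAddress": None, "timeOfAccess": None,
                               "approval": {"approvers": {"userIds": ["u9"]}, "timeToApprove": 300}},
                 "permissions": [_perm("VW_13dec_1_PV_1", ["sm.node.list", "sm.secret.read"], ["/*"])],
                 "members": {"users": [{"id": "u2", "name": "viewer@example.com"}]}},
    "pol-audit": {"id": "pol-audit", "name": "SMAuditorPolicy", "isActive": True, "accessType": "Allow",
                  "condition": None,
                  "permissions": [_perm("SMAuditorPolicy_PM_0", ["sm.node.list", "sm.vault.list"], ["*"])],
                  "members": {"users": []}},
}


class FakeTenant:
    """Stand-in for {{url}}: serves two list pages and records every request URL."""
    def __init__(self):
        self.calls = []

    def __call__(self, path, params):
        self.calls.append(path + "?" + urlencode(params))
        if path == LIST_PATH:
            if params.get("pageToken") == "page2":
                return {"result": [DETAILS["pol-audit"]], "pagination": {"next": "", "prev": "page1"}}
            return {"result": [DETAILS["pol-admin"], DETAILS["pol-view"]],
                    "pagination": {"next": "page2", "prev": ""}}
        return DETAILS[path.rsplit("/", 1)[1]]


if __name__ == "__main__":
    print(json.dumps(audit(FakeTenant()), indent=2))
```

Against a real tenant, replace FakeTenant with a function that performs the GET with the bearer token and returns `response.json()`; the identity running it needs only authz.policy.list and authz.policy.read, which is the least privilege this read-only audit should be given. Note that VW_13dec_1 is not reported even though it grants sm.secret.read on /*: its approval condition gates the access, which is exactly the distinction the audit is meant to draw.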
4. Delete Policy
This DELETE method deletes a policy for a specified <policy_id>.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.delete.
DELETE | {{url}}/api/v1/policy-admin/policies/<policy_id>?resource=/&consumer=secretmanager |
Request Parameters
The request parameters used in this method are shown in the following table:
Parameter | Description | Data Type | Required |
consumer | Specifies the consumer the policy belongs to. In the case of Secrets Manager, this value is 'secretmanager'. | String | Mandatory |
resource | Specifies the resource/path for which the policy needs to be deleted. | String | Optional |
Request Example
curl -X DELETE '{{url}}/api/v1/policy-admin/policies/<policy_id>?resource=/&consumer=secretmanager' -H 'Authorization: Bearer <token>'
Response Example
Status: 204 No Content |
5. Create a Policy
This POST method creates a policy under a specified resource.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.create.
POST | {{url}}/api/v1/policy-admin/policies?resource=/&consumer=secretmanager |
Request Parameters
The request parameters used in this method are shown in the following table:
Parameter | Description | Data Type | Required |
consumer | Specifies that the policy must be created for this consumer. In case of Secrets Manager, this value is 'secretmanager'. | String | Mandatory |
resource | Specifies the resource/path for which the policy needs to be created. | String | Optional |
Request Example
curl -X POST '{{url}}/api/v1/policy-admin/policies?resource=/&consumer=secretmanager' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
-d '{
"name": "VW_13dec_1",
"description": "testing 4:15",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": {
"approval": {
"notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b",
"timeToApprove": 300,
"validFor": 300,
"isValidForInDays": true,
"approvers": {
"userIds": [
"CCy1O21HXuzSNzCp8vWI"
]
}
}
},
"members": {
"users": [
{
"id": "hsut62cvkgeeggn00zh0"
}
],
"tags": [],
"tokens": [],
"serviceIdentities": []
},
"accessLevel": "SM_View",
"resource": "/*",
"consumer": "secretmanager",
"accessType": "Allow"
}'
Response Example
Status: 201 Created |
{
"id": "7fecfb64-8d6a-4899-9323-3bea7f135a57",
"name": "VW_13dec_1",
"description": "testing 4:15",
"isActive": true,
"isDraft": false,
"isReadOnly": false,
"condition": {
"ipAddress": null,
"timeOfAccess": null,
"approval": {
"approvers": {
"userIds": [
"CCy1O21HXuzSNzCp8vWI"
]
},
"validFor": 300,
"isValidForInDays": true,
"timeToApprove": 300,
"notificationMedium": "12051835-cdf3-494b-a07e-923cb945b97b"
}
},
"permissions": [
{
"id": "da3ab952-f10a-466d-95de-9d8f0344f80c",
"name": "VW_13dec_1_PV_0",
"description": "List permission for parent nodes in vault",
"consumer": "secretmanager",
"actions": [
"sm.node.list"
],
"resources": [
"/"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "3d4b0227-8175-47cf-b124-66c97c4a021c",
"name": "VW_13dec_1_PV_1",
"description": "View permission for nodes and secrets in vault",
"consumer": "secretmanager",
"actions": [
"sm.node.list",
"sm.secret.read"
],
"resources": [
"/*"
],
"isInline": true,
"isReadOnly": false
},
{
"id": "da62143a-d646-47de-9a3f-37ad3f207367",
"name": "VW_13dec_1_PV_2",
"description": "View permission for static secret templates and vault",
"consumer": "secretmanager",
"actions": [
"sm.secrettemplate.list",
"sm.secrettemplate.read",
"sm.vault.list",
"sm.vault.read"
],
"resources": [
"*"
],
"isInline": true,
"isReadOnly": false
}
],
"members": {
"users": [
{
"id": "hsut62cvkgeeggn00zh0",
"name": "priyanka.shinde@britive.com"
}
]
},
"accessLevel": "SM_View",
"resource": "/*",
"consumer": "secretmanager",
"accessType": "Allow"
}
6. Update Policy
This PATCH method updates policy details for a specified policy under a specified resource.
Note: To execute this API, the user should have permission assigned (through policy) with action as authz.policy.update.
PATCH | {{url}}/api/v1/policy-admin/policies/<id>?resource=/&consumer=secretmanager |
Request Parameters
The request parameters used in this method are shown in the following table:
Parameter | Description | Data Type | Required |
consumer | Specifies the consumer the policy belongs to. In the case of Secrets Manager, this value is 'secretmanager'. | String | Mandatory |
resource | Specifies the resource/path for which the policy needs to be updated. | String | Optional |
Request Example
curl -X PATCH '{{url}}/api/v1/policy-admin/policies/<id>?resource=/&consumer=secretmanager' \
-H 'Authorization: Bearer <token>' -H 'Content-Type: application/json' \
-d '{
"id": "4091333b-d769-4199-8a5b-75fe4b58141c",
"name": "policy_14apr",
"description": "updated on 14 april 11am",
"members": {
"users": [
{
"id": "nkmhwgshyusxg0x6ljpq"
}
],
"tags": [],
"tokens": [],
"serviceIdentities": []
},
"isActive": true,
"condition": "{\"ipAddress\":\"0.0.0.0/8,10.10.25.13\",\"timeOfAccess\":{\"dateSchedule\":{\"fromDate\":\"2023-04-16 02:00:00\",\"toDate\":\"2023-04-20 02:30:00\",\"timezone\":\"Pacific/Honolulu\"},\"daysSchedule\":{\"fromTime\":\"12:30:00\",\"toTime\":\"13:30:00\",\"timezone\":\"Pacific/Honolulu\",\"days\":[\"MONDAY\",\"TUESDAY\",\"WEDNESDAY\",\"THURSDAY\"]}},\"approval\":{\"notificationMedium\":\"44d45a37-f28b-4e51-8eef-4d5ff9e15aa9\",\"timeToApprove\":60,\"validFor\":4,\"isValidForInDays\":true,\"approvers\":{\"userIds\":[\"k9hv0lowfsg803spfijy\"]}}}",
"isDraft": false,
"accessLevel": "SM_View",
"consumer": "secretmanager",
"resource": "/ProjectVW/secret_12apr"
}'
Response Example
Status: 204 No Content |