Secrets Service API
API Endpoint
http://secrets.agilestacks.com/api/v1Secrets Service has protected HTTP API to provide access to all it’s functions, such as:
-
saving and retrieving secrets;
-
obtaining expiring tokens to access cloud accounts;
-
manage secrets permissions.
Please read design first.
There are several types of supported entities: cloud-accounts, environments, templates, instances,
applications, licenses, and service-accounts.
Supported types of kind field in secret object are: password, cloudAccount, cloudAccessKeys,
privateKey, certificate, sshKey, usernamePassword, text, license,
token, bearerToken, accessToken, refreshToken, and loginToken.
For kind = 'cloudAccount', Secrets Service will check secret object cloud field is one of:
aws, azure, gcp.
For cloud = 'aws' Secret Service additionally accept region and sts AWS endpoint in
https://sts(.region).amazonaws.com format.
Resource Group ¶
Secret ¶
Headers
X-Secrets-Token: user-tokenHeaders
Content-Type: application/json; charset=utf-8Body
{
"id": "02a669c0-543b-432f-a11d-fb21f29c7200",
"name": "component.postgresql.password",
"kind": "password",
"username": "automation-hub",
"password": "jai0eite3X"
}Retrieve SecretGET/secrets/{entityKind}/{entityId}/{secretId}
Reading cloud account entity returns original security-sensitive information masked.
The only way to use cloud account is to request session keys via /session-keys.
Password:
{
"id": "02a669c0-543b-432f-a11d-fb21f29c7200",
"name": "component.postgresql.password",
"kind": "usernamePassword",
"username": "automation-hub",
"password": "jai0eite3X"
}Cloud account entity:
{
"id": "4ae21e5e-c49f-4222-b164-ffb03d8448dd",
"name": "My AWS",
"kind": "cloudAccount",
"cloud": "aws",
"accessKey": "AKIA****************",
"secretKey": "IqCFm0**********************************"
}{
"id": "4ae21e5e-c49f-4222-b164-ffb03d8448dd",
"name": "My AWS",
"kind": "cloudAccount",
"cloud": "aws",
"roleArn": "arn:aws:iam::973998981304:role/xaccount-*********************",
"externalId": "4f60642506******************************",
"duration": 7200
}- entityKind
string(required) Example: environmentsEntity type identifier
- entityId
string(required) Example: 123ID of the Entity
- secretId
string(required) Example: 02a669c0-543b-432f-a11d-fb21f29c7200ID of the Secret
Headers
X-Secrets-Token: user-tokenBody
{
"purpose": "stack-k8s-aws deployment",
"duration": 4800
}Headers
Content-Type: application/json; charset=utf-8Body
{
"cloud": "aws",
"accessKey": "AKIA****************",
"secretKey": "IqCFm0**********************************",
"sessionToken": "...",
"ttl": 7200,
"_env": {
"AWS_ACCESS_KEY_ID": "...",
"AWS_SECRET_ACCESS_KEY": "...",
"AWS_SESSION_TOKEN": "..."
}
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "badRequest",
"detail": "The requested secret is not `cloudAccount` kind",
"meta": {
"errors": {
"type": "badRequest",
"detail": "The requested secret is not `cloudAccount` kind",
"meta": {
"stack":"Error: The requested secret is not `cloudAccount` kind...js:76:19)"
}
}
}
}
]
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "serverError",
"detail": "AWS STS error: ...",
"meta": {
"errors": {
"type": "serverError",
"detail": "AWS STS error: ...",
"meta": {
"stack":"Error: AWS STS error: ......js:76:19)"
}
}
}
}
]
}Retrieve Cloud Account SessionPOST/secrets/cloud-accounts/{cloudAccountId}/{secretId}/session-keys
Post to cloud account session endpoint returns cloud-specific credentials to access cloud account.
For AWS a set of temporary security credentials are issued. The keys are valid for duration of the request
or of the secret, or the STS default of 1 hour.
Optionally, send purpose to be included as part of role session name sent to STS.
Optionally, set region and sts (endpoint).
For Azure and GCP as set of static credentials are returned.
If AWS cloud account credentials are accessKey and secretKey pair, then is must be keys either of account
root user or IAM user with MFA disabled. The session keys obtained cannot call IAM API due to
restriction imposed by AWS, from STS GetSessionToken:
The temporary security credentials created by GetSessionToken can be used to make API calls to any AWS service with the following exceptions:
- You cannot call any IAM APIs unless MFA authentication information is included in the request.
- You cannot call any STS API except AssumeRole or GetCallerIdentity.
Response object _env: {} field includes cloud-specific set of OS environment variable that should be exported
to get cloud CLIs and SDKs working with the cloud account. Additionally, _envAsFiles: [] array indicates
which _env keys cannot be presented inline, but must be saved into file for native auth mechanism to pick-up
the settings, for example "_envAsFiles": ["GOOGLE_APPLICATION_CREDENTIALS"], "_envAsFiles": ["AZURE_CERTIFICATE_PATH"].
- cloudAccountId
string(required) Example: 123ID of the Cloud Account
- secretId
string(required) Example: 02a669c0-543b-432f-a11d-fb21f29c7200ID of the Secret
Headers
X-Secrets-Token: user-token
X-Via-Secrets-Token: via-user-tokenBody
{}Headers
Content-Type: application/json; charset=utf-8Body
{}Retrieve Cloud Account Session via intermediaryPOST/secrets/cloud-accounts/{cloudAccountId}/{secretId}/session-keys/via/cloud-accounts/{viaCloudAccountId}/{viaSecretId}
First retrieve viaSecretId session, then retreve and return secretId session using that.
This works for AWS only. X-Via-Secrets-Token is used to fetch Via Secret from Vault.
The use case is to have a set of static credentials to assume (cross-account) role. This allows (1) Secrets Service on-prem - without instance profile - to work with multiple AWS accounts; (2) Secrets Service in public cloud to issue GovCloud session and vice versa.
- cloudAccountId
string(required) Example: 123ID of the Cloud Account
- secretId
string(required) Example: 02a669c0-543b-432f-a11d-fb21f29c7200ID of the Secret
- viaCloudAccountId
string(required) Example: 456ID of the Via Cloud Account
- viaSecretId
string(required) Example: 4676a1a6-dd9c-4f86-b4fc-9c049c0674e7ID of the Via Secret
Headers
Content-Type: application/json; charset=utf-8
X-Secrets-Token: user-tokenBody
{
"name": "component.postgresql.password",
"kind": "usernamePassword",
"username": "automation-hub",
"password": "jai0eite3X"
}Headers
Content-Type: application/json; charset=utf-8
Location: /api/v1/environments/123/secrets/02a669c0-543b-432f-a11d-fb21f29c7200Body
{
"id": "02a669c0-543b-432f-a11d-fb21f29c7200"
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "badRequest",
"detail": "Error parse JSON input",
"meta": {
"errors": {
"type": "badRequest",
"detail": "Error parse JSON input",
"meta": {
"stack":"Error: Error parse JSON input...js:76:19)"
}
}
}
}
]
}Create SecretPOST/secrets/{entityKind}/{entityId}
- entityKind
string(required) Example: environmentsEntity type identifier
- entityId
string(required) Example: 123ID of the Entity
Headers
Content-Type: application/json; charset=utf-8
X-Secrets-Token: user-tokenBody
{
"kind": "privateKey"
}Headers
Content-Type: application/json; charset=utf-8
Location: /api/v1/instances/123/secrets/02a669c0-543b-432f-a11d-fb21f29c7200Body
{
"id": "02a669c0-543b-432f-a11d-fb21f29c7200"
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "badRequest",
"detail": "Error parse JSON input",
"meta": {
"errors": {
"type": "badRequest",
"detail": "Error parse JSON input",
"meta": {
"stack":"Error: Error parse JSON input...js:76:19)"
}
}
}
}
]
}Create Secret by examplePOST/secrets/{entityKind}/{entityId}/copy/{fromEntityKind}/{fromEntityId}/{fromId}
Create a new secret by copying existing secret, optionally changing or adding secret’s fields.
If supplied, kind must match source secret kind. If kind = 'cloudAccount' is presented in the body, then
cloud must be specified and must match source secret cloud.
- entityKind
string(required) Example: instancesEntity type identifier
- entityId
string(required) Example: 123ID of the Entity
- fromEntityKind
string(required) Example: instancesSource Entity type identifier
- fromEntityId
string(required) Example: 102Source ID of the Entity
- fromId
string(required) Example: 4b71b933-f1e0-4a63-a113-6fb813cfb4a7Source Secret ID
Headers
Content-Type: application/json; charset=utf-8
X-Secrets-Token: user-tokenBody
{
"name": "component.postgresql.password",
"kind": "password",
"username": "automation-hub",
"password": "jai0eite3X"
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "badRequest",
"detail": "`password` field is not set",
"meta": {
"errors": {
"type": "badRequest",
"detail": "`password` field is not set",
"meta": {
"stack":"Error: `password` field is not set...js:76:19)"
}
}
}
}
]
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "badRequest",
"detail": "`kind` doesn't match",
"meta": {
"errors": {
"type": "badRequest",
"detail": "`kind` doesn't match",
"meta": {
"stack":"Error: `kind` doesn't match...js:76:19)"
}
}
}
}
]
}Update SecretPUT/secrets/{entityKind}/{entityId}/{secretId}
The secret kind must match otherwise 409 Conflict will be returned.
- entityKind
string(required) Example: environmentsEntity type identifier
- entityId
string(required) Example: 123ID of the Entity
- secretId
string(required) Example: 02a669c0-543b-432f-a11d-fb21f29c7200ID of the Secret
Headers
X-Secrets-Token: user-tokenDelete SecretDELETE/secrets/{entityKind}/{entityId}/{secretId}
- entityKind
string(required) Example: environmentsEntity type identifier
- entityId
string(required) Example: 123ID of the Entity
- secretId
string(required) Example: 02a669c0-543b-432f-a11d-fb21f29c7200ID of the Secret
Headers
X-Secrets-Token: user-tokenDelete all Entity SecretsDELETE/secrets/{entityKind}/{entityId}
Recursively delete all secrets under specific path.
- entityKind
string(required) Example: instancesEntity type identifier
- entityId
string(required) Example: 123ID of the Entity
User ¶
User is currently an Okta user and is addressed by Okta user Id with prefix okta-, e.g. okta-00ub0oNGTSWTBKOLGLNR.
Headers
X-Secrets-Token: high-privilege-auth-service-tokenHeaders
Content-Type: application/json; charset=utf-8Body
{
"roleId": "f2db06c7-1b3c-9262-1116-fa1842a5c567"
}Create UserPUT/users/{userId}
Returned roleId must be saved by calling service for use with /login. This method is idempotent and it will reset the
policies associated with the role in case role already exist. (Policies controls access to Environment, Cloud
Account, etc. secrets)
- userId
string(required) Example: okta-00ub0oNGTSWTBKOLGLNRID of the User
Headers
X-Secrets-Token: high-privilege-auth-service-tokenDelete UserDELETE/users/{userId}
- userId
string(required) Example: okta-00ub0oNGTSWTBKOLGLNRID of the User
Headers
Content-Type: application/json; charset=utf-8
X-Secrets-Token: high-privilege-automation-hub-token | high-privilege-auth-service-token?Body
{
"environments": [
"env id 1",
"env id 2"
],
"cloudAccounts": [
"cloud account id 1",
"cloud account id 2"
],
"etc.": []
}Headers
Content-Type: application/json; charset=utf-8Body
"errors": [
{
"type": "badRequest",
"detail": "`environments` field is not set",
"meta": {
"errors": {
"type": "badRequest",
"detail": "`environments` field is not set",
"meta": {
"stack":"Error: `environments` field is not set...js:76:19)"
}
}
}
}
]
}Update User access to secretsPUT/users/{userId}/{entityKind}
Put a list of entityKind Id-s the user has access to.
Only one corresponding key must be specified in request body.
- userId
string(required) Example: okta-00ub0oNGTSWTBKOLGLNRID of the User
- entityKind
string(required) Example: environmentsEntity type identifier
Headers
Content-Type: application/json; charset=utf-8
X-Secrets-Token: low-privilege-auth-service-tokenBody
{
"roleId": "0dcc3856-c11b-9673-bd30-b083cbae4987"
}Headers
Content-Type: application/json; charset=utf-8Body
{
"token": "c9086cfc-c1a4-4609-546d-1f9d860c8ac3",
"ttl": 3600
}Headers
Content-Type: application/json; charset=utf-8Body
{
"errors": [
{
"type": "badRequest",
"detail": "Either `highPrivRoleId` or `lowPrivRoleId` field is not set",
"meta": {
"errors": {
"type": "badRequest",
"detail": "Either `highPrivRoleId` or `lowPrivRoleId` field is not set",
"meta": {
"stack": "Error: Either `highPrivRoleId` or `lowPrivRoleId`...js:76:19)"
}
}
}
}
]
}Login User to obtain Secrets TokenPOST/users/{userId}/login
Login to obtain user-token.
- userId
string(required) Example: okta-00ub0oNGTSWTBKOLGLNRID of the User
Apps ¶
Currently recognised apps are:
-
Authentication Service with Id
authentication-service; -
Automation Hub with Id
automation-hub.
Request source IP CIDR will be checked too.
Headers
Content-Type: application/json; charset=utf-8Body
{
"highPrivRoleId": "f696ed85-eab6-484f-8f1b-adac94cffc08",
"lowPrivRoleId": "41bc5ff3-077c-4613-9419-77fe89267113"
}Headers
Content-Type: application/json; charset=utf-8Body
{
"highPrivToken": "89b144e3-d785-46b4-ac3f-5cc504bfc624",
"lowPrivToken": "4f5b5510-a6ac-41e1-b4bc-bcff4f522769",
"ttl": 3600
}Headers
Content-Type: application/json; charset=utf-8Body
{
"errors": [
{
"type": "badRequest",
"detail": "`highPrivRoleId` field is not set",
"meta": {
"errors": {
"type": "badRequest",
"detail": "`highPrivRoleId` field is not set",
"meta": {
"stack": "Error: `highPrivRoleId` field is not set...js:76:19)"
}
}
}
}
]
}Login App to obtain Secrets TokenPOST/apps/{appId}/login
Login to obtain high and low-privilege-auth-service-token-s .
- appId
string(required) Example: authentication-serviceID of the Service / App
Token ¶
Headers
X-Secrets-Token: tokenBody
{
"ttl": 3600
}Renew TokenPOST/tokens/renew
X-Secrets-Token is the token to operate on.
Headers
X-Secrets-Token: tokenRevoke TokenPOST/tokens/revoke
Authentication Service should revoke user token on user logout.
X-Secrets-Token is the token to operate on.
Generated by aglio on 02 May 2020