luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/source/api/auth/oci/index.html.md.erb

251 lines
6.1 KiB
Plaintext
Raw Normal View History

Added OCI Auth plugin documentation (#7284)
2019-09-04 20:25:08 +00:00
---
layout: "api"
page_title: "OCI - Auth Methods - HTTP API"
sidebar_title: "OCI"
sidebar_current: "api-http-auth-oci"
description: |-
This is the API documentation for the Vault OCI auth method plugin.
---
# OCI Auth Method (API)
This is the API documentation for the Vault OCI auth method plugin. To
learn more about the usage and operation, see the
[Vault OCI auth method](/docs/auth/oci.html).
This documentation assumes the OCI method is mounted at the
`/auth/oci` path in Vault. Since it is possible to enable auth methods at
any location, please update your API calls accordingly.
## Configure Home Tenancy Method
Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/oci/config` |
### Parameters
- `home_tenancy_id` `(string: <required>)` - The Tenancy OCID of your OCI account.
### Sample Payload
```json
{
"home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/oci/config
```
## Read Config
Returns the previously configured config.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/auth/oci/config` |
### Sample Request
```
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/oci/config
```
### Sample Response
```json
{
"data":{
"home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
}
}
```
## Create Role
Create a Vault administrator role in the OCI Auth method.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/oci/role/:name`|
### Parameters
- `name` `(string: <required>)` - Name of the role.
- `ocid_list` `(string: <required>)` - A comma separated list of Group or Dynamic Group OCIDs that can take this role.
<%= partial "partials/tokenfields" %>
### Sample Payload
```json
{
"ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea",
"token_policies": [
"dev",
"prod"
],
"token_ttl": 1800
}
```
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/oci/role/devrole
```
## Read Role
Returns the previously registered role configuration.
| Method | Path |
| :--------------------------- | :--------------------- |
| `GET` | `/auth/oci/role/:name` |
### Parameters
- `name` `(string: <required>)` - Name of the role.
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
http://127.0.0.1:8200/v1/auth/oci/role/devrole
```
### Sample Response
```json
{
"data":{
"ocid_list": ["ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq","ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"],
"token_ttl": 1800,
"token_policies":[
"dev",
"prod"
]
}
}
```
## List Roles
Lists all the roles that are registered with the auth method.
| Method | Path |
| :--------------------------- | :--------------------- |
| `LIST` | `/auth/oci/role` |
| `GET` | `/auth/oci/role?list=true` |
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
http://127.0.0.1:8200/v1/auth/oci/role
```
### Sample Response
```json
{
"data": {
"keys": [
"devrole",
"prodrole"
]
}
}
```
## Delete Role
Deletes the previously registered role.
| Method | Path |
| :--------------------------- | :--------------------- |
| `DELETE` | `/auth/oci/role/:role`|
### Parameters
- `role` `(string: <required>)` - Name of the role.
### Sample Request
```text
$ curl \
--header "X-Vault-Token: ..." \
--request DELETE \
http://127.0.0.1:8200/v1/auth/oci/role/devrole
```
## Login
Fetch a token. This endpoint takes signed request headers and
a role name for some entity. It verifies the signed request headers to authenticate that
entity and then authorizes the entity for the given role.
| Method | Path |
| :--------------------------- | :--------------------- |
| `POST` | `/auth/oci/login/:role` |
### Parameters
- `role` `(string: <required>)` - Name of the role against which the login is being attempted.
- `request_headers` `(list: [])` - Signed request headers for authenticating. For details on signing, see [signing the request](https://docs.cloud.oracle.com/iaas/Content/API/Concepts/signingrequests.htm)
### Sample Payload
```json
{
"request_headers": {
"date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
"(request-target)": ["get /v1/auth/oci/login/devrole"],
"host": ["127.0.0.1"],
"content-type": ["application/json"],
"authorization": ["Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""]
}
}
```
### Sample Request
```text
$ curl \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/auth/oci/login/devrole
```
### Sample Response
```json
{
"auth": {
"token": "62b8ssf9-529c-6b26-e0b8-045fcdb4",
"token_accessor": "afaff6d0-be3d-c8d2-b0d7-2676sss0d9b4",
"token_policies": [
"dev"
],
"token_duration": 1800
}
}
```
Reference in a new issue Copy permalink