a3dfde5cec
* conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. 
* Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads
216 lines
6.5 KiB
Markdown
---
layout: "api"
page_title: "AliCloud - Secrets Engines - HTTP API"
sidebar_title: "AliCloud"
sidebar_current: "docs-http-secret-alicloud"
description: |-
  This is the API documentation for the Vault AliCloud secrets engine.
---

# AliCloud Secrets Engine (API)

This is the API documentation for the Vault AliCloud secrets engine. For general
information about the usage and operation of the AliCloud secrets engine, please see
the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html).

This documentation assumes the AliCloud secrets engine is enabled at the `/alicloud` path
in Vault. Since it is possible to enable secrets engines at any location, please
update your API calls accordingly.

## Config management

This endpoint configures the root RAM credentials to communicate with AliCloud. AliCloud
will use credentials in the following order:

1. [Environment variables](https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/auth/credentials/providers/env.go)
2. A static credential configuration set at this endpoint
3. Instance metadata (recommended)

To use instance metadata, leave the static credential configuration unset.

At present, this endpoint does not confirm that the provided AliCloud credentials are
valid AliCloud credentials with proper permissions.

Please see the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) for
the policies that should be attached to the access key you provide.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `POST`   | `/alicloud/config`           | `204 (empty body)`     |
| `GET`    | `/alicloud/config`           | `200 application/json` |

### Parameters

* `access_key` (string, required) - The ID of an access key with appropriate policies.
* `secret_key` (string, required) - The secret for that key.

### Sample Post Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/alicloud/config
```

### Sample Post Payload

```json
{
  "access_key": "0wNEpMMlzy7szvai",
  "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
}
```

### Sample Get Response Data

```json
{
  "access_key": "0wNEpMMlzy7szvai"
}
```

## Role management

The `role` endpoint configures how Vault will generate credentials for users of each role.

### Parameters

* `name` (string, required) - Specifies the name of the role to generate credentials against. This is part of the request URL.
* `remote_policies` (string, optional) - The names and types of pre-existing policies to be applied to the generated access token. Example: `"name:AliyunOSSReadOnlyAccess,type:System"`.
* `inline_policies` (string, optional) - The policy document JSON to be generated and attached to the access token.
* `role_arn` (string, optional) - The ARN of a role that will be assumed to obtain STS credentials. See the [Vault AliCloud documentation](/docs/secrets/alicloud/index.html) regarding trusted actors.
* `ttl` (int, optional) - The duration in seconds after which the issued token should expire. Defaults to 0, in which case the value will fall back to the system/mount defaults.
* `max_ttl` (int, optional) - The maximum allowed lifetime of tokens issued using this role.

| Method   | Path                        | Produces               |
| :------- | :-------------------------- | :--------------------- |
| `GET`    | `/alicloud/role`            | `200 application/json` |
| `POST`   | `/alicloud/role/:role_name` | `204 (empty body)`     |
| `GET`    | `/alicloud/role/:role_name` | `200 application/json` |
| `DELETE` | `/alicloud/role/:role_name` | `204 (empty body)`     |

### Sample Post Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/alicloud/role/my-application
```

### Sample Post Payload Using Policies

```json
{
  "remote_policies": [
    "name:AliyunOSSReadOnlyAccess,type:System",
    "name:AliyunRDSReadOnlyAccess,type:System"
  ],
  "inline_policies": "[{\"Statement\": [{\"Action\": [\"ram:Get*\",\"ram:List*\"],\"Effect\": \"Allow\",\"Resource\": \"*\"}],\"Version\": \"1\"}]"
}
```

### Sample Get Role Response Using Policies

```json
{
  "inline_policies": [{
    "hash": "49796debb24d39b7a61485f9b0c97e04",
    "policy_document": {
      "Statement": [{
        "Action": ["ram:Get*", "ram:List*"],
        "Effect": "Allow",
        "Resource": "*"
      }],
      "Version": "1"
    }
  }],
  "max_ttl": 0,
  "remote_policies": [{
    "name": "AliyunOSSReadOnlyAccess",
    "type": "System"
  }, {
    "name": "AliyunRDSReadOnlyAccess",
    "type": "System"
  }],
  "role_arn": "",
  "ttl": 0
}
```

### Sample Post Payload Using Assume-Role

```json
{
  "role_arn": "acs:ram::5138828231865461:role/hastrustedactors"
}
```

### Sample Get Role Response Using Assume-Role

```json
{
  "inline_policies": null,
  "max_ttl": 0,
  "remote_policies": null,
  "role_arn": "acs:ram::5138828231865461:role/hastrustedactors",
  "ttl": 0
}
```

### Sample List Roles Response

Performing a `LIST` on the `/alicloud/roles` endpoint will list the names of all the roles Vault contains.

```json
[
  "policy-based",
  "role-based"
]
```

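A pre-flight review of role payloads in the format documented in this section, as an added example that is not part of the Vault documentation or the plugin's code. It parses the `name:...,type:...` entries, decodes the `inline_policies` JSON string and reports findings; `lint_role`, its wildcard test and the TTL note are hypothetical local review rules, not behaviour of the endpoint.

```python
import json

# Role payload from "Sample Post Payload Using Policies" on this page.
PAGE_SAMPLE = {
    "remote_policies": [
        "name:AliyunOSSReadOnlyAccess,type:System",
        "name:AliyunRDSReadOnlyAccess,type:System",
    ],
    "inline_policies": json.dumps([{
        "Statement": [{"Action": ["ram:Get*", "ram:List*"],
                       "Effect": "Allow", "Resource": "*"}],
        "Version": "1",
    }]),
}

def _as_list(value):
    """Policy fields and remote_policies may be a scalar or a list."""
    return value if isinstance(value, list) else [value]

def parse_remote_policy(entry):
    """Split 'name:<policy>,type:<type>' into {'name': ..., 'type': ...}."""
    fields = dict(part.strip().split(":", 1) for part in entry.split(","))
    if set(fields) != {"name", "type"}:
        raise ValueError(f"expected exactly name and type in {entry!r}")
    return fields

def lint_role(payload):
    """Return review findings for a role payload (hypothetical local rules)."""
    findings = []
    remote = [parse_remote_policy(e)
              for e in _as_list(payload.get("remote_policies") or [])]
    inline = _as_list(json.loads(payload.get("inline_policies") or "[]"))
    if not (remote or inline or payload.get("role_arn")):
        findings.append("no remote_policies, inline_policies or role_arn set")
    for i, doc in enumerate(inline):
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            # Flag only whole-service or global wildcards, not prefixes like ram:Get*.
            broad = [a for a in _as_list(stmt.get("Action", []))
                     if a == "*" or a.endswith(":*")]
            if broad and "*" in _as_list(stmt.get("Resource", [])):
                findings.append(
                    f"inline_policies[{i}] allows {broad} on every resource")
    if not payload.get("ttl"):
        findings.append("ttl is 0 or unset: system/mount default lifetime applies")
    return findings

if __name__ == "__main__":
    for finding in lint_role(PAGE_SAMPLE):
        print(finding)
```

Running the check in CI before the `POST` to `/alicloud/role/:role_name` keeps over-broad inline policies out of the mount.
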
## Generate RAM Credentials

This endpoint generates dynamic RAM credentials based on the named role. This
role must be created before it is queried.

| Method   | Path                         | Produces               |
| :------- | :--------------------------- | :--------------------- |
| `GET`    | `/alicloud/creds/:name`      | `200 application/json` |

### Parameters

* `name` (string, required) - Specifies the name of the role to generate credentials against. This is part of the request URL.

### Sample Request

```
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/alicloud/creds/example-role
```

### Sample Response for Roles Using Policies

```json
{
  "access_key": "0wNEpMMlzy7szvai",
  "secret_key": "PupkTg8jdmau1cXxYacgE736PJj4cA"
}
```

### Sample Response for Roles Using Assume-Role

```json
{
"access_key": "STS.L4aBSCSJVMuKg5U1vFDw",
"expiration": "2018-08-15T22:04:07Z",
"secret_key": "wyLTSmsyPGP1ohvvw8xYgB29dlGI8KMiH2pKCNZ9",
"security_token": "CAESrAIIARKAAShQquMnLIlbvEcIxO6wCoqJufs8sWwieUxu45hS9AvKNEte8KRUWiJWJ6Y+YHAPgNwi7yfRecMFydL2uPOgBI7LDio0RkbYLmJfIxHM2nGBPdml7kYEOXmJp2aDhbvvwVYIyt/8iES/R6N208wQh0Pk2bu+/9dvalp6wOHF4gkFGhhTVFMuTDRhQlNDU0pWTXVLZzVVMXZGRHciBTQzMjc0KgVhbGljZTCpnJjwySk6BlJzYU1ENUJuCgExGmkKBUFsbG93Eh8KDEFjdGlvbkVxdWFscxIGQWN0aW9uGgcKBW9zczoqEj8KDlJlc291cmNlRXF1YWxzEghSZXNvdXJjZRojCiFhY3M6b3NzOio6NDMyNzQ6c2FtcGxlYm94L2FsaWNlLyo="
}
```
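
Client-side handling of the two response shapes shown above, as an added example that is not part of the Vault documentation: it tells STS responses from policy-based ones, masks the secret fields before logging, and decides when STS credentials are close enough to `expiration` to fetch new ones. The helper names, the five-minute skew and the placeholder secret values are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

SECRET_FIELDS = ("secret_key", "security_token")

# Constructed samples in the page's two shapes; secrets are placeholders.
POLICY_SAMPLE = {"access_key": "EXAMPLE-ACCESS-KEY",
                 "secret_key": "EXAMPLE-SECRET"}
STS_SAMPLE = {"access_key": "STS.EXAMPLE",
              "expiration": "2018-08-15T22:04:07Z",
              "secret_key": "EXAMPLE-SECRET",
              "security_token": "EXAMPLE-TOKEN"}

def is_sts(creds):
    """Assume-role responses carry security_token and expiration."""
    return "security_token" in creds and "expiration" in creds

def redact(creds):
    """Copy of the response that is safe to log: secret fields masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v)
            for k, v in creds.items()}

def needs_refresh(creds, now, skew=timedelta(minutes=5)):
    """True when STS credentials expire within `skew` of `now` (UTC-aware).

    Policy-based responses carry no expiration field in the body shown on
    this page, so this returns False for them and the caller has to track
    their lifetime separately.
    """
    if not is_sts(creds):
        return False
    expires = datetime.strptime(creds["expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return expires.replace(tzinfo=timezone.utc) - now <= skew

if __name__ == "__main__":
    now = datetime(2018, 8, 15, 22, 0, 0, tzinfo=timezone.utc)
    print(redact(STS_SAMPLE), needs_refresh(STS_SAMPLE, now))
```
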