Create a new credential

POST /accounts/{account_id}/core/v1/credentials

Indicates the desired values for the Credential API resource to be created.

Parameters

  • account_id (string, in: path, required): ID of the containing account resource. Example: {{.Account}}

Request Body

Indicates the desired values for the Credential API resource to be created.

  • type (string, required): Media type of the resource. Defined values are:
      • "application/astra-credential"

  • version (string, required): Version of the resource. Defined values are:
      • "1.0"
      • "1.1"

  • name (string, required): JSON string containing a user-specified name. When a credential is created for a user, the name will be set to the UUID of that user. Defined values are:
      • Minimum length: 1
      • Maximum length: 127

  • keyType (string, optional): JSON string containing an optional user-specified data validation type descriptor for the contents of the keyStore.
    Extended update constraints:
      • If a keyType does not exist in the resource and is not specified in an update, the keyType must not continue to exist in the updated resource.
      • If a keyType does not exist in the resource and is specified in an update, the keyType must be added to the resource and validation must be performed. If the validation fails, the update will fail.
      • If a keyType exists in the resource and is not specified in an update, the keyType must be preserved.
      • If a keyType exists in the resource and is specified in an update, and the keyType specified matches the existing keyType, the keyType must be preserved.
      • If a keyType exists in the resource and is specified in an update, and the keyType specified is different from the existing keyType, the update will fail.
    Defined values are:
      • "generic" - The credential is a generic collection of data. This is equivalent to not including a keyType. Extended validation is performed as follows:
          • One or more strings must exist in the keyStore.
          • Every string in the keyStore must have a value encoded in base64.
      • "passwordHash" - The credential is a password hash. Extended validation is performed as follows:
          • The name of the credential must be unique.
          • The name of the credential must be equal to a valid user resource ID.
          • The name of the credential must not be altered.
          • The corresponding user resource must have an "authProvider" of "local".
          • A "cleartext" string must exist within the keyStore with a value containing a base64-encoded cleartext password:
              • The password cleartext must conform to the account's password policy.
              • The password is stored as a hash.
          • A "change" string must exist within the keyStore with a value containing a base64-encoded string "true" or "false".
          • A credential of type passwordHash can only be deleted if the user ID indicated by the name does not exist.
      • "apikey" - The credential is an API key. Extended validation is performed as follows:
          • An "apikey" string must exist within the keyStore, with a value containing a base64-encoded arbitrary string.
      • "kubeconfig" - The credential is a kubeconfig. Extended validation is performed as follows:
          • A "base64" string must exist within the keyStore, with a value containing a base64-encoded JSON kubeconfig file.
          • The kubeconfig file must only describe a single cluster.
          • No other fields can exist within the keyStore.
      • "certificate" - The credential is a PEM-encoded certificate. Extended validation is performed as follows:
          • A "certificate" string must exist within the keyStore, with a value containing a base64-encoded PEM certificate.
      • "privkey" - The credential is a PEM-encoded private key. Extended validation is performed as follows:
          • A "privkey" string must exist within the keyStore, with a value containing a base64-encoded PEM private key.
      • "s3" - Indicates the credentials are for Simple Storage Service (S3) access. Extended validation is performed as follows:
          • An "accessKey" string must exist within the keyStore with a value containing a base64-encoded S3 access key.
          • An "accessSecret" string must exist within the keyStore with a value containing a base64-encoded S3 access secret.

  • keyStore (keyStore, required): JSON object containing JSON strings. Each string in the keyStore represents part of the credential. The name of each string represents the credential part, and the corresponding key-value stores the value of that part of the credential in base64 format. Defined values are:
      • Conforms to the base64 Encoded Data Schema. No limits are placed on the lengths of the strings.

  • valid (string, optional): JSON string describing whether the credential is valid for use. Default value, if omitted, is "true". Defined values are:
      • "true" - The credential is eligible for use.
      • "false" - The credential must not be used.

  • validFromTimestamp (string, optional): JSON string containing a timestamp indicating the time from which the credential is valid. Used for credential rotation. Defined values are:
      • Conforms to the ISO-8601 Date Time Schema

  • validUntilTimestamp (string, optional): JSON string containing a timestamp indicating when the credential is no longer valid. Used for credential rotation. Defined values are:
      • Conforms to the ISO-8601 Date Time Schema

  • metadata (type_astra_metadata_update, optional): Client and service-specified metadata associated with the resource. Defined values are:
      • Conforms to the Astra Metadata Schema. If not specified on create, a metadata object will be created with no labels. If not specified on update, the metadata object's labels, creationTimestamp and createdBy will be preserved without modification.

Example request
{
  "type": "application/astra-credential",
  "version": "1.1",
  "name": "myCert",
  "keyStore": {
    "privKey": "SGkh",
    "pubKey": "VGhpcyBpcyBhbiBleGFtcGxlLg=="
  }
}
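The following is an added example, not client code from the Astra project or this documentation. It turns the per-keyType "extended validation" rules above into client-side pre-flight checks (strict base64 decoding, required keyStore parts, the single-cluster and no-extra-fields rules for kubeconfig, the "true"/"false" rule for passwordHash's "change" string, a PEM sanity check for certificate/privkey), builds the request body with a validFromTimestamp/validUntilTimestamp rotation window, and prepares the POST without sending it. The base URL, account ID and bearer token are placeholders; the PEM check and the kubeconfig JSON inspection are this example's own approximations of the server-side rules.

```python
import base64
import binascii
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed example, not the Astra project's own client code. It mirrors the
# keyType "extended validation" rules documented above as client-side pre-flight
# checks, so a malformed or mis-encoded secret is rejected locally instead of
# being sent to the API and bounced with a 400. base_url, account_id and the
# bearer token used below are placeholders.

MEDIA_TYPE = "application/astra-credential"
CREDENTIALS_PATH = "/accounts/{account_id}/core/v1/credentials"

# keyStore entries each keyType requires, taken from the field descriptions above.
REQUIRED_PARTS = {
    "generic": (),
    "passwordHash": ("cleartext", "change"),
    "apikey": ("apikey",),
    "kubeconfig": ("base64",),
    "certificate": ("certificate",),
    "privkey": ("privkey",),
    "s3": ("accessKey", "accessSecret"),
}


def encode_part(raw) -> str:
    """base64-encode one credential part (str or bytes) the way the keyStore expects."""
    data = raw if isinstance(raw, bytes) else raw.encode("utf-8")
    return base64.b64encode(data).decode("ascii")


def decode_part(value: str) -> bytes:
    """Strict decode: validate=True rejects stray characters instead of dropping them."""
    return base64.b64decode(value, validate=True)


def validate_key_store(key_type: str, key_store: dict) -> list:
    """Return the rule violations for key_store under key_type (an empty list means OK)."""
    if key_type not in REQUIRED_PARTS:
        return [f"unknown keyType {key_type!r}"]
    problems, decoded = [], {}
    if not key_store:
        problems.append("keyStore must contain at least one string")
    for part, value in key_store.items():
        if not isinstance(value, str):
            problems.append(f"{part}: value must be a JSON string")
            continue
        try:
            decoded[part] = decode_part(value)
        except (binascii.Error, ValueError):
            problems.append(f"{part}: value is not valid base64")
    for part in REQUIRED_PARTS[key_type]:
        if part not in key_store:
            problems.append(f"{part}: required for keyType {key_type!r}")
    if key_type == "kubeconfig" and "base64" in decoded:
        extra = sorted(set(key_store) - {"base64"})
        if extra:
            problems.append(f"kubeconfig keyStore must not contain other fields: {extra}")
        try:  # approximation of the "single cluster" rule: count the clusters list
            clusters = json.loads(decoded["base64"]).get("clusters", [])
            if len(clusters) != 1:
                problems.append("kubeconfig must describe exactly one cluster")
        except (ValueError, AttributeError):
            problems.append("base64: decoded kubeconfig is not a JSON object")
    if key_type == "passwordHash" and decoded.get("change") not in (None, b"true", b"false"):
        problems.append('change: must decode to "true" or "false"')
    for pem_part in ("certificate", "privkey"):  # cheap PEM sanity check, not a parser
        if key_type == pem_part and pem_part in decoded and not decoded[pem_part].startswith(b"-----BEGIN "):
            problems.append(f"{pem_part}: expected PEM-encoded data")
    return problems


def build_credential(name: str, key_type: str, parts: dict, valid_for_days: int = None) -> dict:
    """Build the POST body from plaintext parts; raise ValueError if a local check fails.
    valid_for_days fills validFromTimestamp/validUntilTimestamp (the rotation window above)."""
    if not 1 <= len(name) <= 127:
        raise ValueError("name must be 1..127 characters")
    key_store = {part: encode_part(raw) for part, raw in parts.items()}
    problems = validate_key_store(key_type, key_store)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"type": MEDIA_TYPE, "version": "1.1", "name": name,
            "keyType": key_type, "keyStore": key_store}
    if valid_for_days is not None:
        now = datetime.now(timezone.utc).replace(microsecond=0)
        body["validFromTimestamp"] = now.isoformat().replace("+00:00", "Z")
        body["validUntilTimestamp"] = (now + timedelta(days=valid_for_days)).isoformat().replace("+00:00", "Z")
    return body


def create_credential_request(base_url: str, account_id: str, bearer_token: str, body: dict):
    """Prepare (but do not send) the POST described above; the caller opens it with urllib."""
    return urllib.request.Request(
        base_url.rstrip("/") + CREDENTIALS_PATH.format(account_id=account_id),
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
    )
```

A typical call is `build_credential("backup-bucket", "s3", {"accessKey": ..., "accessSecret": ...}, valid_for_days=30)` followed by `create_credential_request(base_url, account_id, token, body)`; keeping the plaintext parts out of the body until `encode_part` runs, and never logging the returned `keyStore`, is the point of routing everything through `build_credential`.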

Response

Status: 201, Returns the newly created credential resource in the JSON response body.

  • type (string, required): Media type of the resource. Defined values are:
      • "application/astra-credential"

  • version (string, required): Version of the resource. Defined values are:
      • "1.0"
      • "1.1"

  • id (string, required): Globally unique identifier of the resource. Defined values are:
      • Conforms to the UUIDv4 Schema

  • name (string, required): JSON string containing a user-specified name. When a credential is created for a user, the name will be set to the UUID of that user. Defined values are:
      • Minimum length: 1
      • Maximum length: 127

  • keyType (string, optional): JSON string containing an optional user-specified data validation type descriptor for the contents of the keyStore.
    Extended update constraints:
      • If a keyType does not exist in the resource and is not specified in an update, the keyType must not continue to exist in the updated resource.
      • If a keyType does not exist in the resource and is specified in an update, the keyType must be added to the resource and validation must be performed. If the validation fails, the update will fail.
      • If a keyType exists in the resource and is not specified in an update, the keyType must be preserved.
      • If a keyType exists in the resource and is specified in an update, and the keyType specified matches the existing keyType, the keyType must be preserved.
      • If a keyType exists in the resource and is specified in an update, and the keyType specified is different from the existing keyType, the update will fail.
    Defined values are:
      • "generic" - The credential is a generic collection of data. This is equivalent to not including a keyType. Extended validation is performed as follows:
          • One or more strings must exist in the keyStore.
          • Every string in the keyStore must have a value encoded in base64.
      • "passwordHash" - The credential is a password hash. Extended validation is performed as follows:
          • The name of the credential must be unique.
          • The name of the credential must be equal to a valid user resource ID.
          • The name of the credential must not be altered.
          • The corresponding user resource must have an "authProvider" of "local".
          • A "cleartext" string must exist within the keyStore with a value containing a base64-encoded cleartext password:
              • The password cleartext must conform to the account's password policy.
              • The password is stored as a hash.
          • A "change" string must exist within the keyStore with a value containing a base64-encoded string "true" or "false".
          • A credential of type passwordHash can only be deleted if the user ID indicated by the name does not exist.
      • "apikey" - The credential is an API key. Extended validation is performed as follows:
          • An "apikey" string must exist within the keyStore, with a value containing a base64-encoded arbitrary string.
      • "kubeconfig" - The credential is a kubeconfig. Extended validation is performed as follows:
          • A "base64" string must exist within the keyStore, with a value containing a base64-encoded JSON kubeconfig file.
          • The kubeconfig file must only describe a single cluster.
          • No other fields can exist within the keyStore.
      • "certificate" - The credential is a PEM-encoded certificate. Extended validation is performed as follows:
          • A "certificate" string must exist within the keyStore, with a value containing a base64-encoded PEM certificate.
      • "privkey" - The credential is a PEM-encoded private key. Extended validation is performed as follows:
          • A "privkey" string must exist within the keyStore, with a value containing a base64-encoded PEM private key.
      • "s3" - Indicates the credentials are for Simple Storage Service (S3) access. Extended validation is performed as follows:
          • An "accessKey" string must exist within the keyStore with a value containing a base64-encoded S3 access key.
          • An "accessSecret" string must exist within the keyStore with a value containing a base64-encoded S3 access secret.

  • valid (string, required): JSON string describing whether the credential is valid for use. Default value, if omitted, is "true". Defined values are:
      • "true" - The credential is eligible for use.
      • "false" - The credential must not be used.

  • validFromTimestamp (string, optional): JSON string containing a timestamp indicating the time from which the credential is valid. Used for credential rotation. Defined values are:
      • Conforms to the ISO-8601 Date Time Schema

  • validUntilTimestamp (string, optional): JSON string containing a timestamp indicating when the credential is no longer valid. Used for credential rotation. Defined values are:
      • Conforms to the ISO-8601 Date Time Schema

  • metadata (type_astra_metadata_update, required): Client and service-specified metadata associated with the resource. Defined values are:
      • Conforms to the Astra Metadata Schema. If not specified on create, a metadata object will be created with no labels. If not specified on update, the metadata object's labels, creationTimestamp and createdBy will be preserved without modification.

Example response
{
  "type": "application/astra-credential",
  "version": "1.1",
  "id": "58e26f6a-a631-5122-8e0e-7afe306675c0",
  "name": "myCert",
  "valid": "true",
  "metadata": {
    "labels": [],
    "creationTimestamp": "2022-10-06T20:58:16.305662Z",
    "modificationTimestamp": "2022-10-06T20:58:16.305662Z",
    "createdBy": "8f84cf09-8036-51e4-b579-bd30cb07b269"
  }
}

Response

Status: 401, Unauthorized

  • type (string, required)
  • title (string, required)
  • detail (string, optional)
  • status (string, required)
  • correlationID (string, optional)

Example response
{
  "type": "https://astra.netapp.io/problems/3",
  "title": "Missing bearer token",
  "detail": "The request is missing the required bearer token.",
  "status": "401"
}

Response

Status: 400, Bad request

  • type (string, required)
  • title (string, required)
  • detail (string, optional)
  • status (string, required)
  • correlationID (string, optional)
  • invalidFields (array[invalidFields], optional): List of invalid request body fields

Example response
{
  "type": "https://astra.netapp.io/problems/5",
  "title": "Invalid query parameters",
  "detail": "The supplied query parameters are invalid.",
  "status": "400"
}

Response

Status: 409, Conflict

  • type (string, required)
  • title (string, required)
  • detail (string, optional)
  • status (string, required)
  • correlationID (string, optional)
  • invalidFields (array[invalidFields], optional): List of invalid request body fields

Example response
{
  "type": "https://astra.netapp.io/problems/10",
  "title": "JSON resource conflict",
  "detail": "The request body JSON contains a field that conflicts with an idempotent value.",
  "status": "409"
}

Response

Status: 403, Forbidden

  • type (string, required)
  • title (string, required)
  • detail (string, optional)
  • status (string, required)
  • correlationID (string, optional)

Example response
{
  "type": "https://astra.netapp.io/problems/11",
  "title": "Operation not permitted",
  "detail": "The requested operation isn't permitted.",
  "status": "403"
}

Error

Status: 404, Not found

  • type (string, required)
  • title (string, required)
  • detail (string, optional)
  • status (string, required)
  • correlationID (string, optional)

Example error response
{
  "type": "https://astra.netapp.io/problems/2",
  "title": "Collection not found",
  "detail": "The collection specified in the request URI wasn't found.",
  "status": "404"
}
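The following is an added example, not code from the Astra project or this documentation. It reduces an error body of the shape shown in the 400, 401, 403, 404 and 409 examples above to a log-safe summary: the problem fields and the correlationID (the value to quote when raising a support case) are kept, invalidFields are flattened to (name, reason) pairs, and the request body that failed, with its keyStore, is never part of the record. The next-step strings are this example's own guidance derived from the documented titles and details, not text returned by the API; the sample bodies in the usage note are constructed.

```python
import json

# Constructed example, not the Astra project's own code. The NEXT_STEP text is
# this example's guidance, derived from the documented titles/details above.
NEXT_STEP = {
    "400": "fix the listed invalidFields and resend",
    "401": "obtain a bearer token before retrying",
    "403": "operation not permitted for this identity; do not retry unchanged",
    "404": "collection not found; check account_id and the request path",
    "409": "conflicts with an existing idempotent value; read the existing resource first",
}


def summarize_problem(status_code: int, raw_body) -> dict:
    """Parse an error body (JSON as str or bytes) into a log-safe summary.

    Only the problem document's own fields are kept, so the failed request
    (and the keyStore it carried) never reaches the log. A non-JSON body,
    e.g. from an intermediary, is tolerated and reported by HTTP status alone."""
    try:
        problem = json.loads(raw_body) if raw_body else {}
    except ValueError:
        problem = {"title": "non-JSON error body"}
    if not isinstance(problem, dict):
        problem = {"title": "unexpected error body shape"}
    status = str(problem.get("status") or status_code)
    fields = [(f.get("name"), f.get("reason")) for f in problem.get("invalidFields", [])]
    return {
        "status": status,
        "type": problem.get("type"),
        "title": problem.get("title"),
        "detail": problem.get("detail"),
        "correlationID": problem.get("correlationID"),
        "invalid_fields": fields,
        "next_step": NEXT_STEP.get(status, "unexpected status"),
    }
```

Given the 400 example body above extended with a constructed `invalidFields` entry, `summarize_problem(400, body)["invalid_fields"]` yields `[("keyStore", "<reason>")]` and `next_step` starts with "fix the listed invalidFields"; a non-JSON 502 from a proxy yields `status == "502"` and `next_step == "unexpected status"`.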

Definitions

keyStore

JSON object containing JSON strings. Each string in the keyStore represents part of the credential. The name of each string represents the credential part, and the corresponding key-value stores the value of that part of the credential in base64 format. Defined values are:

  • Conforms to the base64 Encoded Data Schema. No limits are placed on the lengths of the strings.

Hash mapping strings to strings.

type_astra_label

  • name (string, required)
  • value (string, required)

type_astra_metadata_update

Client and service-specified metadata associated with the resource. Defined values are:

  • Conforms to the Astra Metadata Schema. If not specified on create, a metadata object will be created with no labels. If not specified on update, the metadata object's labels, creationTimestamp and createdBy will be preserved without modification.

  • labels (array[type_astra_label], optional)
  • creationTimestamp (string, optional)
  • modificationTimestamp (string, optional)
  • createdBy (string, optional)
  • modifiedBy (string, optional)

invalidParams

  • name (string, required): Name of the invalid query parameter
  • reason (string, required): Reason why the query parameter is invalid

invalidFields

  • name (string, required): Name of the invalid request body field
  • reason (string, required): Reason why the request body field is invalid