A newer release of this product is available.

Create a new role binding for a group

POST /accounts/{account_id}/core/v1/groups/{group_id}/roleBindings

Indicates desired values for the Role Binding API resource to be created.

Parameters

| Name | Type | In | Required | Description |
|---|---|---|---|---|
| account_id | string | path | True | ID of the containing account resource. Example: {{.Account}} |
| group_id | string | path | True | ID of the containing group resource |

Request Body

Indicates desired values for the Role Binding API resource to be created.

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | Media type of the resource. Defined values are: "application/astra-roleBinding" |
| version | string | True | Version of the resource. Defined values are: "1.0", "1.1" |
| userID | string | False | JSON string containing a user resource ID. Conforms to the Astra Identifier Schema. If not specified on create, a nil UUID will be used. Only userID or groupID can be specified on create. |
| groupID | string | False | JSON string containing a group resource ID. Conforms to the Astra Identifier Schema. If not specified on create, a nil UUID will be used. Only userID or groupID can be specified on create. |
| accountID | string | True | JSON string containing the ID of an account resource. For create, this must match the account ID in the request URI. Conforms to the Astra Identifier Schema. |
| role | string | True | JSON string containing one of the four defined roles. Defined values are: "viewer", "member", "admin", "owner" |
| roleConstraints | array[string] | False | JSON array of JSON strings specifying the scope of the role assignment. Conforms to the Astra Role Constraints Schema. If not specified on create, the value will be set to an array of size 1 containing string "*" representing "full scope". If not specified on update, the value will be preserved without modification. An empty array represents "no scope". Examples are listed below the table. |
| metadata | type_astra_metadata_update | False | Client and service-specified metadata associated with the resource. Conforms to the Astra Metadata Schema. If not specified on create, a metadata object will be created with no labels. If not specified on update, the metadata object's labels, creationTimestamp and createdBy will be preserved without modification. |

roleConstraints examples:

  • Allow access to any resource: "roleConstraints": ["*"]

  • Deny access to all resources: "roleConstraints": []

  • Allow access to a specific namespace resource only: "roleConstraints": [ "namespaces:id='6fa2f917-f730-41b8-9c15-17f531843b31'" ]

  • Allow access to a specific namespace and everything under it: "roleConstraints": [ "namespaces:id='6fa2f917-f730-41b8-9c15-17f531843b31'.*" ]

  • Allow access to all namespaces labelled "dev" in any cluster in any cloud, and everything under them: "roleConstraints": [ "namespaces:kubernetesLabels='dev.example.com/appname=dev'.*" ]

  • Allow access to all namespace resources only: "roleConstraints": [ "namespaces:*" ]

  • Allow access to all namespace resources and everything under them: "roleConstraints": [ "namespaces:." ]

Example request
{
  "type": "application/astra-roleBinding",
  "version": "1.1",
  "userID": "00000000-0000-0000-0000-000000000000",
  "groupID": "6f7f5bb3-1320-4861-bd8a-d3a4106d36b1",
  "accountID": "9fd87309-067f-48c9-a331-527796c14cf3",
  "role": "viewer",
  "roleConstraints": [
    "*"
  ]
}
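
A pre-flight check for this request body, added here as an example (not NetApp's code): it applies the field rules from the request body description before the POST is sent and rejects an omitted roleConstraints, which the service would otherwise turn into ["*"] (full scope). The function name, the allow_full_scope flag and the comparison of the body groupID with the URI group are assumptions of this example.

```python
NIL_UUID = "00000000-0000-0000-0000-000000000000"
ROLES = {"viewer", "member", "admin", "owner"}
VERSIONS = {"1.0", "1.1"}


def check_group_role_binding(uri_account_id, uri_group_id, body, allow_full_scope=False):
    """Return a list of problems; an empty list means the body passed every check."""
    problems = []
    # Rules stated in the field descriptions on this page.
    if body.get("type") != "application/astra-roleBinding":
        problems.append("type: must be application/astra-roleBinding")
    if body.get("version") not in VERSIONS:
        problems.append("version: must be 1.0 or 1.1")
    if body.get("accountID") != uri_account_id:
        problems.append("accountID: must match the account ID in the request URI")
    if body.get("role") not in ROLES:
        problems.append("role: must be viewer, member, admin or owner")
    user_id = body.get("userID", NIL_UUID)    # omitted -> nil UUID on create
    group_id = body.get("groupID", NIL_UUID)
    if user_id != NIL_UUID and group_id != NIL_UUID:
        problems.append("userID/groupID: only one of them can be specified on create")
    # Local policy (assumption, not an API rule): a groupID in the body must
    # name the same group as the request URI.
    if group_id not in (NIL_UUID, uri_group_id):
        problems.append("groupID: differs from the group ID in the request URI")
    # Scope: an omitted roleConstraints becomes ["*"] (full scope) on create.
    if "roleConstraints" not in body:
        problems.append("roleConstraints: omitted, service would default to full scope")
        return problems
    constraints = body["roleConstraints"]
    if not isinstance(constraints, list) or not all(isinstance(c, str) for c in constraints):
        problems.append("roleConstraints: must be an array of strings")
    elif "*" in constraints and not allow_full_scope:
        # Local policy (assumption): full scope needs an explicit opt-in.
        problems.append("roleConstraints: full scope requested without allow_full_scope")
    return problems


# Constructed sample: the example request from this page, narrowed to one namespace.
ACCOUNT = "9fd87309-067f-48c9-a331-527796c14cf3"
GROUP = "6f7f5bb3-1320-4861-bd8a-d3a4106d36b1"
SCOPED_BODY = {
    "type": "application/astra-roleBinding",
    "version": "1.1",
    "groupID": GROUP,
    "accountID": ACCOUNT,
    "role": "viewer",
    "roleConstraints": ["namespaces:id='6fa2f917-f730-41b8-9c15-17f531843b31'.*"],
}
```

Run the check in the provisioning script or CI job that issues the POST, and send the body only when the returned list is empty.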

Response

Status: 201, Returns the newly created roleBinding resource in the JSON response body.

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | Media type of the resource. Defined values are: "application/astra-roleBinding" |
| version | string | True | Version of the resource. Defined values are: "1.0", "1.1" |
| id | string | True | Globally unique identifier of the resource. Conforms to the UUIDv4 Schema. |
| principalType | string | True | JSON string representing the type of the principal this binding is associated with. Defined values are: "user", "group". For principalType "user", a non-nil user ID is required. For principalType "group", a non-nil group ID is required. |
| userID | string | True | JSON string containing a user resource ID. Conforms to the Astra Identifier Schema. If not specified on create, a nil UUID will be used. Only userID or groupID can be specified on create. |
| groupID | string | True | JSON string containing a group resource ID. Conforms to the Astra Identifier Schema. If not specified on create, a nil UUID will be used. Only userID or groupID can be specified on create. |
| accountID | string | True | JSON string containing the ID of an account resource. For create, this must match the account ID in the request URI. Conforms to the Astra Identifier Schema. |
| role | string | True | JSON string containing one of the four defined roles. Defined values are: "viewer", "member", "admin", "owner" |
| roleConstraints | array[string] | False | JSON array of JSON strings specifying the scope of the role assignment. Conforms to the Astra Role Constraints Schema. If not specified on create, the value will be set to an array of size 1 containing string "*" representing "full scope". If not specified on update, the value will be preserved without modification. An empty array represents "no scope". Examples are listed below the table. |
| metadata | type_astra_metadata_update | True | Client and service-specified metadata associated with the resource. Conforms to the Astra Metadata Schema. If not specified on create, a metadata object will be created with no labels. If not specified on update, the metadata object's labels, creationTimestamp and createdBy will be preserved without modification. |

roleConstraints examples:

  • Allow access to any resource: "roleConstraints": ["*"]

  • Deny access to all resources: "roleConstraints": []

  • Allow access to a specific namespace resource only: "roleConstraints": [ "namespaces:id='6fa2f917-f730-41b8-9c15-17f531843b31'" ]

  • Allow access to a specific namespace and everything under it: "roleConstraints": [ "namespaces:id='6fa2f917-f730-41b8-9c15-17f531843b31'.*" ]

  • Allow access to all namespaces labelled "dev" in any cluster in any cloud, and everything under them: "roleConstraints": [ "namespaces:kubernetesLabels='dev.example.com/appname=dev'.*" ]

  • Allow access to all namespace resources only: "roleConstraints": [ "namespaces:*" ]

  • Allow access to all namespace resources and everything under them: "roleConstraints": [ "namespaces:." ]

Example response
{
  "type": "application/astra-roleBinding",
  "version": "1.1",
  "id": "a198f052-5cd7-59d3-9f27-9ea32a21fbca",
  "principalType": "group",
  "userID": "00000000-0000-0000-0000-000000000000",
  "groupID": "6f7f5bb3-1320-4861-bd8a-d3a4106d36b1",
  "accountID": "9fd87309-067f-48c9-a331-527796c14cf3",
  "role": "viewer",
  "roleConstraints": [
    "*"
  ],
  "metadata": {
    "labels": [],
    "creationTimestamp": "2022-10-06T20:58:16.305662Z",
    "modificationTimestamp": "2022-10-06T20:58:16.305662Z",
    "createdBy": "8f84cf09-8036-51e4-b579-bd30cb07b269"
  }
}

Response

Status: 401, Unauthorized

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | |
| title | string | True | |
| detail | string | True | |
| status | string | True | |
| correlationID | string | False | |

Example response
{
  "type": "https://astra.netapp.io/problems/3",
  "title": "Missing bearer token",
  "detail": "The request is missing the required bearer token.",
  "status": "401"
}

Response

Status: 400, Bad request

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | |
| title | string | True | |
| detail | string | True | |
| status | string | True | |
| correlationID | string | False | |
| invalidFields | array[invalidFields] | False | List of invalid request body fields |

Example response
{
  "type": "https://astra.netapp.io/problems/5",
  "title": "Invalid query parameters",
  "detail": "The supplied query parameters are invalid.",
  "status": "400"
}

Response

Status: 409, Conflict

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | |
| title | string | True | |
| detail | string | True | |
| status | string | True | |
| correlationID | string | False | |
| invalidFields | array[invalidFields] | False | List of invalid request body fields |

Example response
{
  "type": "https://astra.netapp.io/problems/10",
  "title": "JSON resource conflict",
  "detail": "The request body JSON contains a field that conflicts with an idempotent value.",
  "status": "409"
}

Response

Status: 403, Forbidden

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | |
| title | string | True | |
| detail | string | True | |
| status | string | True | |
| correlationID | string | False | |

Example response
{
  "type": "https://astra.netapp.io/problems/11",
  "title": "Operation not permitted",
  "detail": "The requested operation isn't permitted.",
  "status": "403"
}

Error

Status: 404, Not found

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | True | |
| title | string | True | |
| detail | string | True | |
| status | string | True | |
| correlationID | string | False | |

Example error response
{
  "type": "https://astra.netapp.io/problems/2",
  "title": "Collection not found",
  "detail": "The collection specified in the request URI wasn't found.",
  "status": "404"
}

Definitions

type_astra_label

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | True | |
| value | string | True | |

type_astra_metadata_update

Client and service-specified metadata associated with the resource. Conforms to the Astra Metadata Schema. If not specified on create, a metadata object will be created with no labels. If not specified on update, the metadata object's labels, creationTimestamp and createdBy will be preserved without modification.

| Name | Type | Required | Description |
|---|---|---|---|
| labels | array[type_astra_label] | False | |
| creationTimestamp | string | False | |
| modificationTimestamp | string | False | |
| createdBy | string | False | |
| modifiedBy | string | False | |

invalidParams

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | True | Name of the invalid query parameter |
| reason | string | True | Reason why the query parameter is invalid |

invalidFields

| Name | Type | Required | Description |
|---|---|---|---|
| name | string | True | Name of the invalid request body field |
| reason | string | True | Reason why the request body field is invalid |