The Credentials service is a NetApp Cloud Manager service that provides a secure way to manage and encrypt credentials and sensitive data. The consumers of the service are both external users and internal services with the "credentials:internal" scope.

The service manages three types of credentials:

  • generic

  • AWS Amazon Resource Name (AWS ARN)

  • Azure (Azure service principal)

In addition to the generic credentials, which can be any type of data, the service also provides dedicated endpoints for the following scenarios:

  • ARN credentials are considered best practice for managing third-party permissions. The Credentials service manages
    customer ARNs and can provide temporary credentials for users or other services.
    ARN credentials are not considered sensitive, so ARN data is stored unencrypted in a MongoDB database.

    When creating ARN credentials, the service automatically provides the credentials as type "aws_assume_role".
    For more information, see AWS ARN Documentation.

  • Azure service principal credentials manage and encrypt the service principal data (which is considered sensitive) and can provide a temporary token for
    users or internal services.

    When creating Azure service principal credentials, the service automatically provides the credentials as type "azure_service_principal".
    For more information, see Azure Service Principal Documentation.

REST implementation

HTTP methods

Method Description


Create an object instance


Retrieve an object instance or collection


Update an existing object's specified properties


Remove an existing object

Request headers

Request Header Description


Required. Contains a JWT access token


Used to determine whether credentials are simulated or real

Query parameters

You can use query parameters with endpoints in the following components:

Query Parameter Description


Used for fetching a list of credentials of a specific credentials type


Used to determine whether the service principal is located in the AWS GovCloud (US) location


Used to determine whether to return the decrypted credentials or leave them undefined. The default value is false

Response headers

This API uses the standard HTTP response headers common with all Cloud Manager service APIs. See REST implementation for more information.

HTTP status codes

HTTP Status Code Description


OK: Returned for successful operation completion


Bad Request: Returned if the input is malformed and could not be parsed


Unauthorized: Returned if user authentication failed or the token has expired


Forbidden: Returned for authorization errors depending on the resource and token


Not Found: Returned if the requested resource could not be found


Processing Error: Returned if an error occurs on the server while processing the API call

Error handling

There are three processes involved with error handling and processing:

  • The error is logged for supportability

  • The error is returned to the caller for specific handling

  • The database connection is rolled back

cURL examples

Retrieve generic credentials

The following cURL example retrieves generic credentials by using a specified account ID and credentials ID.

  curl -X GET "<accountId>/credentials/<credentialsId>" -H "accept: application/json" -H "authorization: <user token>"