Overview

The Credentials service is a NetApp Cloud Manager service that provides a secure way to manage and encrypt credentials and sensitive data. The consumers of the service are both external users and internal services that have the "credentials:internal" scope.

The service manages three types of credentials:

  • generic

  • AWS Amazon Resource Name (AWS ARN)

  • Azure (Azure service principal)

In addition to the generic credentials, which can be any type of data, the service also provides dedicated endpoints for the following scenarios:

  • ARN credentials are considered best practice for managing third-party permissions. The Credentials service manages
    customer ARNs and can provide temporary credentials for users or other services.
    ARN credentials are not considered sensitive, so ARN data is stored unencrypted in a MongoDB database.

    When creating ARN credentials, the service automatically provides the credentials as type "aws_assume_role".
    For more information, see AWS ARN Documentation.

  • Azure service principal credentials manage and encrypt the service principal data (which is considered sensitive) and can provide a temporary token for
    users or internal services.

    When creating Azure service principal credentials, the service automatically provides the credentials as type "azure_service_principal".
    For more information, see Azure Service Principal Documentation.


REST implementation

HTTP methods

Method    Description
POST      Create an object instance
GET       Retrieve an object instance or collection
PUT       Update an existing object’s specified properties
DELETE    Remove an existing object

Request headers

Request Header    Description
Authorization     Required. Contains a JWT access token
x-simulator       Used to determine whether credentials are simulated or real

Query parameters

You can use query parameters with endpoints in the following components:

Query Parameter    Description
credentialsType    Used to fetch a list of credentials of a specific credentials type
isGov              Used to determine whether the service principal is located in the AWS GovCloud (US) location
getDecrypted       Used to determine whether to return the decrypted credentials or leave them undefined. Default value: false

Response headers

This API uses the standard HTTP response headers common with all Cloud Manager service APIs. See REST implementation for more information.

HTTP status codes

HTTP Status Code    Description
200                 OK: Returned for successful operation completion
400                 Bad Request: Returned if the input is malformed and could not be parsed
401                 Unauthorized: Returned if user authentication failed or the token has expired
403                 Forbidden: Returned for authorization errors depending on the resource and token
404                 Not Found: Returned if the requested resource could not be found
500                 Processing Error: Returned if an error occurs on the server while processing the API call


Error handling

There are three processes involved with error handling and processing:

  • The error is logged for supportability

  • The error is returned to the caller for specific handling

  • The database connection is rolled back
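
Caller-side handling of a returned error, as an added example that is not NetApp's code: a wrapper around the retrieval endpoint from the cURL example that requests decrypted data only when asked, keeps the token out of the process list, and deletes the output file on any non-200 status. The ID character set, the "getDecrypted=true" value, the CM_TOKEN variable and the action names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not NetApp code. Assumptions: IDs match [A-Za-z0-9_-]+, the
# retrieval endpoint accepts getDecrypted=true, and the JWT is in $CM_TOKEN.
BASE_URL="https://cloudmanager.cloud.netapp.com/credentials"

# Reject empty IDs and IDs with characters that could alter the path or query.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# Print the request URL; getDecrypted is appended only when explicitly asked for.
credentials_url() {
  valid_id "$1" && valid_id "$2" || return 2
  local url="$BASE_URL/account/$1/credentials/$2"
  if [ "${3:-false}" = "true" ]; then url="$url?getDecrypted=true"; fi
  printf '%s\n' "$url"
}

# Map the documented status codes to the caller's next step (names are assumed).
status_action() {
  case "$1" in
    200) echo "ok" ;;
    400) echo "fix-request" ;;
    401) echo "renew-token" ;;
    403) echo "check-scope" ;;
    404) echo "check-ids" ;;
    500) echo "retry-later" ;;
    *)   echo "unexpected" ;;
  esac
}

# Usage: get_credentials <accountId> <credentialsId> <outfile> [true]
get_credentials() {
  local url code action
  url=$(credentials_url "$1" "$2" "${4:-false}") || { echo "invalid id" >&2; return 2; }
  ( umask 077; rm -f "$3"; : > "$3" ) || return 1   # response file is owner-only
  # -H @- reads the header from stdin (curl >= 7.55.0), keeping the token out of argv.
  code=$(printf 'authorization: %s\n' "$CM_TOKEN" |
    curl -sS -o "$3" -w '%{http_code}' -H "accept: application/json" -H @- "$url") || code=000
  action=$(status_action "$code")
  if [ "$action" != "ok" ]; then
    rm -f "$3"   # do not leave an error body or partial secret on disk
    echo "HTTP $code: $action" >&2
    return 1
  fi
}
```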


cURL examples

Retrieve generic credentials

The following cURL example retrieves generic credentials by using a specified account ID and credentials ID.

  curl -X GET "https://cloudmanager.cloud.netapp.com/credentials/account/<accountId>/credentials/<credentialsId>" \
    -H "accept: application/json" \
    -H "authorization: <user token>"