
Conjur

OpenAPI apis-guru security

This is an API definition for CyberArk Conjur Open Source. You can find out more at .

Homepage
https://api.apis.guru/v2/specs/conjur.local/5.3.0.json
Provider
conjur.local
OpenAPI version
3.0.0
Spec (JSON)
https://api.apis.guru/v2/specs/conjur.local/5.3.0/openapi.json
Spec (YAML)
https://api.apis.guru/v2/specs/conjur.local/5.3.0/openapi.yaml

Tools (43)

Extracted live via the executor SDK.

  • authentication.changePassword

    You must provide the login name and current password or API key of the user whose password is to be updated in an HTTP Basic Authentication header. Also replaces the user’s API key with a new securely generated random value. You can fetch the new API key using the Login method.

    The Basic authentication-compliant header is formed by:

    1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string.
    2. Base64-encoding the authentication string.
    3. Prefixing the authentication string with the scheme: Basic (note the required space).
    4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>.

    Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this.

    Note that machine roles (Hosts) do not have passwords. They authenticate using their API keys, while passwords are only used by human users.

  • authentication.enableAuthenticator

    Allows you to either enable or disable a given authenticator that does not have a service_id (for example, authn-gcp).

    When you enable or disable an authenticator via this endpoint, the status of the authenticator is stored in the Conjur database. The enablement status of the authenticator service may be overridden by setting the CONJUR_AUTHENTICATORS environment variable on the Conjur server; in the case where this environment variable is set, the database record of whether the authenticator service is enabled will be ignored.

    This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.

  • authentication.enableAuthenticatorInstance

    Allows you to either enable or disable a given authenticator service instance.

    When you enable or disable an authenticator service instance via this endpoint, the status of the authenticator service instance is stored in the Conjur database. The enablement status of the authenticator service instance may be overridden by setting the CONJUR_AUTHENTICATORS environment variable on the Conjur server; in the case where this environment variable is set, the database record of whether the authenticator service instance is enabled will be ignored.

    This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.

  • authentication.getAccessToken

    A client can obtain an access token by presenting a valid login name and API key.

    The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

    The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops.

    The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke.

    For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver.

    For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>.

    This is the default authentication endpoint only. See other endpoints for details on authenticating to Conjur using another method, e.g. for applications running in Azure or Kubernetes.

  • authentication.getAccessTokenViaAws

    The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

    For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>.

    The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver.

    The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke.

    For detailed instructions on authenticating to Conjur using this endpoint, reference the documentation: (authn-iam).

  • authentication.getAccessTokenViaAzure

    The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

    For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>.

    The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver.

    The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke.

    To authenticate to Conjur using this endpoint, reference the detailed documentation: (authn-azure).

  • authentication.getAccessTokenViaGcp

    Use the GCP Authenticator API to send an authentication request from a Google Cloud service to Conjur.

    For more information, see .

  • authentication.getAccessTokenViaJwt

    Use the JWT Authenticator to leverage the identity layer provided by JWT to authenticate with Conjur.

  • authentication.getAccessTokenViaJwtWithId

    Use the JWT Authenticator to leverage the identity layer provided by JWT to authenticate with Conjur.

  • authentication.getAccessTokenViaKubernetes

    The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

    For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>.

    The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver.

    The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke.

    To authenticate to Conjur using this endpoint, reference the detailed documentation: (authn-k8s).

  • authentication.getAccessTokenViaLdap

    The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization.

    For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=<base64-encoded token>.

    The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops.

    The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke.

    For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver.

    To authenticate to Conjur using LDAP, reference the detailed documentation: (authn-ldap).

  • authentication.getAccessTokenViaOidc

    Use the OIDC Authenticator to leverage the identity layer provided by OIDC to authenticate with Conjur.

    For more information see .

  • authentication.getApiKey

    Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API.

    The Basic authentication-compliant header is formed by:

    1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string.
    2. Base64-encoding the authentication string.
    3. Prefixing the authentication string with the scheme: Basic (note the required space).
    4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>.

    Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this.

    Note that machine roles (Hosts) do not have passwords and do not need to use this endpoint.

  • authentication.getApiKeyViaLdap

    Exchange your LDAP credentials for a Conjur API key. Once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API.

    The Basic authentication-compliant header is formed by:

    1. Concatenating the LDAP username, a literal colon character ':', and the password to create the authentication string.
    2. Base64-encoding the authentication string.
    3. Prefixing the authentication string with the scheme: Basic (note the required space).
    4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>.

    Your HTTP/REST client probably provides HTTP basic authentication support.

  • authentication.k8sInjectClientCert

    This request sends a Certificate Signing Request to Conjur, which uses the Kubernetes API to inject a client certificate into the application pod.

    This endpoint requires a properly configured Conjur Certificate Authority service alongside a properly configured and enabled Kubernetes authenticator. For detailed instructions, see .

  • authentication.rotateApiKey

    Any role can rotate its own API key. The name and password (for users) or current API key (for hosts and users) of the role must be provided via HTTP Basic Authorization.

    To rotate another role's API key, you may provide your name and password (for users) or current API key (for hosts and users) via HTTP Basic Authorization with the request. Alternatively, you may provide your Conjur access token via the standard Conjur Authorization header.

    The Basic authentication-compliant header is formed by:

    1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string.
    2. Base64-encoding the authentication string.
    3. Prefixing the authentication string with the scheme: Basic (note the required space).
    4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic <authentication string>.

    Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this.

    If using the Conjur Authorization header, its value should be set to Token token=<base64-encoded access token>.

    Note that the body of the request must be the empty string.

  • certificateAuthority.sign

    Gets a signed certificate from the configured Certificate Authority service.

    The request must include a valid Certificate Signing Request, and a desired TTL in ISO 8601 format.

    *** IMPORTANT *** This endpoint is part of an early implementation of support for using Conjur as a certificate authority, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.

  • hostFactory.createHost

    Creates a Host using the Host Factory and returns a JSON description of it.

    Requires a host factory token, which can be created using the create tokens API. In practice, this token is usually provided automatically as part of Conjur integration with your host provisioning infrastructure.

    Note: If the token was created with a CIDR restriction, you must make this API request from a whitelisted address.

  • hostFactory.createToken

    Creates one or more tokens which can be used to bootstrap host identity. Responds with a JSON document containing the tokens and their restrictions.

    If the tokens are created with a CIDR restriction, Conjur will only accept them from the whitelisted IP ranges.

    Permissions required

    execute privilege on the Host Factory.

  • hostFactory.revokeToken

    Revokes a token, immediately disabling it.

    Permissions required

    update privilege on the host factory.

  • policies.loadPolicy

    Adds data to the existing Conjur policy. Deletions are not allowed. Any policy objects that exist on the server but are omitted from the policy file will not be deleted and any explicit deletions in the policy file will result in an error.

    Permissions required

    create privilege on the policy.

  • policies.replacePolicy

    Loads or replaces a Conjur policy document.

    Any policy data that already exists on the server but is not explicitly specified in the new policy file will be deleted!

  • policies.updatePolicy

    Modifies an existing Conjur policy. Data may be explicitly deleted using the !delete, !revoke, and !deny statements. Unlike replace mode, no data is ever implicitly deleted.

    Permissions required

  • publicKeys.showPublicKeys

    Shows all public keys for a resource as a newline-delimited string for compatibility with the authorized_keys SSH format. Returns an empty string if the resource does not exist, to prevent attackers from determining whether a resource exists.

  • resources.showResource

    Details about a single resource.

    If permitted_roles and privilege are given, Conjur lists the roles with the specified privilege on the resource.

    If check, privilege and role are given, Conjur checks if the specified role has the privilege on the resource.

    If permitted_roles and check are both given, Conjur responds to the check call ONLY.

    Permissions Required

  • resources.showResourcesForAccount

    Lists resources within an organization account.

    If a kind query parameter is given, narrows results to only resources of that kind.

    If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results.

    If the parameter count is true, returns only the number of items in the list.

    Text search

    If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weighs results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.

  • resources.showResourcesForAllAccounts

    Lists resources within an organization account.

    In the absence of an account query parameter, shows results for the account of the authorization token user.

    If an account query parameter is given, shows results for the specified account.

    If a kind query parameter is given, narrows results to only resources of that kind.

    If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results.

    If the parameter count is true, returns only the number of items in the list.

    Text search

    If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weighs results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.

  • resources.showResourcesForKind

    Lists resources of the same kind within an organization account.

    Kinds of resources include: policy, user, host, group, layer, or variable.

    If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results.

    If the parameter count is true, returns only the number of items in the list.

    Text search

    If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weighs results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.

  • roles.addMemberToRole

    Updates or modifies an existing role membership.

    If a role A is granted to a role B, then role A is said to have role B as a member. These relationships are described in the “members” portion of the returned JSON.

    When the members query parameter is provided, you will get the members of a role.

    When the members and member query parameters are provided, the role specified by member will be added as a member of the role specified in the endpoint URI.

  • roles.removeMemberFromRole

    Deletes an existing role membership.

    If a role A is granted to a role B, then role A is said to have role B as a member. These relationships are described in the “members” portion of the returned JSON.

    When the members query parameter is provided, you will get the members of a role.

    When the members and member query parameters are provided, the role specified by member will be removed as a member of the role specified in the endpoint URI.

  • roles.showRole

    Gets detailed information about a specific role, including the role members.

    If a role A is granted to a role B, then role A is said to have role B as a member. These relationships are described in the “members” portion of the returned JSON.

    Listing members

    If members is provided, you will get the members of a role.

    If a kind query parameter is given, narrows results to only resources of that kind.

    If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results.

    If the parameter count is true, returns only the number of items in the list.

    Text search

    If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weights results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.

    Parameter Priority

    If Conjur is given any combination of optional parameters, it responds with ONLY results for the parameter of the highest priority.

    1. graph
    2. all
    3. memberships
    4. members

  • secrets.createSecret

    Creates a secret value within the specified Secret.

    Note: Conjur will allow you to add a secret to any resource, but the best practice is to store and retrieve secret data only using Secret resources.

  • secrets.getSecret

    Fetches the value of a secret from the specified Secret. The latest version will be retrieved unless the version parameter is specified. The twenty most recent secret versions are retained.

    The secret data is returned in the response body.

    Note: Conjur will allow you to add a secret to any resource, but the best practice is to store and retrieve secret data only using Secret resources.

  • secrets.getSecrets

    Fetches multiple secret values in one invocation. It’s faster to fetch secrets in batches than to fetch them one at a time.

  • status.getAuthenticators

    Response contains three members: installed, configured, and enabled.

    • installed: The authenticator is implemented in Conjur and is available for configuration.
    • configured: The authenticator has a webservice in the DB that was loaded by policy.
    • enabled: The authenticator is enabled (in the DB or in the ENV) and is ready for authentication.

  • status.getGcpAuthenticatorStatus

    Once the status webservice has been properly configured and the relevant user groups have been given permissions to access the status webservice, the users in those groups can check the status of the authenticator.

    This operation only supports the GCP authenticator.

    See for details on setting up the authenticator status webservice.

  • status.getServiceAuthenticatorStatus

    Once the status webservice has been properly configured and the relevant user groups have been given permissions to access the status webservice, the users in those groups can check the status of the authenticator.

    Supported Authenticators:

    • Azure
    • OIDC

    Not Supported:

    • AWS IAM
    • Kubernetes
    • LDAP

    See for details on setting up the authenticator status webservice.

  • status.health

    You can request health checks against any cluster node using the Conjur API. These routes do not require authentication.

    The health check attempts an internal HTTP or TCP connection to each Conjur Enterprise service. It also attempts a simple transaction against all internal databases.

  • status.info

    Information about the Conjur Enterprise node that was queried.

    Includes authenticator info, release/version info, configuration details, internal services, and role information.

  • status.remoteHealth

    Use the remote_health route to check the health of any Conjur Enterprise Server from any other Conjur Enterprise Server. With this route, you can check master health relative to a follower, or follower health relative to a standby, and so on.

  • status.whoAmI

    WhoAmI provides information about the client making an API request. It can be used to help troubleshoot configuration by verifying authentication and the client IP address for audit and network access restrictions. For more information, see Host Attributes.

  • openapi.previewSpec

    Preview an OpenAPI document before adding it as a source

  • openapi.addSource

    Add an OpenAPI source and register its operations as tools