Secrets API - Reference¶
GET /v1/secrets¶
Lists a project’s secrets.
The list of secrets can be filtered by the parameters passed in via the URL.
The actual secret payload data will not be listed here. Clients must instead make a separate call to retrieve the secret payload data for each individual secret.
Parameters¶
Name | Type | Description |
---|---|---|
offset | integer | The starting index within the total list of the secrets that you would like to retrieve. |
limit | integer | The maximum number of records to return (up to 100). The default limit is 10. |
name | string | Selects all secrets with name similar to this value. |
alg | string | Selects all secrets with algorithm similar to this value. |
mode | string | Selects all secrets with mode similar to this value. |
bits | integer | Selects all secrets with bit_length equal to this value. |
secret_type | string | Selects all secrets with secret_type equal to this value. |
acl_only | boolean | Selects all secrets with an ACL that contains the user. Project scope is ignored. |
created | string | Date filter to select all secrets with created matching the specified criteria. See Date Filters below for more detail. |
updated | string | Date filter to select all secrets with updated matching the specified criteria. See Date Filters below for more detail. |
expiration | string | Date filter to select all secrets with expiration matching the specified criteria. See Date Filters below for more detail. |
sort | string | Determines the sorted order of the returned list. See Sorting below for more detail. |
Date Filters:¶
The values for the created
, updated
, and expiration
parameters are
comma-separated lists of time stamps in ISO 8601 format. The time stamps can
be prefixed with any of these comparison operators: gt:
(greater-than),
gte:
(greater-than-or-equal), lt:
(less-than), lte:
(less-than-or-equal).
For example, to get a list of secrets that will expire in January of 2020:
GET /v1/secrets?expiration=gte:2020-01-01T00:00:00,lt:2020-02-01T00:00:00
Sorting:¶
The value of the sort
parameter is a comma-separated list of sort keys.
Supported sort keys include created
, expiration
, mode
, name
,
secret_type
, status
, and updated
.
Each sort key may also include a direction. Supported directions
are :asc
for ascending and :desc
for descending. The service will
use :asc
for every key that does not include a direction.
For example, to sort the list from most recently created to oldest:
GET /v1/secrets?sort=created:desc
Request:¶
GET /v1/secrets?offset=1&limit=2&sort=created
Headers:
Accept: application/json
X-Auth-Token: {keystone_token}
(or X-Project-Id: {project id})
Response:¶
{
"next": "http://{barbican_host}:9311/v1/secrets?limit=2&offset=3",
"previous": "http://{barbican_host}:9311/v1/secrets?limit=2&offset=0",
"secrets": [
{
"algorithm": null,
"bit_length": null,
"content_types": {
"default": "application/octet-stream"
},
"created": "2015-04-07T03:37:19.805835",
"creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
"expiration": null,
"mode": null,
"name": "opaque octet-stream base64",
"secret_ref": "http://{barbican_host}:9311/v1/secrets/{uuid}",
"secret_type": "opaque",
"status": "ACTIVE",
"updated": "2015-04-07T03:37:19.808337"
},
{
"algorithm": null,
"bit_length": null,
"content_types": {
"default": "application/octet-stream"
},
"created": "2015-04-07T03:41:02.184159",
"creator_id": "3a7e3d2421384f56a8fb6cf082a8efab",
"expiration": null,
"mode": null,
"name": "opaque random octet-stream base64",
"secret_ref": "http://{barbican_host}:9311/v1/secrets/{uuid}",
"secret_type": "opaque",
"status": "ACTIVE",
"updated": "2015-04-07T03:41:02.187823"
}
],
"total": 5
}
Response Attributes¶
Name | Type | Description |
---|---|---|
secrets | list | Contains a list of secrets. The attributes in the secret objects are the same as for an individual secret. |
total | integer | The total number of secrets available to the user. |
next | string | A HATEOAS URL to retrieve the next set of secrets based on the offset and limit parameters. This attribute is only available when the total number of secrets is greater than offset and limit parameter combined. |
previous | string | A HATEOAS URL to retrieve the previous set of secrets based on the offset and limit parameters. This attribute is only available when the request offset is greater than 0. |
HTTP Status Codes¶
Code | Description |
---|---|
200 | Successful Request |
401 | Invalid X-Auth-Token or the token doesn’t have permissions to this resource |
POST /v1/secrets¶
Creates a Secret entity. If the payload
attribute is not included in the
request, then only the metadata for the secret is created, and a
subsequent PUT request is required.
Attributes¶
Attribute Name | Type | Description | Default |
---|---|---|---|
name | string | (optional) The name of the secret set by the user. | None |
expiration | string | (optional) This is a UTC timestamp in ISO
8601 format YYYY-MM-DDTHH:MM:SSZ . If
set, the secret will not be available after
this time. |
None |
algorithm | string | (optional) Metadata provided by a user or system for informational purposes. | None |
bit_length | integer | (optional) Metadata provided by a user or system for informational purposes. Value must be greater than zero. | None |
mode | string | (optional) Metadata provided by a user or system for informational purposes. | None |
payload | string | (optional) The secret’s data to be stored.
payload_content_type must also be
supplied if payload is included. |
None |
payload_content_type | string | (optional) (required if payload is included) The media type for the content of the payload. For more information see Secret Types | None |
payload_content_encoding | string | (optional) (required if payload is encoded)
The encoding used for the payload to be able
to include it in the JSON request.
Currently only base64 is supported. |
None |
secret_type | string | (optional) Used to indicate the type of secret being stored. For more information see Secret Types | opaque |
Request:¶
POST /v1/secrets
Headers:
Content-Type: application/json
X-Auth-Token: <token>
Content:
{
"name": "AES key",
"expiration": "2015-12-28T19:14:44.180394",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"payload": "YmVlcg==",
"payload_content_type": "application/octet-stream",
"payload_content_encoding": "base64"
}
Response:¶
201 Created
{
"secret_ref": "https://{barbican_host}/v1/secrets/{secret_uuid}"
}
HTTP Status Codes¶
Code | Description |
---|---|
201 | Successfully created a Secret |
400 | Bad Request |
401 | Invalid X-Auth-Token or the token doesn’t have permissions to this resource |
403 | Forbidden. The user has been authenticated, but is not authorized to create a secret. This can be based on the user’s role or the project’s quota. |
415 | Unsupported media-type |
GET /v1/secrets/{uuid}¶
Retrieves a secret’s metadata.
Request:¶
GET /v1/secrets/{uuid}
Headers:
Accept: application/json
X-Auth-Token: {token}
(or X-Project-Id: {project_id})
Response:¶
200 OK
{
"status": "ACTIVE",
"created": "2015-03-23T20:46:51.650515",
"updated": "2015-03-23T20:46:51.654116",
"expiration": "2015-12-28T19:14:44.180394",
"algorithm": "aes",
"bit_length": 256,
"mode": "cbc",
"name": "AES key",
"secret_ref": "https://{barbican_host}/v1/secrets/{secret_uuid}",
"secret_type": "opaque",
"content_types": {
"default": "application/octet-stream"
}
}
Payload Request:¶
Warning
DEPRECATION WARNING: Previous releases of the API allowed the payload to be
retrieved from this same endpoint by changing the Accept header to be one
of the values listed in the content_types
attribute of the Secret
metadata. This was found to be problematic in some situations, so new
applications should make use of the /v1/secrets/{uuid}/payload
endpoint instead.
GET /v1/secrets/{uuid}
Headers:
Accept: application/octet-stream
X-Auth-Token: <token>
Payload Response:¶
200 OK
beer
HTTP Status Codes¶
Code | Description |
---|---|
200 | Successful request |
401 | Invalid X-Auth-Token or the token doesn’t have permissions to this resource |
404 | Not Found |
406 | Not Acceptable |
PUT /v1/secrets/{uuid}¶
Add the payload to an existing metadata-only secret, such as one made by
sending a POST /v1/secrets request that does not include the payload
attribute.
Note
This action can only be done for a secret that doesn’t have a payload.
Headers¶
Name | Description | Default |
---|---|---|
Content-Type | Corresponds with the payload_content_type attribute of a normal secret creation request. | text/plain |
Content-Encoding | (optional) Corresponds with the payload_content_encoding attribute of a normal secret creation request. | None |
Request:¶
PUT /v1/secrets/{uuid}
Headers:
X-Auth-Token: <token>
Content-Type: application/octet-stream
Content-Encoding: base64
Content:
YmxhaA==
Response:¶
204 No Content
HTTP Status Codes¶
Code | Description |
---|---|
204 | Successful request |
401 | Invalid X-Auth-Token or the token doesn’t have permissions to this resource |
404 | Not Found |
DELETE /v1/secrets/{uuid}¶
Delete a secret by uuid
Request:¶
DELETE /v1/secrets/{uuid}
Headers:
X-Auth-Token: <token>
Response:¶
204 No Content
HTTP Status Codes¶
Code | Description |
---|---|
204 | Successful request |
401 | Invalid X-Auth-Token or the token doesn’t have permissions to this resource |
404 | Not Found |
GET /v1/secrets/{uuid}/payload¶
Retrieve a secret’s payload
Accept Header Options:¶
When making a request for a secret’s payload, you must set the accept header
to one of the values listed in the content_types
attribute of a secret’s
metadata.
Request:¶
GET /v1/secrets/{uuid}/payload
Headers:
Accept: text/plain
X-Auth-Token: <token>
Response:¶
200 OK
beer
HTTP Status Codes¶
Code | Description |
---|---|
200 | Successful request |
401 | Invalid X-Auth-Token or the token doesn’t have permissions to this resource |
404 | Not Found |
406 | Not Acceptable |