OCI auth method (API)

This is the API documentation for the Vault OCI auth method plugin. To learn more about the usage and operation, see the Vault OCI auth method.

This documentation assumes the OCI method is mounted at the /auth/oci path in Vault. Since it is possible to enable auth methods at any location, please update your API calls accordingly.

Configure home tenancy method

Configure your home tenancy in the Vault, so that only users or instances from your tenancy will be allowed to log into Vault, through the OCI Auth method.

Method Path

Method	Path
`POST`	`/auth/oci/config`

POST

/auth/oci/config

Parameters

home_tenancy_id (string: <required>) - The Tenancy OCID of your OCI account.

Sample payload

{
  "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/oci/config

Read config

Returns the previously configured config.

Method Path

Method	Path
`GET`	`/auth/oci/config`

GET

/auth/oci/config

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/auth/oci/config

Sample response

{
  "data": {
    "home_tenancy_id": "ocid1.tenancy.oc1..aaaaaaaah7zkvaffv26pzyauoe2zbnionqvhvsexamplee557wakiofi4ysgqq"
  }
}

Create/Update role

Create a Vault administrator role in the OCI Auth method.

Method Path

Method	Path
`POST`	`/auth/oci/role/:name`

POST

/auth/oci/role/:name

Parameters

name (string: <required>) - Name of the role.
ocid_list (string: <required>) - A comma separated list of Group or Dynamic Group OCIDs that can take this role.

@include 'tokenfields.mdx'

Sample payload

{
  "ocid_list": "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq,ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea",
  "token_policies": ["dev", "prod"],
  "token_ttl": 1800
}

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/oci/role/devrole

Read role

Returns the previously registered role configuration.

Method Path

Method	Path
`GET`	`/auth/oci/role/:name`

GET

/auth/oci/role/:name

Parameters

name (string: <required>) - Name of the role.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/auth/oci/role/devrole

Sample response

{
  "data": {
    "ocid_list": [
      "ocid1.group.oc1..aaaaaaaaiqnblimpvmegkqh3bxilrdvjobr7qd223g275idcqhexamplefq",
      "ocid1.dynamicgroup.oc1..aaaaaaaa5hmfyrdaxvmt52ekju5n7ffamn2pdvxaq6esb2vzzoduexamplea"
    ],
    "token_ttl": 1800,
    "token_policies": ["dev", "prod"]
  }
}

List roles

Lists all the roles that are registered with the auth method.

Method Path

Method	Path
`LIST`	`/auth/oci/role`
`GET`	`/auth/oci/role?list=true`

LIST

/auth/oci/role

GET

/auth/oci/role?list=true

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request LIST \
    http://127.0.0.1:8200/v1/auth/oci/role

Sample response

{
  "data": {
    "keys": ["devrole", "prodrole"]
  }
}

Delete role

Deletes the previously registered role.

Method Path

Method	Path
`DELETE`	`/auth/oci/role/:role`

DELETE

/auth/oci/role/:role

Parameters

role (string: <required>) - Name of the role.

Sample request

$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/auth/oci/role/devrole

Fetch a token. This endpoint takes signed request headers and a role name for some entity. It verifies the signed request headers to authenticate that entity and then authorizes the entity for the given role.

Method Path

Method	Path
`POST`	`/auth/oci/login/:role`

POST

/auth/oci/login/:role

Parameters

role (string: <required>) - Name of the role against which the login is being attempted.
request_headers (list: []) - Signed request headers for authenticating. For details on signing, see signing the request

Sample payload

{
  "request_headers": {
    "date": ["Fri, 22 Aug 2019 21:02:19 GMT"],
    "(request-target)": ["get /v1/auth/oci/login/devrole"],
    "host": ["127.0.0.1"],
    "content-type": ["application/json"],
    "authorization": [
      "Signature algorithm=\"rsa-sha256\",headers=\"date (request-target) host\",keyId=\"ocid1.tenancy.oc1..aaaaaaaaba3pv6wkcr4jqae5f15p2b2m2yt2j6rx32uzr4h25vqstifsfdsq/ocid1.user.oc1..aaaaaaaat5nvwcna5j6aqzjcaty5eqbb6qt2jvpkanghtgdaqedqw3rynjq/73:61:a2:21:67:e0:df:be:7e:4b:93:1e:15:98:a5:b7\",signature=\"GBas7grhyrhSKHP6AVIj/h5/Vp8bd/peM79H9Wv8kjoaCivujVXlpbKLjMPeDUhxkFIWtTtLBj3sUzaFj34XE6YZAHc9r2DmE4pMwOAy/kiITcZxa1oHPOeRheC0jP2dqbTll8fmTZVwKZOKHYPtrLJIJQHJjNvxFWeHQjMaR7M=\",version=\"1\""
    ]
  }
}

Sample request

$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/auth/oci/login/devrole

Sample response

{
  "auth": {
    "token": "62b8ssf9-529c-6b26-e0b8-045fcdb4",
    "token_accessor": "afaff6d0-be3d-c8d2-b0d7-2676sss0d9b4",
    "token_policies": ["dev"],
    "token_duration": 1800
  }
}

PreviousLDAP auth method (API)NextOkta auth method (API)

Last updated 1 year ago

Configure home tenancy method

Parameters

Sample payload

Sample request

Read config

Sample request

Sample response

Create/Update role

Parameters

Sample payload

Sample request

Read role

Parameters

Sample request

Sample response

List roles

Sample request

Sample response

Delete role

Parameters

Sample request

Login

Parameters

Sample payload

Sample request

Sample response