A secret is either a username/password or name/ssh-key pair for use in securing access to repositories and other systems. Secrets can be created and managed in the Concord Console user interface as well as the Concord REST API.
The REST API supports the operations on secrets described below.
Creates a new secret to be stored in Concord.

- URI: `/api/v1/org/${orgName}/secret`
- Method: `POST`
- Headers: `Authorization`, `Content-Type: multipart/form-data`
- Body: multipart request with the following fields:
  - `type` - mandatory, supported types:
    - `key_pair` - an SSH key pair, public and private key files;
    - `username_password` - a pair of string values;
    - `data` - binary or text data.
  - `name` - mandatory, the name of the created secret. Must be unique for the organization;
  - `storePassword` - optional, a password that will be used to encrypt the created secret and which can be used to retrieve it back;
  - `generatePassword` - optional, a boolean value. If `true`, the server will automatically generate and return a `storePassword` value;
  - `visibility` - optional, `PUBLIC` (default) or `PRIVATE`. See the description of public and private resources;
  - `project` - optional, a project name. If set, the secret can only be used in the processes of the specified project.

  The rest of the parameters depend on the `type` of the created secret:
  - `type=key_pair`:
    - `public` - a public key file of the key pair;
    - `private` - a private key file of the key pair.
  - `type=username_password`:
    - `username` - a string value;
    - `password` - a string value.
  - `type=data`:
    - `data` - a string or binary value.

  For `type=key_pair`, if the `public` value is omitted, a new key pair is generated by the server.

Success response (`Content-Type: application/json`):

```json
{
  "id": "...",
  "result": "CREATED",
  "ok": true
}
```
You can create a new key pair that is signed by the Concord server as follows:

```bash
curl -u myusername \
  -F name=myKey \
  -F type=key_pair \
  https://concord.example.com/api/v1/org/Default/secret
```

After successful authentication with the password you are prompted for, the server generates the new key pair and returns the public key:

```json
{
  "id" : "e7c24546-e0e1-11e7-be9f-fa163e0708eb",
  "result" : "CREATED",
  "publicKey" : "ssh-rsa AAAAB3NzaC1...zri1 concord-server\n",
  "ok" : true
}
```

This key can be used as a deploy key in the git repository of your project to establish the necessary trust between the Concord server and your git repository hosting system.

You can upload an existing key pair as follows:

```bash
curl -H "Authorization: auBy4eDWrKWsyhiDp3AQiw" \
  -F name=myKey \
  -F type=key_pair \
  -F public=@/path/to/id_rsa.pub \
  -F private=@/path/to/id_rsa \
  https://concord.example.com/api/v1/org/Default/secret
```

After successful authentication (here with an API key in the `Authorization` header instead of a prompted password), the server stores the uploaded files. The secret can subsequently be used within your Concord flows.

You can create a username and password secret as follows:

```bash
curl -u myusername \
  -F name=myKey \
  -F type=username_password \
  -F username=myUser \
  -F password=myPass \
  https://concord.example.com/api/v1/org/Default/secret
```

After successful authentication with the prompted password, the server stores both values as a single secret. It can subsequently be used within your Concord flows.

You can store a single value as a secret on Concord as follows:

```bash
curl -u myusername \
  -F name=myKey \
  -F type=data \
  -F data=myValue \
  https://concord.example.com/api/v1/org/Default/secret
```
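The rules above (mandatory `type` and `name`, type-specific fields, server-side key generation when `public` is omitted, `generatePassword` returning a store password) are easy to get wrong when scripting secret creation. The following is an added example, not Concord's own code: it assembles and checks the form fields for the create call before anything is sent, and extracts the values a caller must record from the `CREATED` response. Helper names are hypothetical; the form field names are the documented parameters, and the response key `storePassword` is an assumption based on the description of `generatePassword`.

```python
# Added example (not Concord's own code): client-side checks for the
# create-secret form fields; helper names are hypothetical.
SECRET_TYPES = ("key_pair", "username_password", "data")


def build_create_secret_form(secret_type, name, *, public=None, private=None,
                             username=None, password=None, data=None,
                             store_password=None, generate_password=False,
                             visibility="PRIVATE", project=None):
    """Validate the inputs against the documented rules and return the form fields
    (name -> value) to send as multipart/form-data. Defaults to PRIVATE; the server's own default is PUBLIC."""
    if secret_type not in SECRET_TYPES:
        raise ValueError(f"unsupported type {secret_type!r}")
    if not name:
        raise ValueError("name is mandatory (and must be unique per organization)")
    if visibility not in ("PUBLIC", "PRIVATE"):
        raise ValueError("visibility must be PUBLIC or PRIVATE")
    form = {"type": secret_type, "name": name, "visibility": visibility}
    if secret_type == "key_pair":
        # Omitting 'public' makes the server generate a fresh pair; a lone half of a pair is an error.
        if (public is None) != (private is None):
            raise ValueError("upload both public and private, or omit both to have the server generate a pair")
        if public is not None:
            form["public"], form["private"] = public, private
    elif secret_type == "username_password":
        if username is None or password is None:
            raise ValueError("username and password are both required")
        form["username"], form["password"] = username, password
    else:  # type=data
        if data is None:
            raise ValueError("data is required")
        form["data"] = data
    if store_password:
        form["storePassword"] = store_password
    if generate_password:
        form["generatePassword"] = "true"  # server generates and returns the store password
    if project:
        form["project"] = project  # restricts use to that project's processes
    return form


def summarize_create_response(resp):
    """Pick out what the caller must record from a CREATED response: the id, the public
    key (server-generated pairs) and the store password (key name 'storePassword' is assumed)."""
    if not resp.get("ok") or resp.get("result") != "CREATED":
        raise RuntimeError(f"secret not created: {resp}")
    return {"id": resp["id"], "publicKey": resp.get("publicKey"),
            "storePassword": resp.get("storePassword")}
```

The returned dict maps directly onto `curl -F` pairs or onto the `files`/`data` arguments of an HTTP client.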
Updates parameters of an existing secret.

- URI: `/api/v2/org/${orgName}/secret/${secretName}`
- Method: `POST`
- Headers: `Authorization`, `Content-Type: multipart/form-data`
- Body: multipart binary data. The values are interpreted depending on their name:
  - `name` - new secret name;
  - `orgId` or `org` - new ID or name of the organization which "owns" the secret;
  - `projectId` or `project` - new ID or name of the project to which the secret will be restricted;
  - `removeProjectLink` - remove the restriction to a project, boolean, default value is `false`;
  - `ownerId` - new secret owner identifier, UUID;
  - `storePassword` - current store password used to encrypt the created secret and which can be used to retrieve it back;
  - `newStorePassword` - new store password. `storePassword` is mandatory to set a new store password; secrets protected by the server key cannot be converted into password-protected secrets;
  - `visibility` - new secret visibility, `PUBLIC` or `PRIVATE`. See the description of public and private resources;
  - `type` - type of the secret to be updated, one of `data`, `username_password`, `key_pair`.

  The secret data to be updated depends on the `type` value, and the corresponding rest of the parameters are as follows:
  - `type=key_pair`:
    - `public` - a public key file of the key pair;
    - `private` - a private key file of the key pair.
  - `type=username_password`:
    - `username` - a string value;
    - `password` - a string value.
  - `type=data`:
    - `data` - a string or binary value (file).

  `storePassword` is mandatory when updating a password-protected secret.

Success response (`Content-Type: application/json`):

```json
{
  "ok": true,
  "result": "UPDATED"
}
```
You can update a single-value secret on Concord as follows:

```bash
curl -u myusername \
  -F org=Default \
  -F name=mySecret \
  -F type=data \
  -F data="$(echo -n "your-secret-value" | base64)" \
  https://concord.example.com/api/v2/org/Default/secret/myKey
```

Note that the URI identifies the secret to update, while `name` in the form body sets its new name.
Retrieves metadata of an existing secret.

- URI: `/api/v1/org/${orgName}/secret/${secretName}`
- Method: `GET`
- Headers: `Authorization`

Success response (`Content-Type: application/json`):

```json
{
  "id": "...",
  "name": "secretName",
  "orgId": "...",
  "orgName": "...",
  "projectId": "...",
  "projectName": "...",
  "type": "...",
  "storeType": "...",
  "visibility": "..."
}
```
Returns the public key from an existing key pair secret.

- URI: `/api/v1/org/${orgName}/secret/${secretName}/public`
- Method: `GET`
- Headers: `Authorization`

Success response (`Content-Type: application/json`):

```json
{
  "name": "secretName",
  "publicKey": "ssh-rsa AAAA... concord-server",
  "ok": true
}
```
On a typical Concord installation you can pass your username and be prompted for the password:

```bash
curl -u username 'https://concord.example.com/api/v1/org/Default/secret/myKey/public'
```

The server provides a JSON-formatted response similar to:

```json
{
  "name" : "myKey",
  "publicKey" : "ssh-rsa ABCXYZ... concord-server",
  "ok" : true
}
```

The value of the `publicKey` attribute is the public key of the key pair stored in the secret. The value of the `name` attribute, e.g. `myKey`, identifies the key for usage in Concord.
Deletes a secret and its associated keys.

- URI: `/api/v1/org/${orgName}/secret/${secretName}`
- Method: `DELETE`
- Headers: `Authorization`

Success response (`Content-Type: application/json`):

```json
{
  "ok": true
}
```
Lists all existing secrets in a specific organization.

- URI: `/api/v1/org/${orgName}/secret`
- Method: `GET`
- Query parameters:
  - `limit`: maximum number of records to return;
  - `offset`: starting index from which to return;
  - `filter`: return only secrets with a matching name.

Success response (`Content-Type: application/json`):

```json
[
  { "name": "...", "type": "..." },
  { "name": "...", "type": "..." }
]
```
Returns a secret's current access rules.

- URI: `/api/v1/org/${orgName}/secret/${secretName}/access`
- Method: `GET`
- Headers: `Authorization`

Success response (`Content-Type: application/json`):

```json
[
  {"teamId": "...", "level": "..."},
  ...
]
```
Updates a secret's access rules for a specific team.

- URI: `/api/v1/org/${orgName}/secret/${secretName}/access`
- Method: `POST`
- Headers: `Authorization`, `Content-Type: application/json`
- Body (`Content-Type: application/json`):

```json
{
  "teamId": "9304748c-81e6-11e9-b909-0fe0967f269a",
  "orgName": "myOrg",
  "teamName": "myTeam",
  "level": "READER"
}
```

Either `teamId` or the combination of `orgName` and `teamName` is allowed. The `level` parameter accepts one of three possible values: `READER`, `WRITER` or `OWNER`.

Success response (`Content-Type: application/json`):

```json
{
  "ok": true,
  "result": "UPDATED"
}
```

Example:

```bash
curl -ikn -H 'Content-Type: application/json' \
  -d '{"orgName": "MyOrg", "teamName": "myTeam", "level": "READER"}' \
  https://concord.example.com/api/v1/org/MyOrg/secret/MySecret/access
```

Here `-n` makes curl take the credentials from `~/.netrc`, `-i` includes the response headers in the output, and `-k` skips TLS certificate verification, which is only appropriate against a test server.
Updates a secret's access rules for multiple teams.

- URI: `/api/v1/org/${orgName}/secret/${secretName}/access/bulk`
- Method: `POST`
- Headers: `Authorization`, `Content-Type: application/json`
- Body (`Content-Type: application/json`):

```json
[{
  "teamId": "9304748c-81e6-11e9-b909-0fe0967f269a",
  "orgName": "myOrg",
  "teamName": "myTeam",
  "level": "READER"
}]
```

Accepts a list of access rule elements. See the non-bulk version of this method for the description of each element.

Success response (`Content-Type: application/json`):

```json
{
  "ok": true,
  "result": "UPDATED"
}
```
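The single-team and bulk access endpoints above share the same element format: each rule names a team by `teamId` or by `orgName` plus `teamName`, and `level` is `READER`, `WRITER` or `OWNER`. The following is an added example, not Concord's own code: it validates a desired set of rules, refuses conflicting entries for the same team in one bulk payload, compares them with what `GET .../access` returned so that only real changes are sent, and lists the teams a payload would promote to `OWNER`. Helper names are hypothetical; the rule field names are the documented ones.

```python
# Added example (not Concord's own code): validation and change planning for the
# access-rule endpoints. Helper names are hypothetical.
ACCESS_LEVELS = ("READER", "WRITER", "OWNER")


def team_key(rule):
    """Return a hashable identity for the team a rule addresses, raising ValueError
    if the rule is malformed: it must carry teamId or the orgName+teamName pair,
    and level must be one of ACCESS_LEVELS."""
    if rule.get("level") not in ACCESS_LEVELS:
        raise ValueError(f"level must be one of {ACCESS_LEVELS}: {rule}")
    if rule.get("teamId"):
        return ("teamId", rule["teamId"])
    if rule.get("orgName") and rule.get("teamName"):
        return ("teamName", rule["orgName"], rule["teamName"])
    raise ValueError(f"rule needs teamId or orgName+teamName: {rule}")


def plan_bulk_access_update(current, desired):
    """Validate the desired rules, reject two entries for the same team in one
    payload, and return only the rules whose level differs from the current rules,
    in the list shape POST .../access/bulk expects. Rules from GET carry teamId only,
    so a desired rule given by orgName+teamName cannot be matched and is always sent."""
    seen = set()
    for rule in desired:
        key = team_key(rule)
        if key in seen:
            raise ValueError(f"duplicate rule for team {key}")
        seen.add(key)
    current_levels = {team_key(r): r["level"] for r in current}
    return [r for r in desired if current_levels.get(team_key(r)) != r["level"]]


def owner_grants(rules):
    """List the teams a payload would make OWNER, the most permissive level,
    so they can be reviewed before the request is sent."""
    return [team_key(r) for r in rules if r["level"] == "OWNER"]
```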
Moves the secret to the specified organization (identified by organization name or ID).

- URI: `/api/v1/org/${orgName}/secret/${secretName}`
- Method: `POST`
- Headers: `Authorization`, `Content-Type: application/json`
- Body (`Content-Type: application/json`):

```json
{
  "orgName": "anotherOrg"
}
```

Also accepts `orgId` (unique organization ID) instead of `orgName` in the request body.

Success response (`Content-Type: application/json`):

```json
{
  "ok": true,
  "result": "UPDATED"
}
```