An OPA Service User is used to access the OPA API. Each Service User is provided tokens used to authenticate and authorize against the service.
Most calls to the OPA API require an HTTP Authorization header with a value of Bearer ${AUTH_TOKEN}.
To retrieve an auth token, you need to create an API key for a Service User and pass the API key information to this endpoint.
Auth tokens may expire at any time, so code that uses them should be prepared to handle a 401 response code by creating a new auth token.
This endpoint requires the following role: resource_admin.
OK
{
  "key_id": "6052868b-1b04-4a14-8288-e6496d7f2f4b",
  "key_secret": "uF0SoVBVQP/hJmQSLUZdM2a7ArYzjD8ykzvG7n4tKaOEfSErcwMUUDWpEf4Q42/HaVKPZUfILkzy/bsQFv7WRg=="
}

{
  "bearer_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImI4YTAzODA0MTM0NjctNGU5OC04ZDU2LTAxNDRlNGNkMGViMCIsInR5cCI6IkpXVCJ9eeyJleHAiOjE0NzY4MTE1OTAsImlzcyI6InNjYWxlZnQuYXV0aC50b2tlbiIsImp0aSI6IjA0YjRhNTE4LWU5YzYtNDc1My05YWY4LThlOTAwNjVjNjX5YSIsInJvbGVzIjp7IjE0NzY4MTE1OTAiOm51bGx9LCJ0ZWFtIjoic2NhbGVmdCIsInVzZXIiOiJyb2JvdF9ydXNzZWxsIn0.pHuv06Q1-sKjHrGXUzQi-uM7AAG3K1Q6RyukyuR2Py6QHwLot1uZmZt4wrBo6tQRCl3RjHBKGcDmEfBZ6_gFucksFMkINTU3sIDmOvSAChopraXjfYh0KarEDmDnIMsEPl7FVhl4N_I0yLK9O5XSS07AvAc-7RRD8dupe7inDITCHEvoJ16osgL1IzoDvc7ZPDj8-xhJ_kAsKc-vJ5WYESAlCFx_fixedM43Apg2TySNE5nSeJFCa02F4ViZleY7K2l4h_p143DzVZjWEBeKmyQVRXhbZzL6HwONOckham_LHuSrP_sOtVc7BrFwmZq2NZtXEOWyQWfJ4Yp0qg8NzV2LhKLc4LookQuilt8OA8jyEeTabu3Rq9zp0y-FodMg64qfWcPSu53HiwYC9dags5zhXa8zuZRcPMO_orCPVYnmO761xAfsp-P8aJJZDqpxlzKA0s-ClBegunC5C9Xq5snIq-f4hT45u8ldBfAr6dLkDO8BdPMTeutH52bTWX3iJ1ipW1YqMefJhPMzBHLwnJ3SYWN7WTEuRyoC6ndQ60PcEzsPJYAO5MxdY4WsnYOqv3aIryuTlwW3K0dNqcvBSirdar5X7AvidO-XLSXXrY134BogaLBze7FwVYwH7ZhzBdX-DwsUwQsJ7R0mRWxpNnhGu7NjkbB0-QJs",
  "expires_at": "2016-10-18T17:26:30Z",
  "team_name": "scaleft"
}
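The 401 handling described above for auth tokens, as an added example that is not part of the OPA documentation: a client caches the bearer_token, refreshes it shortly before expires_at, and on a 401 creates one new token and retries once. The mint and send callables, the skew value and the FakeService stand-in are hypothetical; no real endpoint URL is assumed.

```python
from datetime import datetime, timedelta, timezone

class AuthError(Exception):
    """Raised when a freshly created token is still rejected."""

def parse_ts(value):
    # The page's samples use UTC timestamps such as 2016-10-18T17:26:30Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class TokenClient:
    def __init__(self, mint, send, skew=timedelta(seconds=60), now=None):
        self._mint = mint  # hypothetical: exchanges key_id/key_secret for a token response
        self._send = send  # hypothetical: performs one call with "Bearer <token>"
        self._skew = skew
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token, self._expires = None, None
        self.mints = 0     # counter for auditing how often tokens are created

    def _refresh(self):
        resp = self._mint()
        self._token = resp["bearer_token"]  # keep in memory only; never log it
        self._expires = parse_ts(resp["expires_at"])
        self.mints += 1

    def call(self, request):
        # Refresh ahead of expires_at so most calls never see a 401.
        if self._token is None or self._now() + self._skew >= self._expires:
            self._refresh()
        status, body = self._send(self._token, request)
        if status == 401:
            # Tokens may expire at any time: create one new token, retry once, no loop.
            self._refresh()
            status, body = self._send(self._token, request)
            if status == 401:
                raise AuthError("fresh token rejected; check the API key and Service User status")
        return status, body

# Constructed stand-in for the service so the example runs offline.
class FakeService:
    def __init__(self):
        self.valid, self.n = set(), 0
    def mint(self):
        self.n += 1
        token = "constructed-token-%d" % self.n
        self.valid.add(token)
        return {"bearer_token": token, "expires_at": "2099-01-01T00:00:00Z", "team_name": "example-team"}
    def send(self, token, request):
        return (200, "ok:" + request) if token in self.valid else (401, "")
```

The single bounded retry matters: a second 401 on a fresh token means the key or the Service User itself is no longer valid, so the client stops instead of repeatedly creating tokens.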
Lists all Service Users for your Team.
This endpoint requires one of the following roles: pam_admin, security_admin, resource_admin, delegated_resource_admin.
OK
{
  "list": [
    {
      "team_name": "william-faulkner",
      "id": "aa225c16-af6e-4ab4-9150-456fd472e2d7",
      "name": "OPA User",
      "status": "ACTIVE",
      "details": null,
      "user_type": "service",
      "deleted_at": null
    },
    {
      "team_name": "william-faulkner",
      "id": "6b69de4e-90be-4016-9085-d54bf5815da1",
      "name": "A.User",
      "status": "DISABLED",
      "details": null,
      "user_type": "service",
      "deleted_at": null
    }
  ]
}
Creates a Service User that can be used to automate interactions with the OPA API.
This endpoint requires the following role: resource_admin.
Created
{
  "name": "OPA User"
}

{
  "deleted_at": null,
  "details": null,
  "id": "aa225c16-af6e-4ab4-9150-456fd472e2d7",
  "name": "OPA User",
  "status": "ACTIVE",
  "team_name": "william-faulkner",
  "user_type": "service"
}
Retrieves a specified Service User.
This endpoint requires one of the following roles: pam_admin, security_admin, resource_admin, delegated_resource_admin.
OK
{
  "deleted_at": null,
  "details": null,
  "id": "6b69de4e-90be-4016-9085-d54bf5815da1",
  "name": "A.User",
  "status": "ACTIVE",
  "team_name": "william-faulkner",
  "user_type": "service"
}
Updates a specified Service User.
This endpoint requires the following role: resource_admin.
OK
{
  "status": "DISABLED"
}

{
  "deleted_at": null,
  "details": null,
  "id": "6b69de4e-90be-4016-9085-d54bf5815da1",
  "name": "A.User",
  "status": "DISABLED",
  "team_name": "william-faulkner",
  "user_type": "service"
}
Lists all API keys for a specified Service User. This doesn't return the corresponding secret for each API key.
This endpoint requires the following role: resource_admin.
OK
{
  "list": [
    {
      "id": "c6de9d40-1e6c-4033-88cb-992367d162eb",
      "issued_at": "2020-04-07T02:00:00Z",
      "expires_at": "0001-01-01T00:00:00Z",
      "last_used": null
    },
    {
      "id": "f37fadfc-fa03-4f46-a390-ce202772cff4",
      "issued_at": "2020-04-07T00:00:00Z",
      "expires_at": "2020-04-09T00:00:00Z",
      "last_used": null
    }
  ]
}
Rotates all API keys for a specified Service User. This also sets an expiration date for the existing API keys.
This endpoint requires the following role: resource_admin.
OK
{
  "expires_at": "0001-01-01T00:00:00Z",
  "id": "ba7ffbe9-c8e4-45c9-bc07-45729711c952",
  "issued_at": "2020-04-07T00:00:00Z",
  "last_used": null,
  "secret": "NOvsvBg0g9mFXdHbLxEJcEFpu+LZjQSKsYezqMALq5WbGZTpUsxoS4vBqqHOO9O3xrhOq03B+oLf7bSTShbudw=="
}
Deletes an API key for a Service User. The Service User can no longer authenticate with this API key.
This endpoint requires the following role: resource_admin.
No Content