
Conjur API

Provider: Conjur · Spec: v5.3.0 · OpenAPI 3.0.0 · Mock: live

Mock the Conjur API in seconds. This is an API definition for CyberArk Conjur Open Source.

[01]

About

overview

Mock the Conjur API as a turnkey Mockzilla sim with 41 OpenAPI endpoints, realistic JSON payloads, no upstream signup or sandbox keys. This is an API definition for CyberArk Conjur Open Source. Methods: 17x GET, 16x POST, 3x PUT, 3x PATCH, 2x DELETE. Top resource groups: authentication, status, resources, host factory. Hit https://api.justmocks.com/conjur for the Mockzilla API Explorer landing and per-endpoint sample requests.

Endpoints: 41 across 9 resource groups
Methods: GET 17 · POST 16 · PUT 3 · PATCH 3 · DEL 2 (none deprecated)
OpenAPI: 3.0.0, spec version 5.3.0
Source spec: 100 KB · YAML
[02]

Endpoints

41 operations · 9 resource groups
GET /authenticators
status
Details about which authenticators are on the Conjur Server
Response contains three members: installed, configured, and enabled. installed: the authenticator is implemented in Conjur and is available for configuration. configured: the authenticator has a webservice in the DB that was loaded by policy. enabled: the authenticator is enabled (in the DB or in the ENV) and is ready for authentication. Mocked via Mockzilla.
POST /authn-azure/{service_id}/{account}/{login}/authenticate
authentication
Gets a short-lived access token for applications running in Azure.
The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=. The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. To authenticate to Conjur using this endpoint, reference the detailed documentation: Azure Authenticator (authn-azure).
POST /authn-gcp/{account}/authenticate
authentication
Gets a short-lived access token for applications running in Google Cloud Platform.
Use the GCP Authenticator API to send an authentication request from a Google Cloud service to Conjur. For more information, see the documentation.
GET /authn-gcp/{account}/status
status
Details whether an authentication service has been configured properly
Once the status webservice has been properly configured and the relevant user groups have been given permissions to access the status webservice, the users in those groups can check the status of the authenticator. This operation only supports the GCP authenticator. See Conjur Documentation for details on setting up the authenticator status webservice.
POST /authn-iam/{service_id}/{account}/{login}/authenticate
authentication
Get a short-lived access token for applications running in AWS.
The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=. The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. For detailed instructions on authenticating to Conjur using this endpoint, reference the documentation: AWS IAM Authenticator (authn-iam).
POST /authn-jwt/{service_id}/{account}/authenticate
authentication
Gets a short-lived access token for applications using JSON Web Token (JWT) to access the Conjur API.
Use the JWT Authenticator to leverage the identity layer provided by JWT to authenticate with Conjur. Available as a Mockzilla mock endpoint.
POST /authn-jwt/{service_id}/{account}/{id}/authenticate
authentication
Gets a short-lived access token for applications using JSON Web Token (JWT) to access the Conjur API. Covers the case where the optional URL parameter "ID" is used.
Use the JWT Authenticator to leverage the identity layer provided by JWT to authenticate with Conjur.
POST /authn-k8s/{service_id}/inject_client_cert
authentication
For applications running in Kubernetes; sends Conjur a certificate signing request (CSR) and requests a client certificate injected into the application's Kubernetes pod.
This request sends a Certificate Signing Request to Conjur, which uses the Kubernetes API to inject a client certificate into the application pod. This endpoint requires a properly configured Conjur Certificate Authority service alongside a properly configured and enabled Kubernetes authenticator. For detailed instructions, see the documentation.
POST /authn-k8s/{service_id}/{account}/{login}/authenticate
authentication
Gets a short-lived access token for applications running in Kubernetes.
The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=. The login must be URL encoded and the host ID must have the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. To authenticate to Conjur using this endpoint, reference the detailed documentation: Kubernetes Authenticator (authn-k8s).
GET /authn-ldap/{service_id}/{account}/login
authentication
Gets the Conjur API key of a user given the LDAP username and password via HTTP Basic Authentication.
Exchange your LDAP credentials for a Conjur API key. Once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. The Basic authentication-compliant header is formed by: 1. Concatenating the LDAP username, a literal colon character ':', and the password to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic . Your HTTP/REST client probably provides HTTP basic authentication support.
POST /authn-ldap/{service_id}/{account}/{login}/authenticate
authentication
Gets a short-lived access token for users and hosts using their LDAP identity to access the Conjur API.
The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. To authenticate to Conjur using LDAP, reference the detailed documentation: LDAP Authenticator (authn-ldap). Mockzilla mock: no signup, no API key.
POST /authn-oidc/{service_id}/{account}/authenticate
authentication
Gets a short-lived access token for applications using OpenID Connect (OIDC) to access the Conjur API.
Use the OIDC Authenticator to leverage the identity layer provided by OIDC to authenticate with Conjur. For more information see the documentation.
PUT /authn/{account}/api_key
authentication
Rotates a role's API key.
Any role can rotate its own API key. The name and password (for users) or current API key (for hosts and users) of the role must be provided via HTTP Basic Authorization. To rotate another role's API key, you may provide your name and password (for users) or current API key (for hosts and users) via HTTP Basic Authorization with the request. Alternatively, you may provide your Conjur access token via the standard Conjur Authorization header. The Basic authentication-compliant header is formed by: 1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic . Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. If using the Conjur Authorization header, its value should be set to Token token=. Note that the body of the request must be the empty string.
GET /authn/{account}/login
authentication
Gets the API key of a user given the username and password via HTTP Basic Authentication.
Passwords are stored in the Conjur database using bcrypt with a work factor of 12. Therefore, login is a fairly expensive operation. However, once the API key is obtained, it may be used to inexpensively obtain access tokens by calling the Authenticate method. An access token is required to use most other parts of the Conjur API. The Basic authentication-compliant header is formed by: 1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic . Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords and do not need to use this endpoint.
PUT /authn/{account}/password
authentication
Changes a user’s password.
You must provide the login name and current password or API key of the user whose password is to be updated in an HTTP Basic Authentication header. Also replaces the user’s API key with a new securely generated random value. You can fetch the new API key using the Login method. The Basic authentication-compliant header is formed by: 1. Concatenating the role's name, a literal colon character ':', and the password or API key to create the authentication string. 2. Base64-encoding the authentication string. 3. Prefixing the authentication string with the scheme: Basic (note the required space). 4. Providing the result as the value of the Authorization HTTP header: Authorization: Basic . Your HTTP/REST client probably provides HTTP basic authentication support. For example, curl and all of the Conjur client libraries provide this. Note that machine roles (Hosts) do not have passwords. They authenticate using their API keys, while passwords are only used by human users.
POST /authn/{account}/{login}/authenticate
authentication
Gets a short-lived access token, which is required in the header of most subsequent API requests.
A client can obtain an access token by presenting a valid login name and API key. The access token is used to communicate to the REST API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that was granted during authorization. The login must be URL encoded. For example, alice@devops must be encoded as alice%40devops. The service_id, if given, must be URL encoded. For example, prod/gke must be encoded as prod%2Fgke. For host authentication, the login is the host ID with the prefix host/. For example, the host webserver would login as host/webserver, and would be encoded as host%2Fwebserver. For API usage, the base64-encoded access token is ordinarily passed as an HTTP Authorization header as Authorization: Token token=. This is the default authentication endpoint only. See other endpoints for details on authenticating to Conjur using another method, e.g. for applications running in Azure or Kubernetes. Served by the Mockzilla mock runtime.
POST /ca/{account}/{service_id}/sign
certificate authority
Gets a signed certificate from the configured Certificate Authority service.
Gets a signed certificate from the configured Certificate Authority service. The request must include a valid Certificate Signing Request, and a desired TTL in ISO 8601 format. IMPORTANT: This endpoint is part of an early implementation of support for using Conjur as a certificate authority, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.
GET /health
status
Health info about Conjur
You can request health checks against any cluster node using the Conjur API. These routes do not require authentication. The health check attempts an internal HTTP or TCP connection to each Conjur Enterprise service. It also attempts a simple transaction against all internal databases.
POST /host_factories/hosts
host factory
Creates a Host using the Host Factory.
Creates a Host using the Host Factory and returns a JSON description of it. Requires a host factory token, which can be created using the create tokens API. In practice, this token is usually provided automatically as part of Conjur integration with your host provisioning infrastructure. Note: If the token was created with a CIDR restriction, you must make this API request from a whitelisted address.
POST /host_factory_tokens
host factory
Creates one or more host identity tokens.
Creates one or more tokens which can be used to bootstrap host identity. Responds with a JSON document containing the tokens and their restrictions. If the tokens are created with a CIDR restriction, Conjur will only accept them from the whitelisted IP ranges. Permissions required: execute privilege on the Host Factory.
DEL /host_factory_tokens/{token}
host factory
Revokes a token, immediately disabling it.
Revokes a token, immediately disabling it. Permissions required: update privilege on the host factory. Mocked via Mockzilla.
GET /info
status
Basic information about the Conjur Enterprise server
Information about the Conjur Enterprise node which was queried against. Includes authenticator info, release/version info, configuration details, internal services, and role information.
PATCH /policies/{account}/policy/{identifier}
policies
Modifies an existing Conjur policy.
Modifies an existing Conjur policy. Data may be explicitly deleted using the !delete, !revoke, and !deny statements. Unlike replace mode, no data is ever implicitly deleted. Permissions required
POST /policies/{account}/policy/{identifier}
policies
Adds data to the existing Conjur policy.
Adds data to the existing Conjur policy. Deletions are not allowed. Any policy objects that exist on the server but are omitted from the policy file will not be deleted and any explicit deletions in the policy file will result in an error. Permissions required: create privilege on the policy.
PUT /policies/{account}/policy/{identifier}
policies
Loads or replaces a Conjur policy document.
Loads or replaces a Conjur policy document. Any policy data which already exists on the server but is not explicitly specified in the new policy file will be deleted!
GET /public_keys/{account}/{kind}/{identifier}
public keys
Shows all public keys for a resource.
Shows all public keys for a resource as newline delimited string for compatibility with the authorized_keys SSH format. Returns an empty string if the resource does not exist, to prevent attackers from determining whether a resource exists. Available as a Mockzilla mock endpoint.
GET /remote_health/{remote}
status
Health info about a given Conjur Enterprise server
Use the remote_health route to check the health of any Conjur Enterprise Server from any other Conjur Enterprise Server. With this route, you can check master health relative to a follower, or follower health relative to a standby, and so on.
GET /resources
resources
Lists resources within an organization account.
Lists resources within an organization account. In the absence of an account query parameter, shows results for the account of the authorization token user. If an account query parameter is given, shows results for the specified account. If a kind query parameter is given, narrows results to only resources of that kind. If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results. If the parameter count is true, returns only the number of items in the list. Text search: If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weighs results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.
GET /resources/{account}
resources
Lists resources within an organization account.
Lists resources within an organization account. If a kind query parameter is given, narrows results to only resources of that kind. If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results. If the parameter count is true, returns only the number of items in the list. Text search: If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weighs results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.
GET /resources/{account}/{kind}
resources
Lists resources of the same kind within an organization account.
Lists resources of the same kind within an organization account. Kinds of resources include: policy, user, host, group, layer, or variable. If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results. If the parameter count is true, returns only the number of items in the list. Text search: If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weighs results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind.
GET /resources/{account}/{kind}/{identifier}
resources
Shows a description of a single resource.
Details about a single resource. If permitted_roles and privilege are given, Conjur lists the roles with the specified privilege on the resource. If check, privilege and role are given, Conjur checks if the specified role has the privilege on the resource. If permitted_roles and check are both given, Conjur responds to the check call ONLY. Permissions Required. Mockzilla mock: no signup, no API key.
DEL /roles/{account}/{kind}/{identifier}
roles
Deletes an existing role membership
Deletes an existing role membership. If a role A is granted to a role B, then role A is said to have role B as a member. These relationships are described in the “members” portion of the returned JSON. When the members query parameter is provided, you will get the members of a role. When the members and member query parameters are provided, the role specified by member will be removed as a member of the role specified in the endpoint URI.
GET /roles/{account}/{kind}/{identifier}
roles
Get role information
Gets detailed information about a specific role, including the role members. If a role A is granted to a role B, then role A is said to have role B as a member. These relationships are described in the “members” portion of the returned JSON. Listing members: If members is provided, you will get the members of a role. If a kind query parameter is given, narrows results to only resources of that kind. If a limit is given, returns no more than that number of results. Providing an offset skips a number of resources before returning the rest. In addition, providing an offset will give limit a default value of 10 if none other is provided. These two parameters can be combined to page through results. If the parameter count is true, returns only the number of items in the list. Text search: If the search parameter is provided, narrows results to those pertaining to the search query. Search works across resource IDs and the values of annotations. It weights results so that those with matching id or a matching value of an annotation called name appear first, then those with another matching annotation value, and finally those with a matching kind. Parameter priority: If Conjur is given any combination of optional parameters, it responds with ONLY results for the parameter of the highest priority. 1. graph 2. all 3. memberships 4. members
POST /roles/{account}/{kind}/{identifier}
roles
Update or modify an existing role membership
Updates or modifies an existing role membership. If a role A is granted to a role B, then role A is said to have role B as a member. These relationships are described in the “members” portion of the returned JSON. When the members query parameter is provided, you will get the members of a role. When the members and member query parameters are provided, the role specified by member will be added as a member of the role specified in the endpoint URI.
GET /secrets
secrets
Fetch multiple secrets
Fetches multiple secret values in one invocation. It’s faster to fetch secrets in batches than to fetch them one at a time.
GET /secrets/{account}/{kind}/{identifier}
secrets
Fetches the value of a secret from the specified Secret.
Fetches the value of a secret from the specified Secret. The latest version will be retrieved unless the version parameter is specified. The twenty most recent secret versions are retained. The secret data is returned in the response body. Note: Conjur will allow you to add a secret to any resource, but the best practice is to store and retrieve secret data only using Secret resources. Served by the Mockzilla mock runtime.
POST /secrets/{account}/{kind}/{identifier}
secrets
Creates a secret value within the specified variable.
Creates a secret value within the specified Secret. Note: Conjur will allow you to add a secret to any resource, but the best practice is to store and retrieve secret data only using Secret resources.
GET /whoami
status
Provides information about the client making an API request.
WhoAmI provides information about the client making an API request. It can be used to help troubleshoot configuration by verifying authentication and the client IP address for audit and network access restrictions. For more information, see Host Attributes.
PATCH /{authenticator}/{account}
authentication
Enables or disables authenticator defined without service_id.
Allows you to either enable or disable a given authenticator that does not have service_id (For example: authn-gcp). When you enable or disable an authenticator via this endpoint, the status of the authenticator is stored in the Conjur database. The enablement status of the authenticator service may be overridden by setting the CONJUR_AUTHENTICATORS environment variable on the Conjur server; in the case where this environment variable is set, the database record of whether the authenticator service is enabled will be ignored. This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.
PATCH /{authenticator}/{service_id}/{account}
authentication
Enables or disables authenticator service instances.
Allows you to either enable or disable a given authenticator service instance. When you enable or disable an authenticator service instance via this endpoint, the status of the authenticator service instance is stored in the Conjur database. The enablement status of the authenticator service instance may be overridden by setting the CONJUR_AUTHENTICATORS environment variable on the Conjur server; in the case where this environment variable is set, the database record of whether the authenticator service instance is enabled will be ignored. This endpoint is part of an early implementation of support for enabling Conjur authenticators via the API, and is currently available at the Community (or early alpha) level. This endpoint is still subject to breaking changes in the future.
GET /{authenticator}/{service_id}/{account}/status
status
Details whether an authentication service has been configured properly
Once the status webservice has been properly configured and the relevant user groups have been given permissions to access the status webservice, the users in those groups can check the status of the authenticator. Supported authenticators: Azure, OIDC. Not supported: AWS IAM, Kubernetes, LDAP. See Conjur Documentation for details on setting up the authenticator status webservice. Mocked via Mockzilla.