POST PKI/HashiCorp/Role
Creates a role in Trust Protection Platform. After role creation:
- The HashiCorp Vault PKI application driver uses onboard validation to enforce the role policy. Daily onboard validation also compares the CA certificate in the Vault with the certificate of record in Trust Protection Platform.
- The role is ready to provision to the vault. Because there is no automatic way to provision a role to the HashiCorp vault, you must call POST PKI/HashiCorp/CA/{guid}.
Prerequisites
In HashiCorp, create role permissions. For more information, see
Requirements
- Permissions: The caller must have Create permission and Manage Policy permission to the Policy folder where the role will be created.
- Token scope: Certificate:Manage
Headers
-
Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters
For additional information, about HashiCorp roles, see https://www.vaultproject.io/api-docs/secret/pki/#createupdate-role [vaultproject.io].
When adding query parameters, use the /? syntax. If you are not passing any parameters, make sure the URL ends with a trailing slash. Otherwise, some environments, such as cURL and PowerShell, return a HTTP 307 Temporary Redirect message.
|
Name |
Description |
|---|---|
| City | (Optional) The allowed City or Locality (L) that this role can use for CSRs. |
| Country | (Optional) The allowed Country (C) that this role can use for CSRs. |
| EnhancedKeyUsage |
(Optional) The way to enforce the public key of a certificate:
|
| FolderDn | The Policy folder that will hold the new role. |
|
KeyAlgorithm |
(Optional) Required when the HashiCorp Vault CA is responsible for generating the key pair and CSR. Use in conjunction with KeyBitSize.
|
|
KeyBitSize |
(Optional) Required when the
HashiCorp Vault CA is responsible for generating the key
pair and CSR. Use in conjunction with KeyAlgorithm:
|
| Organization | (Optional) The allowed Organization (O) that this role can use for CSRs. |
| OrganizationalUnits | (Optional) An array of allowed department or divisions within the organization (OU) that this role can use for CSRs. |
| RoleName | The role name. The role only appears in Trust Protection Platform until you call POST PKI/HashiCorp/CA. |
| State | (Optional) The allowed State ( ST) that this role can use to generate CSRs. |
| WhitelistedDomains | (Optional) This role only allows the Common Name (CN) and Domain Name Server (DNS) SANs in CSRs to end with one of the domains from the array. |
Returns
|
Name |
Description |
|---|---|
|
HTTP 400 on Error |
For invalid requests, this method an Error: An error message for invalid parameters data, or syntax.
|
|
HTTP 307 |
If the method is missing a slash (/) at the end of the URL or between the query parameters, this message appears: There is no operation listening for [Web SDK method], but there is an operation listening for [Web SDK method/], so you are being redirected there. |
|
HTTP 200 on Success |
For valid requests, this method returns a HTTP 200 message and the following message body:
|
Example: Create a role in Trust Protection Platform
Request for Example
POST https://test.venafi.example/vedsdk/PKI/HashiCorp/Role/
Authorization:Bearer 4MyGeneratedBearerTknz==
{
"FolderDn":"\\VED\\Policy\\HashiCorp",
"RoleName":"TestRole",
"WhitelistedDomains":[
"OKdomain.com"
],
"AllowSubdomain":true,
"OrganizationalUnits":[
"Lab 71"
],
"Organization":"Venafi",
"City":"SLC",
"State":"UT",
"Country":"US",
"KeyAlgorithm":"rsa",
"KeyBitSize":"2048",
"EnhancedKeyUsage":[
"server_flag"
]
}
Response for Example
HTTP/1.1 200 OK
{
"Error":null,
"Guid":"{1951b602-ee26-4222-bd28-64f8b6f57db7}"
}