POST Credentials/Create
Creates a new Credential object. During creation the data is not validated (except when the Amazon Source is ADFS or EC2AssignedRole); it is stored as-is in the database, so a mistyped secret is accepted silently. To confirm that the credential is valid, apply it to a CA template.
If a vault or safe manages the credential, call the matching endpoint instead:
- For a CyberArk safe, call POST Credentials/CyberArk/Create.
- For a HashiCorp vault, call POST Credentials/Adaptable/Create.
Requirements
- Permissions: The caller must have Create permission and Write permission to the policy folder where the credential is to be created.
- If the FriendlyName is Certificate or PrivateKey, the caller must also have Private Key Write permission.
- If the Source is an AWS EC2AssignedRole, the role must already be assigned in EC2. The caller must either be a Master Admin, or its identity (or a group it belongs to) must be listed on the AWS EC2 Role Authorized Identities tab in the Platforms tree.
- Token scope: Security:Manage
Headers
- Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters

| Name | Description |
|---|---|
| Contact | (Optional) An array of contacts for the credential. |
| CredentialPath | The path and full name of the new object. Usually a Distinguished Name (DN) unless a non-standard credential storage system is installed. |
| Description | (Optional) A description for the credential. |
| EncryptionKey | (Optional) The key used to protect the credential data. |
| Expiration | (Optional) A future date/time when the credential expires and must be renewed. Expressed as milliseconds since January 1, 1970 with a time zone offset suffix, in the JSON Date format (for example `/Date(1767225600000+0000)/`). |
| FriendlyName | The credential type. For more information, see What FriendlyName do I use for my CA?. |
| Password | The credential password. |
| Shared | (Optional) The setting for shared credentials: |
| Values | Case sensitive. An array of Name/Type/Value triplets that describe a credential or key credential. The values depend on FriendlyName. |
Returns

| Name | Description |
|---|---|
| HTTP 200 | For valid requests, this call returns HTTP 200 and the following data in the message body: |
| HTTP 400 | For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body: |
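The following is an added example, not code from the Venafi WebSDK documentation, showing how a client assembles the headers and body described above, converts Expiration into the JSON Date form, and sorts the result into the documented 200/400 outcomes. Because the endpoint stores the Values array as-is, the only place a bad triplet can be caught before it breaks a CA template is on the client, so the builder checks each Name/Type/Value before sending. Assumed, because the page does not state them: the base URL https://tpp.example.com/vedsdk, the FriendlyName value "UsernamePassword", the entry names "Username" and "Password" with Type "string", and the `/Date(<ms><offset>)/` serialization.

```python
"""Added example (not Venafi's own code): build, send and interpret a
POST Credentials/Create request.

Assumptions, because the page does not state them: the WebSDK base URL
https://tpp.example.com/vedsdk, the FriendlyName "UsernamePassword", the
Values entry names "Username"/"Password" with Type "string", and the
JSON Date serialization "/Date(<ms><+HHMM>)/" for Expiration.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Optional

BASE_URL = "https://tpp.example.com/vedsdk"  # assumed; replace with your TPP host


def json_date(when: datetime) -> str:
    """Milliseconds since 1970-01-01 plus a time zone offset suffix (assumed /Date()/ form)."""
    if when.tzinfo is None:
        raise ValueError("Expiration must be time zone aware")
    millis = int(when.timestamp() * 1000)
    return f"/Date({millis}{when.strftime('%z')})/"


def auth_headers(token: str) -> dict:
    """The two headers the endpoint requires."""
    return {"Content-Type": "application/json",
            "Authorization": f"Bearer {token}"}


def build_create_body(credential_path: str, friendly_name: str, values: dict,
                      description: Optional[str] = None,
                      contacts: Optional[list] = None,
                      expiration: Optional[datetime] = None) -> dict:
    """Assemble the request body.

    `values` maps Name -> (Type, Value) and becomes the case-sensitive
    Name/Type/Value triplet array. The server stores whatever it receives
    (no validation except for the ADFS and EC2AssignedRole sources), so a
    wrong Name or an empty secret is accepted and only fails later when a
    CA template uses the credential. Reject incomplete triplets here.
    """
    if not credential_path or credential_path.endswith("\\"):
        raise ValueError("CredentialPath must be the full DN of the new object")
    for name, (typ, value) in values.items():
        if not name or not typ or value is None or value == "":
            raise ValueError(f"incomplete Values triplet for {name!r}")
    body = {
        "CredentialPath": credential_path,
        "FriendlyName": friendly_name,
        "Values": [{"Name": n, "Type": t, "Value": v} for n, (t, v) in values.items()],
    }
    if description:
        body["Description"] = description
    if contacts:
        body["Contact"] = list(contacts)
    if expiration is not None:
        if expiration <= datetime.now(timezone.utc):
            raise ValueError("Expiration must be a future date/time")
        body["Expiration"] = json_date(expiration)
    return body


def interpret_response(status: int, raw: bytes) -> dict:
    """Map the HTTP status to the two documented outcomes (200 / 400)."""
    payload = json.loads(raw) if raw else {}
    if status == 200:
        return {"ok": True, "data": payload}
    if status == 400:
        return {"ok": False, "error": payload}
    return {"ok": False, "error": {"unexpected_status": status, "body": payload}}


def create_credential(token: str, body: dict, base_url: str = BASE_URL) -> dict:
    """POST the body; a 400 is returned as data rather than raised."""
    req = urllib.request.Request(f"{base_url}/Credentials/Create",
                                 data=json.dumps(body).encode(),
                                 headers=auth_headers(token), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample; nothing is sent unless you call create_credential().
    body = build_create_body(
        "\\VED\\Policy\\Credentials\\svc-ca",      # DN under the policy folder
        "UsernamePassword",                        # assumed FriendlyName
        {"Username": ("string", "svc-ca"), "Password": ("string", "hunter2")},
        description="Service account for the CA template",
        expiration=datetime(2099, 1, 1, tzinfo=timezone.utc),
    )
    print(json.dumps(body, indent=2))
```

A 400 from the server only tells you the request shape was wrong; a 200 does not tell you the secret works. After a 200, apply the credential to a CA template and watch for the first enrollment failure, which is where an unvalidated credential surfaces.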
Example: Many ways to create a credential in Trust Protection Platform

| I need this credential ... | Example |
|---|---|
| Adaptable credential | Requires setup. Only call POST Credentials/Adaptable/Create. |
| AWS ADFS | Example 2: AWS ADFS credential. |
| AWS from EC2 role | Example 3: AWS credential from an EC2 assigned role. |
| AWS Static | Example 1: Amazon Local credentials. |
| Certificate | Example 4: Certificate credential. |
| CyberArk safe | Requires setup. For CyberArk Password credential and CyberArk Username and Password credential, only call POST Credentials/CyberArk/Create. |
| Digicert | |
| Generic | Set the credential and Create Store value in the UI. |
| Google Cloud Private CA | Example 5: Google Cloud Private CA credential. |
| HashiCorp vault | Requires setup. Only call POST Credentials/Adaptable/Create. |
| Generic Password | Depending on the CA, requires either a password or an API key. Example 6: Password credential. |
| Private key | Example 7: Private key credential. |
| Username and Password | Example 8: Username credential. |