POST Credentials/Create
Creates a new Credential object. No data validation is performed during creation, except when the Amazon credential's Source is ADFS or EC2AsssignedRole; the data is stored as-is in the database. To confirm that a credential is valid, apply it to a CA template.
If a vault or safe manages the credential, call the corresponding endpoint instead:
- For a CyberArk safe, call POST Credentials/CyberArk/Create.
- For a HashiCorp vault, call POST Credentials/Adaptable/Create.
Requirements
- Permissions: The caller must have Create permission and Write permission to the policy folder where the credential is to be created.
- If the FriendlyName is Certificate or PrivateKey, the caller must also have Private Key Write permission.
- If the Source is an AWS EC2AsssignedRole, the role must already be assigned in EC2. The caller must either be a Master admin, or the caller's identity (directly or through group membership) must be listed in the AWS EC2 Role Authorized Identities tab in the Platforms tree.
- Token scope: Security:Manage
Headers
- Content type: Content-Type:application/json.
- Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.
Parameters
| Name | Description |
|---|---|
| Contact | (Optional) An array of contacts for the credential. |
| CredentialPath | The path and full name of the new object. Usually a Distinguished Name (DN) unless a non-standard credential storage system is installed. The value is passed in the Base64 encoded PKCS#12 format. |
| Description | (Optional) A description for the credential. |
| EncryptionKey | (Optional) The key to use to protect the credential data. |
| Expiration | (Optional) A future date/time when the credential expires and requires renewal. Expressed in milliseconds since January 1, 1970, with a time zone offset suffix when using the JSON Date function. |
| FriendlyName | A parameter that describes the credential type. For more information, see What FriendlyName do I use for my CA?. |
| Password | The credential password. The value is passed in the Base64 encoded PKCS#12 format. |
| Shared | (Optional) The setting for shared credentials: |
| Values | Case sensitive. An array of Name/Type/Value triplets that describe a credential or key credential. The values depend on FriendlyName. |
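Because the server stores the object as-is, the only validation a credential ever gets before it lands in the database is whatever the caller does before sending. The following is an added example (not Venafi's own client code) that assembles the request body from the parameters above, renders the Expiration in the JSON Date form, sets the two headers, and performs a few client-side checks. The base URL, the sample credential path, the FriendlyName and the attribute name used in the Values array, and the exact `/Date(<ms><offset>)/` wrapper are assumptions, not taken from the page.

```python
"""Client-side helper for POST Credentials/Create.

Added example for this page, not Venafi's own client code. Assumed (not from the
page): the WebSDK base URL, the sample credential path, the FriendlyName and the
attribute name in the Values array, and the '/Date(<ms><offset>)/' wrapper for the
JSON Date expiration.
"""
import base64
import json
import urllib.request
from datetime import datetime, timezone

# Placeholder server; replace with your Trust Protection Platform host (assumption).
BASE_URL = "https://tpp.example.test/vedsdk"
POLICY_ROOT = "\\VED\\Policy\\"  # assumed root of the policy tree for credential DNs


def json_date(when: datetime) -> str:
    """Milliseconds since 1970-01-01 plus a time-zone offset suffix, wrapped in the
    '/Date(...)/' form produced by the .NET JSON Date function (assumed wrapper)."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("Expiration must be timezone-aware")
    ms = int(when.timestamp() * 1000)
    minutes = int(when.utcoffset().total_seconds()) // 60
    sign = "+" if minutes >= 0 else "-"
    hh, mm = divmod(abs(minutes), 60)
    return f"/Date({ms}{sign}{hh:02d}{mm:02d})/"


def build_create_request(credential_path, friendly_name, password, values,
                         description=None, expiration=None, encryption_key=None,
                         contacts=None, shared=None):
    """Assemble the JSON body. The server performs no validation, so these checks
    are the caller's last chance to reject bad input before it is stored."""
    if not credential_path.startswith(POLICY_ROOT):
        raise ValueError(f"CredentialPath must be a DN under {POLICY_ROOT}")
    if not friendly_name:
        raise ValueError("FriendlyName is required")
    if not password:
        raise ValueError("Password must not be empty")
    for triplet in values:  # Values is case sensitive: keys must match exactly
        if set(triplet) != {"Name", "Type", "Value"}:
            raise ValueError(f"Values entry must be a Name/Type/Value triplet: {triplet}")
    body = {
        "CredentialPath": credential_path,
        "FriendlyName": friendly_name,
        # The page says the password value is passed Base64 encoded.
        "Password": base64.b64encode(password.encode("utf-8")).decode("ascii"),
        "Values": list(values),
    }
    optional = {
        "Description": description,
        "Expiration": json_date(expiration) if expiration else None,
        "EncryptionKey": encryption_key,
        "Contact": contacts,
        "Shared": shared,
    }
    body.update({k: v for k, v in optional.items() if v is not None})
    return body


def build_headers(bearer_token: str) -> dict:
    """The two headers the page requires: JSON content type and the bearer token."""
    return {"Content-Type": "application/json",
            "Authorization": f"Bearer {bearer_token}"}


def send(body: dict, bearer_token: str, opener=urllib.request.urlopen):
    """POST the body and return (status, decoded JSON). urllib raises HTTPError for
    a 400 Bad Request, so the caller can separate it from the 200 path."""
    req = urllib.request.Request(
        BASE_URL + "/Credentials/Create",
        data=json.dumps(body).encode("utf-8"),
        headers=build_headers(bearer_token),
        method="POST",
    )
    with opener(req) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8") or "{}")


def example_body() -> dict:
    """Worked request for a username/password credential. All values are
    constructed; the FriendlyName and the 'Username' attribute are assumptions."""
    return build_create_request(
        credential_path=POLICY_ROOT + "Credentials\\svc-ca-account",
        friendly_name="UsernamePassword",
        password="s3cret",
        values=[{"Name": "Username", "Type": "string", "Value": "svc-ca-account"}],
        description="CA service account (constructed example)",
        expiration=datetime(2025, 1, 1, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    print(json.dumps(example_body(), indent=2))
```

Running the module prints the body it would send; pass that body and a real bearer token to `send` to perform the call. The optional parameters are only emitted when set, so an omitted EncryptionKey or Expiration never reaches the server as a null value.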
Returns
| Name | Description |
|---|---|
| HTTP 200 | For valid requests, this call returns an HTTP 200 message and the following data in the message body: |
| HTTP 400 | For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body: |
Example: Many ways to create a credential in Trust Protection Platform
| I need this credential ... | Example |
|---|---|
| Adaptable credential | Requires setup. Only call POST Credentials/Adaptable/Create. |
| AWS ADFS | Example 2: AWS ADFS credential. |
| AWS from EC2 role | Example 3: AWS credential from an EC2 assigned role. |
| AWS Static | Example 1: Amazon Local credentials. |
| Certificate | Example 4: Certificate credential. |
| CyberArk safe | Requires setup. For CyberArk Password credential and CyberArk Username and Password credential, only call POST Credentials/CyberArk/Create. |
| Digicert | |
| Generic | Set the credential and Create Store value in the UI. |
| Google Cloud Private CA | Example 5: Google Cloud Private CA credential. |
| HashiCorp vault | Requires setup. Only call POST Credentials/Adaptable/Create. |
| Generic Password | Depending on the CA, requires either a password or an API key. Example 6: Password credential. |
| Private key | Example 7: Private key credential. |
| Username and Password | Example 8: Username credential. |