POST Credentials/Create

Creates a new Credential object. During creation, no data validation is performed except when the Amazon Source is ADFS or EC2AssignedRole; the data is stored as-is in the database. To confirm that the credential is valid, apply it to a CA template.

If a vault or safe manages the credential, call the endpoint for that system instead (see the example table at the end of this topic).

Requirements

  • Permissions: The caller must have Create permission and Write permission to the policy folder where the credential is to be created.
    • If the FriendlyName is Certificate or PrivateKey, the caller must also have Private Key Write permission.
    • If the Source is an AWS EC2AssignedRole, the role must already be assigned in EC2. The caller must either be a Master Admin, or its identity must be listed (directly or through group membership) in the AWS EC2 Role Authorized Identities tab in the Platforms tree.

      (Screenshot: EC2 Identities in the Platforms tree)

  • Token scope:  Security:Manage

Headers

  • Content type: Content-Type:application/json.

  • Token: The bearer access token that you received. For example, Authorization:Bearer 4MyGeneratedBearerTknz==. For more information, see Passing a bearer token in your API calls.

Parameters

Input parameters

Name

Description

Contact

(Optional) An array of contacts for the credential.

CredentialPath

The path and full name of the new object. Usually a Distinguished Name (DN) unless a non-standard credential storage system is installed. The value is passed in the Base64 encoded PKCS#12 format.

Description

(Optional) A description for the credential.

EncryptionKey

(Optional) The key to use to protect the credential data.

Expiration

(Optional) A future date/time when the credential expires and requires renewal. Expressed in milliseconds since January 1, 1970 with a time zone offset suffix when using the JSON Date function.

FriendlyName

A parameter that describes the credential type. For more information, see What FriendlyName do I use for my CA?.

Password

The credential password. The value is passed in the Base64 encoded PKCS#12 format.

Shared

(Optional) The setting for shared credentials:

  • true: Share the credential between multiple objects.
  • false: Exclude sharing for this credential.

Values

Case sensitive. An array of Name/Type/Value triplets that describe a credential or key credential. The values depend on FriendlyName:
  • Name: An attribute that is required by a CA or another entity.
  • Type: The data type that describes the Value. For example, string.
  • Value: A value that corresponds to the Name.

Returns

Response description

Name

Description

HTTP 200

For valid requests, this call returns an HTTP 200 message and the following data in the message body:

  • Error: Appears only when the operation cannot supply the necessary data. When present, the body contains only the error description and Result, no other data.
  • Result: Indicates the reason for success or failure. For more information, see Credential result codes.

HTTP 400

For invalid requests, this call returns HTTP 400 Bad Request and the following data in the message body:

  • error: The reason for the error.
  • error_description: If available, additional information about how to retry the request.
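An added end-to-end example in Python (not from the Venafi documentation) that assembles the request this topic describes for a username/password credential, keeps the secret out of logs, and classifies the HTTP 200 / HTTP 400 replies. The base URL, the FriendlyName "UsernamePassword" and the Values names "Username" and "Password" are assumptions; check them against your release.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumptions (not from the page): server URL, FriendlyName and Values names.
TPP_BASE_URL = "https://tpp.example.invalid/vedsdk/"
FRIENDLY_NAME = "UsernamePassword"


def build_create_request(token, credential_path, username, password,
                         description=None, shared=False):
    """Return (url, headers, body) for POST Credentials/Create.

    The password is passed Base64 encoded, as the Password parameter states.
    The server validates nothing at creation, so a wrong DN or value is only
    discovered later when the credential is applied to a CA template.
    """
    encoded_pw = base64.b64encode(password.encode("utf-8")).decode("ascii")
    body = {
        "CredentialPath": credential_path,
        "FriendlyName": FRIENDLY_NAME,
        "Shared": shared,
        "Values": [
            {"Name": "Username", "Type": "string", "Value": username},
            {"Name": "Password", "Type": "string", "Value": encoded_pw},
        ],
    }
    if description:
        body["Description"] = description
    headers = {"Content-Type": "application/json",
               "Authorization": "Bearer " + token}
    return TPP_BASE_URL + "Credentials/Create", headers, body


def loggable(body):
    """Copy of the body that is safe to log: the secret Value is masked."""
    safe = dict(body)
    safe["Values"] = [dict(v, Value="<redacted>") if v["Name"] == "Password"
                      else v for v in body["Values"]]
    return safe


def interpret_response(status, payload):
    """Classify the reply as documented above; returns (ok, message)."""
    if status == 200:
        if "Error" in payload:  # 200 with Error means the operation failed
            return False, "Result %s: %s" % (payload.get("Result"), payload["Error"])
        return True, "Result %s" % payload.get("Result")
    if status == 400:
        detail = payload.get("error_description", "")
        return False, ("400 %s %s" % (payload.get("error", ""), detail)).strip()
    return False, "unexpected HTTP %d" % status


def create_credential(token, credential_path, username, password, **kw):
    """Send the request and classify the reply (network call, not run in tests)."""
    url, headers, body = build_create_request(token, credential_path, username, password, **kw)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return interpret_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:  # 400 arrives here, body still readable
        return interpret_response(err.code, json.load(err))
```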

Example: Many ways to create a credential in Trust Protection Platform

The way to create a credential depends on how you'll use it.

I need this credential ...

Example

Adaptable credential

Requires setup. Only call POST Credentials/Adaptable/Create.

AWS ADFS

Example 2: AWS ADFS credential.

AWS from EC2 role

Example 3: AWS credential from an EC2 assigned role.

AWS Static

Example 1: Amazon Local credentials.

Certificate

Example 4: Certificate credential.

CyberArk safe

Requires setup. For CyberArk Password credential and CyberArk Username and Password credential, only call POST Credentials/CyberArk/Create.

Digicert

Example 6: Password credential.

Generic

Set the credential and Create Store value in the UI.

Google Cloud Private CA

Example 5: Google Cloud Private CA credential.

HashiCorp vault

Requires setup. Only call POST Credentials/Adaptable/Create.

Generic Password

Depending on the CA, requires either a password or an API key. Example 6: Password credential.

Private key

Example 7: Private key credential.

Username and Password

Example 8: Username credential.