Create Secret

post

https://Use API Lookup for a base URL/secrets

Creates a new Secret for use in Platform runtimes. The Secret will be enabled on creation. A maximum of 5 Secrets are maintained per User or App at any given point. A Secret can be used to store third-party credentials for use in Platform runtimes.

Assigns "read", "manage", "addGrant:read", and "addGrant:manage" rights to the caller. The calling User or App can now delegate access to the Secret in more granular fashion, using 'read' or 'manage' to another identity in its Realm using the grants APIs. For secure Production systems, HERE recommends creating a delegate App in your Realm, granting only the 'read' permission to that App via the 'grantReadTo' query string parameter, and using that App as RunAsId in your Platform runtime.

Access Control:

The calling principal must be in a realm of type "olp".
The calling principal MUST NOT include a project scope.

Query Params

grantReadTo

string

HRN of the identity to whom to also grant read access. For a secure production system using Application delegates, this is a convenience API that can be used to create a Secret and grant read access in one step. When used with a delegate App and the RunAsId feature, the target App's background runtimes will receive the decoded secret in a file.

You can also omit this parameter, and optionally invoke the Grants API at a later time, to achieve the same effect.

Body Params

string

required

ID for the Secret. ID must contain 4 and 16 lowercase alphanumeric characters [a-z0-9] plus the hyphen character [-].

secret

string

required

Web-safe-base64-encoded secret file contents. This property is redacted from the Retrieve Secret and List Secrets APIs, but is securely delivered to Platform Runtimes, as long as the Secret is enabled and not expired. The 'sha256' property in the Retrieve Secret and List Secrets APIs response provides the ability to validate the stored value, but since sha-256 is a one-way hash, the underlying 'secret' remains hidden from view.

type

string

enum

required

"aws" or "custom". For "aws", the platform will place the file in ~/.aws/. For "custom", the platform will place the file in ~/.here/.

Allowed:

filename

string

A relative filename for the platform to use to write the secret in plaintext on the filesystem. The file will be placed in the directory as specified by the 'type' property. Defaults to "credentials".

name

string

a descriptive name for the secret

enabled

boolean

true for enabled, false for disabled. An enabled=false (disabled) secret is not delivered to Platform Runtimes.

expires

string

Date-time formatted time this Secret expires. A null value or missing property means there is no end time at which the secret expires. This property has no effect if enabled=false. An expired secret is not delivered to Platform Runtimes.

Headers

X-Correlation-ID

string

Correlates HTTP requests between a client and server. If not present in the incoming request, it will be generated. This header and value will be included in all loglines including access logs. It will also be propagated to downstream services and returned in the response.

X-Request-ID

string

The unique for the request, used to track this request within the service. X-Request-ID value is NOT propagated to the downstream services.

Responses

201Created

400 E110100 - Secret cannot be stored based on client input.

401 E110001 - Unauthorized due to invalid credentials.

404 E110102 - No app exists with the specified HRN. E110106 - No user exists with the specified HRN.

409 E110002 - Reached allowed maximum number of Secrets per user or app. Delete a Secret to store another one.

429 E110003 - Request blocked because of too many requests made. Wait for a while before making a new request.