enterprise/secrets/v1
COMMERCIAL FEATURE: Access secrets management in the packaged Sensu Go distribution. For more information, read Get started with commercial features.
NOTE: Requests to enterprise/secrets/v1 API endpoints require you to authenticate with a Sensu API key or access token. The code examples in this document use the environment variable $SENSU_API_KEY to represent a valid API key in API requests.
Get all secrets providers
The /providers API endpoint provides HTTP GET access to a list of secrets providers.
Example
The following example demonstrates a GET request to the /providers API endpoint:
curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers \
  -H "Authorization: Key $SENSU_API_KEY"
The request results in a successful HTTP/1.1 200 OK response and a JSON array that contains the secrets provider definitions:
[
  {
    "type": "VaultProvider",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "my_vault",
      "created_by": "admin"
    },
    "spec": {
      "client": {
        "address": "https://vaultserver.example.com:8200",
        "token": "VAULT_TOKEN",
        "version": "v1",
        "tls": {
          "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
        },
        "max_retries": 2,
        "timeout": "20s",
        "rate_limiter": {
          "limit": 10.0,
          "burst": 100
        }
      }
    }
  }
]
NOTE: In addition to the VaultProvider type, the enterprise/secrets/v1 API also includes the Env secrets provider type, which can retrieve backend environment variables as secrets. Learn more in the secrets providers reference.
API Specification
/providers (GET) | |
---|---|
description | Returns the list of secrets providers. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers |
query parameters | types: Defines which type of secrets provider to retrieve. Join with & to retrieve multiple types: ?types=Env&types=VaultProvider. |
response filtering | This endpoint supports API response filtering. |
response type | Array |
response codes |
|
output |
|
Get a specific secrets provider
The /providers/:provider API endpoint provides HTTP GET access to data for a specific secrets :provider, by provider name.
Example
The following example queries the /providers/:provider API endpoint for the requested :provider, my_vault:
curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers/my_vault \
  -H "Authorization: Key $SENSU_API_KEY"
The request will return a successful HTTP/1.1 200 OK response and a JSON map that contains the requested :provider definition (in this example, my_vault):
{
  "type": "VaultProvider",
  "api_version": "secrets/v1",
  "metadata": {
    "name": "my_vault",
    "created_by": "admin"
  },
  "spec": {
    "client": {
      "address": "https://vaultserver.example.com:8200",
      "token": "VAULT_TOKEN",
      "version": "v1",
      "tls": {
        "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
      },
      "max_retries": 2,
      "timeout": "20s",
      "rate_limiter": {
        "limit": 10.0,
        "burst": 100
      }
    }
  }
}
API Specification
/providers/:provider (GET) | |
---|---|
description | Returns the specified secrets provider. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers/my_vault |
response type | Map |
response codes |
|
output |
|
Create or update a secrets provider
The /providers/:provider API endpoint provides HTTP PUT access to create or update a specific :provider, by provider name.
Example
The following example demonstrates a request to the /providers/:provider API endpoint to update the provider my_vault:
curl -X PUT \
  -H "Authorization: Key $SENSU_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "VaultProvider",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "my_vault"
    },
    "spec": {
      "client": {
        "address": "https://vaultserver.example.com:8200",
        "token": "VAULT_TOKEN",
        "version": "v1",
        "tls": {
          "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
        },
        "max_retries": 2,
        "timeout": "20s",
        "rate_limiter": {
          "limit": 10.0,
          "burst": 100
        }
      }
    }
  }' \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers/my_vault
The request will return a successful HTTP/1.1 201 Created response and the complete definition for the provider you created or updated.
API Specification
/providers/:provider (PUT) | |
---|---|
description | Creates or updates the specified secrets provider. The provider resource and API version cannot be altered. |
example URL | http://hostname:8080/api/enterprise/secrets/v1/providers/my_vault |
payload |
|
response codes |
|
Delete a secrets provider
The /providers/:provider API endpoint provides HTTP DELETE access to delete the specified provider from Sensu.
Example
The following example shows a request to the /providers/:provider API endpoint to delete the provider my_vault, resulting in a successful HTTP/1.1 204 No Content response:
curl -X DELETE \
  -H "Authorization: Key $SENSU_API_KEY" \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers/my_vault
API Specification
/providers/:provider (DELETE) | |
---|---|
description | Deletes the specified provider from Sensu. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers/my_vault |
response codes |
|
Get a subset of secrets providers with response filtering
The /providers API endpoint supports response filtering for a subset of secrets providers data based on labels and the provider.name field.
Example
The following example demonstrates a request to the /providers API endpoint with response filtering for only secrets provider definitions whose name includes vault:
curl -H "Authorization: Key $SENSU_API_KEY" http://127.0.0.1:8080/api/enterprise/secrets/v1/providers -G \
  --data-urlencode 'fieldSelector=provider.name matches vault'
The example request will result in a successful HTTP/1.1 200 OK response and a JSON array that contains only provider definitions whose names include vault:
[
  {
    "type": "VaultProvider",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "vault_dev",
      "created_by": "admin"
    },
    "spec": {
      "client": {
        "address": "http://localhost:8200",
        "agent_address": "",
        "max_retries": 2,
        "rate_limiter": {
          "burst": 100,
          "limit": 10
        },
        "timeout": "20s",
        "tls": null,
        "token": "\\u003croot_token\\u003e",
        "version": "v2"
      }
    }
  },
  {
    "type": "VaultProvider",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "my_vault",
      "created_by": "admin"
    },
    "spec": {
      "client": {
        "address": "https://vaultserver.example.com:8200",
        "token": "VAULT_TOKEN",
        "version": "v1",
        "tls": {
          "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
        },
        "max_retries": 2,
        "timeout": "20s",
        "rate_limiter": {
          "limit": 10.0,
          "burst": 100
        }
      }
    }
  }
]
NOTE: Read API response filtering for more filter statement examples that demonstrate how to filter responses using different operators with label and field selectors.
API Specification
/providers (GET) with response filters | |
---|---|
description | Returns the list of secrets providers that match the response filters applied in the API request. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers |
response type | Array |
response codes |
|
output |
|
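The provider definitions in the example responses above include the Vault client address and the token field, so a /providers response is worth auditing and should be masked before it is copied into logs or tickets. The following is an added example, not part of the Sensu documentation or code: it flags VaultProvider entries whose address is not https and returns a copy with the token field redacted. The sample response is constructed from the examples on this page, and the function names audit_providers and redact are hypothetical.

```python
import copy
import json
from urllib.parse import urlparse

# Constructed sample, trimmed from the example /providers responses on this page.
SAMPLE_RESPONSE = json.loads("""
[
  {"type": "VaultProvider", "api_version": "secrets/v1",
   "metadata": {"name": "vault_dev", "created_by": "admin"},
   "spec": {"client": {"address": "http://localhost:8200", "tls": null,
                       "token": "<root_token>", "version": "v2"}}},
  {"type": "VaultProvider", "api_version": "secrets/v1",
   "metadata": {"name": "my_vault", "created_by": "admin"},
   "spec": {"client": {"address": "https://vaultserver.example.com:8200",
                       "tls": {"ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"},
                       "token": "VAULT_TOKEN", "version": "v1"}}}
]
""")


def audit_providers(providers):
    """Return (provider_name, finding) pairs for VaultProvider definitions."""
    findings = []
    for p in providers:
        if p.get("type") != "VaultProvider":
            continue  # e.g. the Env provider type has no Vault client settings
        name = p["metadata"]["name"]
        client = (p.get("spec") or {}).get("client") or {}
        if urlparse(client.get("address", "")).scheme != "https":
            findings.append((name, "address is not https: Vault traffic is unencrypted"))
        if client.get("token"):
            findings.append((name, "token present in API response: redact before storing"))
    return findings


def redact(providers):
    """Deep-copy the definitions with every non-empty client token masked."""
    safe = copy.deepcopy(providers)
    for p in safe:
        client = (p.get("spec") or {}).get("client")
        if client and client.get("token"):
            client["token"] = "REDACTED"
    return safe


if __name__ == "__main__":
    for name, finding in audit_providers(SAMPLE_RESPONSE):
        print(f"{name}: {finding}")
    print(json.dumps(redact(SAMPLE_RESPONSE), indent=2))
```

To run it against a live backend, pass the parsed JSON array from the GET /providers request shown earlier in place of SAMPLE_RESPONSE.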
Get all secrets
The /secrets API endpoint provides HTTP GET access to a list of secrets.
Example
The following example demonstrates a GET request to the /secrets API endpoint:
curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets \
  -H "Authorization: Key $SENSU_API_KEY"
The request results in a successful HTTP/1.1 200 OK response and a JSON array that contains the secret definitions in the default namespace:
[
  {
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "sensu-ansible-token",
      "namespace": "default",
      "created_by": "admin"
    },
    "spec": {
      "id": "secret/ansible#token",
      "provider": "ansible_vault"
    }
  }
]
API Specification
/secrets (GET) | |
---|---|
description | Returns the list of secrets for the specified namespace. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets |
response filtering | This endpoint supports API response filtering. |
response type | Array |
response codes |
|
output |
|
Get a specific secret
The /secrets/:secret API endpoint provides HTTP GET access to data for a specific secret, by secret name.
Example
The following example queries the /secrets/:secret API endpoint for the requested :secret:
curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token \
  -H "Authorization: Key $SENSU_API_KEY"
The request will return a successful HTTP/1.1 200 OK response and a JSON map that contains the requested :secret definition (in this example, sensu-ansible-token):
{
  "type": "Secret",
  "api_version": "secrets/v1",
  "metadata": {
    "name": "sensu-ansible-token",
    "namespace": "default",
    "created_by": "admin"
  },
  "spec": {
    "id": "secret/ansible#token",
    "provider": "ansible_vault"
  }
}
API Specification
/secrets/:secret (GET) | |
---|---|
description | Returns the specified secret. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token |
response type | Map |
response codes |
|
output |
|
Create or update a secret
The /secrets/:secret API endpoint provides HTTP PUT access to create or update a specific secret, by secret name.
Example
The following example demonstrates a request to the /secrets/:secret API endpoint to update the secret sensu-ansible-token.
curl -X PUT \
  -H "Authorization: Key $SENSU_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "sensu-ansible-token",
      "namespace": "default"
    },
    "spec": {
      "id": "secret/ansible#token",
      "provider": "ansible_vault"
    }
  }' \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token
The request will return a successful HTTP/1.1 201 Created response.
API Specification
/secrets/:secret (PUT) | |
---|---|
description | Creates or updates the specified secret. |
example URL | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token |
payload |
|
response codes |
|
Delete a secret
The /secrets/:secret API endpoint provides HTTP DELETE access to delete the specified secret from Sensu.
Example
The following example shows a request to the /secrets/:secret API endpoint to delete the secret sensu-ansible-token, resulting in a successful HTTP/1.1 204 No Content response:
curl -X DELETE \
  -H "Authorization: Key $SENSU_API_KEY" \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token
API Specification
/secrets/:secret (DELETE) | |
---|---|
description | Deletes the specified secret from Sensu. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token |
response codes |
|
Get a subset of secrets with response filtering
The /secrets API endpoint supports response filtering for a subset of secrets data based on labels and the following fields:
secret.name
secret.namespace
secret.provider
secret.id
Example
The following example demonstrates a request to the /secrets API endpoint with response filtering, resulting in a JSON array that contains only secrets definitions for the vault provider.
curl -H "Authorization: Key $SENSU_API_KEY" http://127.0.0.1:8080/api/enterprise/secrets/v1/secrets -G \
  --data-urlencode 'fieldSelector=secret.provider == vault'
The example request will result in a successful HTTP/1.1 200 OK response and a JSON array that contains only secret definitions for the vault provider:
[
  {
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "pagerduty_key",
      "namespace": "default",
      "created_by": "admin"
    },
    "spec": {
      "id": "secret/pagerduty#key",
      "provider": "vault"
    }
  },
  {
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "sensu-ansible",
      "namespace": "default",
      "created_by": "admin"
    },
    "spec": {
      "id": "secret/database#password",
      "provider": "vault"
    }
  },
  {
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "sumologic_url",
      "namespace": "default",
      "created_by": "admin"
    },
    "spec": {
      "id": "secret/sumologic#key",
      "provider": "vault"
    }
  }
]
NOTE: Read API response filtering for more filter statement examples that demonstrate how to filter responses using different operators with label and field selectors.
API Specification
/secrets (GET) with response filters | |
---|---|
description | Returns the list of secrets that match the response filters applied in the API request. |
example url | http://hostname:8080/api/enterprise/secrets/v1/secrets |
response type | Array |
response codes |
|
output |
|
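Each secret definition names its provider in spec.provider, so the /providers and /secrets responses can be cross-checked before a provider is deleted or renamed. The following is an added example, not part of the Sensu documentation or code: it reports secrets that point at a provider that is not defined, checks the id shape of Vault-backed secrets, and lists the secrets that depend on a given provider. The sample data is constructed, the function names are hypothetical, and the path#key id shape is an assumption taken from the ids shown in the examples on this page.

```python
# Constructed sample data shaped like the /providers and /secrets responses above.
PROVIDERS = [
    {"type": "VaultProvider", "metadata": {"name": "vault"}},
    {"type": "Env", "metadata": {"name": "env"}},
]
SECRETS = [
    {"metadata": {"name": "pagerduty_key", "namespace": "default"},
     "spec": {"id": "secret/pagerduty#key", "provider": "vault"}},
    {"metadata": {"name": "sensu-ansible-token", "namespace": "default"},
     "spec": {"id": "secret/ansible#token", "provider": "ansible_vault"}},
    {"metadata": {"name": "bad_id", "namespace": "default"},
     "spec": {"id": "secret/database", "provider": "vault"}},
    {"metadata": {"name": "from_env", "namespace": "default"},
     "spec": {"id": "CONSTRUCTED_ENV_VAR", "provider": "env"}},
]


def lint_secrets(providers, secrets):
    """Return (namespace/name, problem) pairs for secrets that cannot resolve."""
    types = {p["metadata"]["name"]: p["type"] for p in providers}
    problems = []
    for s in secrets:
        ref = f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
        provider, secret_id = s["spec"]["provider"], s["spec"]["id"]
        if provider not in types:
            problems.append((ref, f"unknown provider {provider!r}"))
        elif types[provider] == "VaultProvider":
            # Assumption: Vault-backed ids are "path#key", as in the page's examples.
            path, sep, key = secret_id.partition("#")
            if not (path and sep and key):
                problems.append((ref, f"id {secret_id!r} is not path#key"))
    return problems


def dependents(provider_name, secrets):
    """Names of secrets that reference provider_name (check before deleting it)."""
    return sorted(s["metadata"]["name"] for s in secrets
                  if s["spec"]["provider"] == provider_name)


if __name__ == "__main__":
    for ref, problem in lint_secrets(PROVIDERS, SECRETS):
        print(f"{ref}: {problem}")
    print("depends on vault:", dependents("vault", SECRETS))
```

The server-side counterpart of dependents is the fieldSelector=secret.provider == vault filter shown in the example request above.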