Overview
The cpln apply command is used to automate the management of Control Plane
resources using JSON or YAML metadata as input.
This automation can be used for:
Using cpln apply
is a good way to leverage the CLI in an idempotent manner.
The usage, limitations, and example templates are described below.
Using the CLI
Using the CLI, the apply
command is called by executing:
The FILE_NAME
is the path for the file and it can be either a JSON or YAML file containing the resource metadata.
To apply an Identity , a Volume Set or a Workload resource you need to specify a GVC using one of the following methods.
Specify a gvc
within your cpln profile . This will add the gvc
to the session context of the profile and will be refered to as the default gvc
when executing any future command including the cpln apply
command.
Specify a --gvc
flag to the apply
command. This will pass the gvc
as an option and will override the default gvc
that is defined in the profile.
Specify a gvc
property in the resource definition within the file you intend to apply.
You can specify either a GVC property or use the --gvc
flag, but not both.
Click here to view the CLI reference page for the apply
command.
Apply a K8s File
The CLI has the ability to convert K8s resources into Control Plane resources. By passing the --k8s true
option to the apply
command, the K8s resources will be converted and applied.
The apply
command utilizes the logic of the CLI convert command and then applies the resulting output.
In case you would like to pass Control Plane resources through stdin
(Standard Input), use the following command.
This is useful if you want to pass the stdout of a command to the cpln apply
command.
Using the Console
The console has the ability to upload a JSON or YAML file or accept a resource definition in JSON or YAML as input. The functionality is the same as using the CLI. To start applying, click the cpln apply
button in the upper right corner of the console. A modal will be displayed containing the upload instructions.
The cpln apply modal provides the ability to specify in which org
and gvc
a resource will be executed. The default is your currently selected org
and gvc
.
A file or an input containing an Identity , a Volume Set or a Workload resource will be executed in the scope of the specified gvc
in the cpln apply modal. In case a gvc
is defined within a resource, the resource will be executed in the scope of that gvc
.
Multiple Resources
The apply command can accept a YAML file containing multiple resources. Each resource must be separated using ---.
If a resource has a reference to another resource (e.g., a workload refers to a GVC), the referenced resource must be defined in the same file ONLY in case it does not already exist at Control Plane.
Renaming of Resources
If the name of an exisiting resource is changed, the cpln apply
command will create a new resource.
NOTE: Any orphaned resources will need to be manually deleted.
Limitations
To create an agent , use the console or the CLI agent command to obtain the bootstrap config data. Using the cpln apply
command from the CLI or console does not output the config data.
Before creating a cloud account , additional configuration is required at the target cloud provider. Refer to the Create Cloud Account guide for instructions.
Before creating a domain , the required DNS entries must exist. Refer to the Configure a Domain guide for instructions.
Samples of existing resources can be generated using the console or the CLI. These samples can assist when defining resources for your application.
Using the console:
After selecting a resource, there will be an Actions pull down button in the upper right corner. Inside it you will find the View and Export options.
The View will allow you to see the resource definition as JSON, YAML and Terraform.
For the Export option select JSON Slim or YAML Slim to download the file.
Using the CLI:
Using the get command for each resource, the -o flag can output the resource as JSON or YAML.
For example: The command cpln gvc get GVC_NAME -o yaml-slim --org ORG_NAME
will output the GVC_NAME as YAML.
The json-slim
and yaml-slim
format options will output only the necessary values needed for a subsequent call to the cpln apply
command.
Use in GitOps
The apply
command can be used to manage Control Plane resources as part of a CI/CD pipeline.
Refer to the GitOps CLI documentation for additional information.
Example Templates
The examples below can be used as templates when creating your own metadata files.
These files can be download here .
GVC Reference Page
{
"kind" : "gvc" ,
"name" : "example-gvc" ,
"description" : "example-gvc description" ,
"tags" : {
"tag1" : "value1"
} ,
"spec" : {
"pullSecretLinks" : [ "/org/ORG_NAME/secret/SECRET_NAME" ] ,
"staticPlacement" : {
"locationLinks" : [
"/org/ORG_NAME/location/aws-eu-central-1" ,
"/org/ORG_NAME/location/aws-us-west-2" ,
"/org/ORG_NAME/location/azure-eastus2" ,
"/org/ORG_NAME/location/gcp-us-east1"
]
}
}
}
Agent Reference Page
{
"kind" : "agent" ,
"name" : "example-agent" ,
"description" : "example-agent description"
}
Cloud Accounts Reference Page
{
"kind" : "cloudaccount" ,
"name" : "example-aws-cloud-account" ,
"description" : "example-aws-cloud-account description" ,
"tags" : { } ,
"provider" : "aws" ,
"data" : {
"roleArn" : "ROLE_ARN"
}
}
{
"kind" : "cloudaccount" ,
"name" : "example-azure-cloud-account" ,
"description" : "example-azure-cloud-account description" ,
"tags" : { } ,
"provider" : "azure" ,
"data" : {
"secretLink" : "/org/ORG_NAME/secret/AZURE_SECRET"
}
}
{
"kind" : "cloudaccount" ,
"name" : "example-gcp-cloud-account" ,
"description" : "example-gcp-cloud-account description" ,
"tags" : { } ,
"provider" : "gcp" ,
"data" : {
"projectId" : "PROJECT_ID"
}
}
{
"kind" : "cloudaccount" ,
"name" : "example-ngs-cloud-account" ,
"description" : "example-ngs-cloud-account description" ,
"provider" : "ngs" ,
"data" : {
"secretLink" : "/org/ORG_NAME/secret/NATS_SECRET"
}
}
Domain Reference Page
{
"kind" : "domain" ,
"name" : "sub.example.com" ,
"description" : "domain description" ,
"tags" : { }
}
Secrets Reference Page
{
"kind" : "secret" ,
"name" : "example-aws-secret" ,
"description" : "example-aws-secret description" ,
"tags" : { } ,
"type" : "aws" ,
"data" : {
"accessKey" : "AKIAIOSFODNN7EXAMPLE" ,
"roleArn" : "arn:awskey" ,
"secretKey" : "AKIAwJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" ,
"externalId" : "EXTERNAL_ID"
}
}
{
"kind" : "secret" ,
"name" : "example-azure-connector-secret" ,
"description" : "example-azure-connector-secret description" ,
"tags" : { } ,
"type" : "azure-connector" ,
"data" : {
"code" : "CODE" ,
"url" : "URL"
}
}
{
"kind" : "secret" ,
"name" : "example-azure-sdk-secret" ,
"description" : "example-azure-sdk-secret" ,
"tags" : { } ,
"type" : "azure-sdk" ,
"data" : "{\"subscriptionId\":\"2cd8674e-4f89-4a1f-b420-7a1361b46ef7\",\"tenantId\":\"292f5674-c8b0-488b-9ff8-6d30d77f38d9\",\"clientId\":\"649846ce-d862-49d5-a5eb-7d5aad90f54e\",\"clientSecret\":\"cpln\"}"
}
{
"kind" : "secret" ,
"name" : "example-dictionary-secret" ,
"description" : "example-dictionary-secret description" ,
"tags" : { } ,
"type" : "dictionary" ,
"data" : {
"key01" : "value01" ,
"key02" : "value02"
}
}
{
"kind" : "secret" ,
"name" : "example-docker-secret" ,
"description" : "example-docker-secret description" ,
"tags" : { } ,
"type" : "docker" ,
"data" : "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"USERNAME\",\"password\":\"PASSWORD\"}}}"
}
{
"kind" : "secret" ,
"name" : "example-ecr-secret" ,
"description" : "example-ecr-secret description" ,
"tags" : { } ,
"type" : "ecr" ,
"data" : {
"accessKey" : "AKIA_ACCESS_KEY" ,
"repos" : [ "015716931711.dkr.ecr.us-west-2.amazonaws.com/repo" ] ,
"secretKey" : "SECRET_KEY" ,
"externalId" : "EXTERNAL_ID"
}
}
{
"kind" : "secret" ,
"name" : "example-gcp-secret" ,
"description" : "example-gcp-secret description" ,
"tags" : { } ,
"type" : "gcp" ,
"data" : "{\"type\":\"gcp\",\"project_id\":\"cpln12345\",\"private_key_id\":\"pvt_key\",\"private_key\":\"key\",\"client_email\":\"support@cpln.io\",\"client_id\":\"12744\",\"auth_uri\":\"cloud.google.com\",\"token_uri\":\"token.cloud.google.com\",\"auth_provider_x509_cert_url\":\"cert.google.com\",\"client_x509_cert_url\":\"cert.google.com\"}"
}
NOTE: The example below uses a self-signed certificate. Do not use for production.
{
"kind" : "secret" ,
"name" : "example-keypair-secret" ,
"description" : "example-keypair-secret description" ,
"tags" : { } ,
"type" : "keypair" ,
"data" : {
"passphrase" : "cpln" ,
"publicKey" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwrVyExI0uvRmwCAKFHiv\nbaAcPMcKJDa6f6TtaVo2p8jyfEhVwDTmR3FUrDDZAjh0Q8G/Up8Ob3+IJafNymCO\nBhUKou+8ie7guqsbU9JrT0Zos1k/pd0aVfnAR0EpW3es/7fdkWUszU0uweeEj22m\nXMlLplnqqoYOGAhuNMqGsZwBr36Bxq9EeB2O79QsAFDNkPVg7xIaYKn32j69o0Zr\nryYI8xqOYYy5Dw6CX+++YYLYiR/PkLYJTVAsxXeqyltCfb3Iv7vN5HrfoYBhndr3\nNxBPkcIJZeh3Z+QzfJ5U+bB5fP/aOsEk5bPbtLzylj2KnOOM/ZxXJtOcu0xtJLd3\nXwIDAQAB\n-----END PUBLIC KEY-----\n" ,
"secretKey" : "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,9A26BB15304B18E7\n\nZdBgMExsvIJEsIFDMQ02xh4nDnhXEGUNu7LiWIZjn9WS6QB2jApyOFOBWmp0lK6L\ndIJ+Mb8wMeHtkiKS6ZbYeea8M29kwEejZRnKl1Wq0EFycdwbONtbcbjzF+tQGEBT\ngQQgkY7wjDWl8HwjFEA+NUuitzi6uI2xWlQpFdUrmqJAZCbxNFa0aM8nW6jnitvP\n616ps3HjLnWCjoyqS4hWxiWmt+VE3KruPnUVVV7bWlzc6jnoZcSaeqeaoQrNKguH\nte2iBIMdY/uldb7Ik2Kxr2+kBRmV4YNkp1EelNi/m39VcoUHJLk1jLldzuINhbi2\nIRqYZe4EEMSYdb3TkSosXa64Sz7jMBz5AxlA0n78FKlB9G5FAxaXcVYNQIlvzCbw\nuXPbQd/UYKUuEI1Yn8OmGBN5xcOdgWz8hfyxA2Hq1tmo1XN6snavGe7TKbZd70N+\n1yFbclB2T1z8fPcLwUZUxOl4g2DoMMHIzCSPaIe/otT8389k4H6hEulLis4lW0p3\nqopL5kdpxmSGgXsX6q6CUFb/0cw9HskNT3zbzKLx2MzjFCo93IB07UxPwkCD2kb1\nsLKMcpTC8a0vLaTVNYgDX7wW/YjBrCokaqk0z1whuN6iSReOtvmu5ybrq1Ksg8UQ\nyvCSScM/+muKi+gbEOskQs4Ph3ZLHqAX3/XYoyBcFnPNxVHTIa5Dcju6h5gl1/uY\n6tkRsHDr0Lzy8pd6jjf/ApPf9ypCuxKUO1q8PzPg2E4bmEFxc8zOB2NLvfPgFrUR\n0Sbkapv/6x6nNRw75cu69c5we/atip6wst8J1MSU0fTqb6bZ3TF2pDyNEOkdkvoZ\nYZ0r3hUytdT0pImoDLKoyy17mtHLLApzHyIgmR3cqtSt07ncmC5lyEBcZBrQXMa8\naZeOr8iUWQE/q+4BvoxeKsOD6ttKuFnrgl0rmMnYQsSyLJOPizrU4L1d1HMIKswm\niW+Rg7xlWmQg95m8XEWTjAb3tuNz/tGXC7Qa88HvC7YfyG69yM61oPsT83YnxcBT\nC/X67lSFTYguFa3HgDZpjGq7Hc/Q7nhaoqNMEs01O6jbcmrue8IIa2FH1tTwPN0W\nD7JefjCQjEghue2mjc0fovOGe9A9jvWf+gJHF3vRtFa67uQiQxge9zUzpHyVNpOj\nVe0y0HvibNTd6TSCArctJpIcwpjO3MTT5LBJ1p/8v4b4+knEKD2c69jumNbKGbWr\nWjq39M/MGNUO5SbZMO3gFCt6fgtXkOktH9pJ9iOQpYKgl7QTe2qQygfWkIm0EZRN\n6EaQdNNKgENWicpKyKQ4BxoY1LYAHFHJ95VisLf3KmmOF5MwajADZQT/yth3gvht\nxx21b9iudcgq/CRccSvfIPIWZKi6oaqNIXK+E3DQd40TUopLsBWzacTZn9maSZtW\nRyAY1TkRn1qDR2soyhBcihrX5PZ83jnOlM3XTdfF1784g8zB9ooDnK7mUKueH1W3\nhWFADMUF7uaBbo5EZ9sE+dFPzWPJLhu2j67a1iHmByqEvFY64lzq7VwwU/GE8JdA\n85oEkhg1ZEPJp3OYTQfPI/CC/2fc93Exf6wmaXuss8AHehuGcKQniOZmFOKOBprv\n-----END RSA PRIVATE KEY-----"
}
}
{
"kind" : "secret" ,
"name" : "example-opaque-secret" ,
"description" : "example-opaque-secret" ,
"tags" : { } ,
"type" : "opaque" ,
"data" : {
"encoding" : "plain" ,
"payload" : "sample payload"
}
}
{
"kind" : "secret" ,
"name" : "example-tls-secret" ,
"description" : "example-tls-secret description" ,
"tags" : { } ,
"type" : "tls" ,
"data" : {
"cert" : "-----BEGIN CERTIFICATE-----\nMIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL\nBQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH\nDAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx\nEDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p\nbzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL\nBgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv\nMR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0\nRsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9\nyPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk\nPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr\naetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY\n/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud\nDgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9\nLy8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr\nsDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4\nChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD\nwAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M\n5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ\nYxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD\nu2ZCis/EwXsqRJPkIPnL\n-----END CERTIFICATE-----\t\t" ,
"chain" : "-----BEGIN CERTIFICATE-----\nMIID+zCCAuOgAwIBAgIUEwBv3WQkP7dIiEIxyj+Wi1STz7QwDQYJKoZIhvcNAQEL\nBQAwgYwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRQwEgYDVQQH\nDAtMb3MgQW5nZWxlczENMAsGA1UECgwEQ1BMTjERMA8GA1UECwwIQ1BMTi1PUkcx\nEDAOBgNVBAMMB2NwbG4uaW8xHjAcBgkqhkiG9w0BCQEWD3N1cHBvcnRAY3Bsbi5p\nbzAeFw0yMDEwMTQxNzI4MDhaFw0zMDEwMTIxNzI4MDhaMIGMMQswCQYDVQQGEwJV\nUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEUMBIGA1UEBwwLTG9zIEFuZ2VsZXMxDTAL\nBgNVBAoMBENQTE4xETAPBgNVBAsMCENQTE4tT1JHMRAwDgYDVQQDDAdjcGxuLmlv\nMR4wHAYJKoZIhvcNAQkBFg9zdXBwb3J0QGNwbG4uaW8wggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDBzN2jRf9ouoF4XG0eUxcc4f1sP8vhW1fQXjun3cl0\nRsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvNrsl7U4iJIEcJL6vTqHY7jTGXQkd9\nyPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWnpvg157mJ/u9qdyU+1h8DncES30Fk\nPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88INbBHLjxBQgwTu0vgMxN34b5z+esHr\naetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBiL2TeDrnEY6qP/ZoGuyyVnsT/6pHY\n/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/ljq0e1j69AgMBAAGjUzBRMB0GA1Ud\nDgQWBBRxncC/8RRio/S9Ly8tKFS7WnTcNTAfBgNVHSMEGDAWgBRxncC/8RRio/S9\nLy8tKFS7WnTcNTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAr\nsDZQj4K47fW6JkJbxlzZ1hd7IX6cQhI/DRIdTGR1u0kM1RtZoS0UtV5qsYV/g/S4\nChuB/aIARyTWvHKDhcT3bRGHLnoZJ8pLlQh4nEfO07SRhyeNiO4qmWM9az0nP5qD\nwAXpLpmYIairzAgY7QXbk5wXbTrXli3mz14VaNoqN4s7iyLtHn5TGAXc12aMwo7M\n5yn/RGxoWQoJqSQKc9nf909cR81AVCdG1dFcp7u8Ud1pTtlmiU9ZJ/YOXDCT/1hZ\nYxoeotDBBOIao3Ym/3351somMoQ7Lz6hRWvG0WhDIsCXvth4XSxRkZFXgjWNuhdD\nu2ZCis/EwXsqRJPkIPnL\n-----END CERTIFICATE-----\t\t" ,
"key" : "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBzN2jRf9ouoF4\nXG0eUxcc4f1sP8vhW1fQXjun3cl0RsN4jRdOyTKWcls1yAxlOkwFod8d6HND9OvN\nrsl7U4iJIEcJL6vTqHY7jTGXQkd9yPONMpMXYE8Dsiqtk0deoOab7fafYcvq1iWn\npvg157mJ/u9qdyU+1h8DncES30FkPsG8TsIsjx94JkTJeMmEJxtws4dfuoCk88IN\nbBHLjxBQgwTu0vgMxN34b5z+esHraetDN2fqxSoTOeIlyFzeS+kwG3GK4I1hUQBi\nL2TeDrnEY6qP/ZoGuyyVnsT/6pHY/BTAcH3Rgeqose7mqBT+7zlxDfHYHceuNB/l\njq0e1j69AgMBAAECggEAPGhrPZV4A2D/MlE9AhLMRYh7wd4w4tHiEWUOG0kank/g\nZhc0iK5WQmbq31y34GXHhInsThpCs5AIYFh3HSXwjS2udsKRQKxmDjH4nzldp2uX\n3w9Aoiy29GP4wZoCyRBGUZxfH1cQhOazXgrBm6vbPZRldD4nMer0R+BIamWEsIYD\nYjDj1pT0noLUSeqoLmGxSQ4DNIBQVZB/T8ziMcEzl6bhprT0QrapJSyD2CtA8tH1\nZ8cyhmyE0CUvSkV4K2ecvVukWBJvrAYc6euPAnkS5LJrQotI5+3jJO2QawOlL6Uw\nrFWBpgBrCgbzquMRpDCQ/J9/GDYaZjim4YdonboBgQKBgQD7jx3CVnG4LDz198am\nspmPwKCW1ke6PhlG7zf3YR00xg9vPBYiy4obb1Jg6em1wr+iZ0dEt8fimeZXewBf\nLzlrR8T1Or0eLzfbn+GlLIKGKhn2pKB/i1iolkfIonchqXRk9WNx+PzjgUqiYWRC\n/1tH2BsODlVrzKL2lnbWKNIFdQKBgQDFOLedpMeYemLhrsU1TXGt1xTxAbWvOCyt\nvig/huyz4SQENXyu3ImPzxIxpTHxKhUaXo/qFXn0jhqnf0LfWI4nbQUbkivb5BPr\nKY9aj7XwwsY4MXW5C12Qi0lIwHOWCmfzvyS7TCMqnQb7sT4Mjmm4ydEbiI1TjlFJ\nD/RFxzcDKQKBgQCehPcJyZNrrWTU0sh5rz4ZWhdYNbuJXyxqiMBJwQa4hL6hJ8oD\nLyPeWe4daAmAIjLEUjSU1wK8hqKiKb54PLgAJH+20MbvyG14lm2Iul2d0dX+mIsT\nFGpQAjNF+Sr9KV1RaVi7L12ct5KidKDLn0KUKVgTKXEmtxNSNEq6dYqzKQKBgDI8\nzljzvnwSwNloIYgAYDK+FPGHU/Z8QrVHOQ1lmyn+8aO41DfeqZPeVW4b/GrII3QC\nHnqsWdJ32EZOXoRyFFPqq2BojY+Hu6MthPy2msvncYKi5q/qOz00nchQbaEMqYon\naH3lWRfjxAGdFocwR7HwhrmSwR1FpWMNE1Yq9tJxAoGBANc0nZSy5ZlTiMWdRrTt\ngFc9N/jz8OL6qLrJtX2Axyv7Vv8H/gbDg4olLR+Io38M0S1WwEHsaIJLIvJ6msjl\n/LlseAW6oiO6jzhWEr0VQSLkuJn45hG/uy7t19SDuNR7W5NuEr0YbWd6fZEpR7RR\nS1hFKnRRcrVqA+HjWnZ//BGi\n-----END PRIVATE KEY-----"
}
}
Secret - Username/Password
{
"kind" : "secret" ,
"name" : "example-username-secret" ,
"description" : "example-username-secret description" ,
"tags" : { } ,
"type" : "userpass" ,
"data" : {
"encoding" : "plain" ,
"password" : "PASSWORD" ,
"username" : "USERNAME"
}
}
Groups Reference Page
See the Group Query Rules reference page for details on how to create a query.
{
"kind" : "group" ,
"name" : "example-group" ,
"description" : "example-group description" ,
"tags" : { } ,
"memberLinks" : [ "/org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME" , "/org/ORG_NAME/user/USER_EMAIL" , "/org/ORG_NAME/user/USER_EMAIL" ] ,
"memberQuery" : {
"kind" : "user" ,
"fetch" : "items" ,
"spec" : {
"match" : "all" ,
"terms" : [
{
"op" : "=" ,
"tag" : "test-tag" ,
"value" : "test-value"
}
]
}
}
}
Policies Reference Page
The first example shows a policy for an explicit secret (‘targetLinks’) that contain a binding for all four of the principal types with the ‘edit’ and ‘manage’ permissions.
The second example shows a policy that targets all secrets within the org. When the target key set to all
. The targetLinks
and targetQuery
properties are not evaluated.
Each ‘targetKind’ has its own unique set of binding permissions. The permissions can be obtained by:
Running the CLI permissions command (e.g., cpln secret permissions
), or
The reference page for each target (e.g. Secret Permissions ).
{
"kind" : "policy" ,
"name" : "example-policy-explicit" ,
"description" : "example-policy description" ,
"tags" : { } ,
"targetKind" : "secret" ,
"bindings" : [
{
"permissions" : [ "edit" , "manage" ] ,
"principalLinks" : [
"/org/ORG_NAME/group/GROUP_NAME" ,
"/org/ORG_NAME/gvc/GVC_NAME/identity/IDENTITY_NAME" ,
"/org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME" ,
"/org/ORG_NAME/user/USER_EMAIL"
]
}
] ,
"targetLinks" : [ "/org/ORG_NAME/secret/SECRET_NAME" ] ,
"targetQuery" : {
"kind" : "secret" ,
"fetch" : "items" ,
"spec" : {
"match" : "all" ,
"terms" : [
{
"op" : "=" ,
"tag" : "example-tag" ,
"value" : "example-value"
}
]
}
}
}
{
"kind" : "policy" ,
"name" : "example-policy-all" ,
"description" : "example-policy-all description" ,
"tags" : { } ,
"targetKind" : "secret" ,
"target" : "all" ,
"bindings" : [
{
"permissions" : [ "edit" , "manage" ] ,
"principalLinks" : [
"/org/ORG_NAME/group/GROUP_NAME" ,
"/org/ORG_NAME/gvc/GVC_NAME/identity/IDENTITY_NAME" ,
"/org/ORG_NAME/serviceaccount/SERVICE_ACCOUNT_NAME" ,
"/org/ORG_NAME/user/USER_EMAIL"
]
}
]
}