Secrets API
COMMERCIAL FEATURE: Access secrets management in the packaged Sensu Go distribution. For more information, see Get started with commercial features.
NOTE: Requests to the secrets API require you to authenticate with a Sensu access token or API key.
The code examples in this document use the environment variable $SENSU_API_KEY to represent a valid API key in API requests.
Get all secrets providers
The /providers API endpoint provides HTTP GET access to a list of secrets providers.
Example
The following example demonstrates a request to the /providers API endpoint, resulting in a list of secrets providers.

curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers \
  -H "Authorization: Key $SENSU_API_KEY"

[
  {
    "type": "VaultProvider",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "my_vault",
      "created_by": "admin"
    },
    "spec": {
      "client": {
        "address": "https://vaultserver.example.com:8200",
        "token": "VAULT_TOKEN",
        "version": "v1",
        "tls": {
          "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
        },
        "max_retries": 2,
        "timeout": "20s",
        "rate_limiter": {
          "limit": 10.0,
          "burst": 100
        }
      }
    }
  }
]
NOTE: In addition to the VaultProvider type, the secrets API also includes a built-in Env secrets provider type that can retrieve backend environment variables as secrets. Learn more in the secrets providers reference.
API Specification
/providers (GET) | |
---|---|
description | Returns the list of secrets providers. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers |
query parameters | types: Defines which type of secrets provider to retrieve. Join with & to retrieve multiple types: ?types=Env&types=VaultProvider. |
response filtering | This endpoint supports API response filtering. |
response type | Array |
response codes |
|
output |
|
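The request described above, followed by a transport check on what it returns, as an added example that is not part of the Sensu documentation. The two findings (non-https address, missing tls.ca_cert) are this example's own policy assumptions, and lab_vault is a constructed provider; fetch_providers needs a live backend and is not called here.

```python
import json
import os
import urllib.request
from urllib.parse import urlencode, urlsplit

# Base path taken from this page's curl examples.
BASE = "http://127.0.0.1:8080/api/enterprise/secrets/v1"


def providers_url(types=(), base=BASE):
    """Build the /providers URL; each type becomes its own types= parameter."""
    query = urlencode([("types", t) for t in types])
    return f"{base}/providers" + (f"?{query}" if query else "")


def fetch_providers(types=()):
    """GET /providers with the 'Authorization: Key' header (live backend only)."""
    req = urllib.request.Request(
        providers_url(types),
        headers={"Authorization": f"Key {os.environ['SENSU_API_KEY']}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_provider(provider):
    """Return transport findings for one VaultProvider (example policy)."""
    if provider.get("type") != "VaultProvider":
        return []  # other provider types carry no spec.client to inspect
    client = (provider.get("spec") or {}).get("client") or {}
    findings = []
    if urlsplit(client.get("address", "")).scheme != "https":
        findings.append("address is not https")
    if not (client.get("tls") or {}).get("ca_cert"):  # tls may be null or absent
        findings.append("tls.ca_cert is not set")
    return findings


def audit_all(providers):
    return {p["metadata"]["name"]: audit_provider(p) for p in providers}


# Constructed sample: the page's my_vault plus a deliberately weak lab_vault.
SAMPLE = json.loads("""[
 {"type": "VaultProvider", "metadata": {"name": "my_vault"},
  "spec": {"client": {"address": "https://vaultserver.example.com:8200",
                      "tls": {"ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"}}}},
 {"type": "VaultProvider", "metadata": {"name": "lab_vault"},
  "spec": {"client": {"address": "http://10.0.0.5:8200", "tls": null}}}
]""")
```

Against a running backend, `audit_all(fetch_providers(["VaultProvider"]))` applies the same check to the real provider list.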
Get a specific secrets provider
The /providers/:provider API endpoint provides HTTP GET access to data for a specific secrets :provider, by provider name.
Example
In the following example, querying the /providers/:provider API endpoint returns a JSON map that contains the requested :provider, my_vault.

curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers/my_vault \
  -H "Authorization: Key $SENSU_API_KEY"

{
  "type": "VaultProvider",
  "api_version": "secrets/v1",
  "metadata": {
    "name": "my_vault",
    "created_by": "admin"
  },
  "spec": {
    "client": {
      "address": "https://vaultserver.example.com:8200",
      "token": "VAULT_TOKEN",
      "version": "v1",
      "tls": {
        "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
      },
      "max_retries": 2,
      "timeout": "20s",
      "rate_limiter": {
        "limit": 10.0,
        "burst": 100
      }
    }
  }
}
API Specification
/providers/:provider (GET) | |
---|---|
description | Returns the specified secrets provider. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers/my_vault |
response type | Map |
response codes |
|
output |
|
Create or update a secrets provider
The /providers/:provider API endpoint provides HTTP PUT access to create or update a specific :provider, by provider name.
Example
The following example demonstrates a request to the /providers/:provider API endpoint to update the provider my_vault.

curl -X PUT \
  -H "Authorization: Key $SENSU_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "VaultProvider",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "my_vault"
    },
    "spec": {
      "client": {
        "address": "https://vaultserver.example.com:8200",
        "token": "VAULT_TOKEN",
        "version": "v1",
        "tls": {
          "ca_cert": "/etc/ssl/certs/vault_ca_cert.pem"
        },
        "max_retries": 2,
        "timeout": "20s",
        "rate_limiter": {
          "limit": 10.0,
          "burst": 100
        }
      }
    }
  }' \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers/my_vault

HTTP/1.1 200 OK
API Specification
/providers/:provider (PUT) | |
---|---|
description | Creates or updates the specified secrets provider. The provider resource and API version cannot be altered. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers/my_vault |
payload |
|
response codes |
|
Delete a secrets provider
The /providers/:provider API endpoint provides HTTP DELETE access to delete the specified provider from Sensu.
Example
The following example shows a request to the /providers/:provider API endpoint to delete the provider my_vault, resulting in a successful HTTP 204 No Content response.

curl -X DELETE \
  -H "Authorization: Key $SENSU_API_KEY" \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/providers/my_vault

HTTP/1.1 204 No Content
API Specification
/providers/:provider (DELETE) | |
---|---|
description | Deletes the specified provider from Sensu. |
example url | http://hostname:8080/api/enterprise/secrets/v1/providers/my_vault |
response codes |
|
Get all secrets
The /secrets API endpoint provides HTTP GET access to a list of secrets.
Example
The following example demonstrates a request to the /secrets API endpoint, resulting in a list of secrets for the specified namespace.

curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets \
  -H "Authorization: Key $SENSU_API_KEY"

HTTP/1.1 200 OK
[
  {
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "sensu-ansible-token",
      "namespace": "default",
      "created_by": "admin"
    },
    "spec": {
      "id": "secret/ansible#token",
      "provider": "ansible_vault"
    }
  }
]
API Specification
/secrets (GET) | |
---|---|
description | Returns the list of secrets for the specified namespace. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets |
response filtering | This endpoint supports API response filtering. |
response type | Array |
response codes |
|
output |
|
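Each secret names its provider in spec.provider, so the /secrets and /providers lists can be cross-checked for references that resolve to nothing. The following is an added example, not part of the Sensu documentation: the path#key layout for Vault-backed ids is an assumption inferred from the sample id secret/ansible#token, and the pagerduty-key secret is constructed.

```python
import json

# Constructed samples, shaped like the /providers and /secrets responses above.
PROVIDERS = json.loads("""[
  {"type": "VaultProvider", "metadata": {"name": "my_vault"}}
]""")
SECRETS = json.loads("""[
  {"type": "Secret",
   "metadata": {"name": "sensu-ansible-token", "namespace": "default"},
   "spec": {"id": "secret/ansible#token", "provider": "ansible_vault"}},
  {"type": "Secret",
   "metadata": {"name": "pagerduty-key", "namespace": "default"},
   "spec": {"id": "secret/pagerduty", "provider": "my_vault"}}
]""")


def split_vault_id(secret_id):
    """Split 'path#key' (assumed Vault id layout); return None if malformed."""
    path, sep, key = secret_id.partition("#")
    if not sep or not path or not key or "#" in key:
        return None
    return path, key


def check_secrets(secrets, providers):
    """Map 'namespace/name' to the problems found in that secret's reference."""
    types_by_name = {p["metadata"]["name"]: p.get("type", "") for p in providers}
    report = {}
    for secret in secrets:
        meta, spec = secret["metadata"], secret.get("spec") or {}
        provider, secret_id = spec.get("provider"), spec.get("id", "")
        problems = []
        if provider not in types_by_name:
            # The backend has no provider with this name to resolve the secret.
            problems.append(f"unknown provider {provider!r}")
        elif (types_by_name[provider] == "VaultProvider"
              and split_vault_id(secret_id) is None):
            problems.append(f"id {secret_id!r} is not path#key")
        if problems:
            report[f"{meta['namespace']}/{meta['name']}"] = problems
    return report
```

With the page's own sample data the check flags sensu-ansible-token, because the provider list contains my_vault but not ansible_vault.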
Get a specific secret
The /secrets/:secret API endpoint provides HTTP GET access to data for a specific secret, by secret name.
Example
In the following example, querying the /secrets/:secret API endpoint returns a JSON map that contains the requested :secret.

curl -X GET \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token \
  -H "Authorization: Key $SENSU_API_KEY"

HTTP/1.1 200 OK
{
  "type": "Secret",
  "api_version": "secrets/v1",
  "metadata": {
    "name": "sensu-ansible-token",
    "namespace": "default",
    "created_by": "admin"
  },
  "spec": {
    "id": "secret/ansible#token",
    "provider": "ansible_vault"
  }
}
API Specification
/secrets/:secret (GET) | |
---|---|
description | Returns the specified secret. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token |
response type | Map |
response codes |
|
output |
|
Create or update a secret
The /secrets/:secret API endpoint provides HTTP PUT access to create or update a specific secret, by secret name.
Example
The following example demonstrates a request to the /secrets/:secret API endpoint to update the secret sensu-ansible-token.

curl -X PUT \
  -H "Authorization: Key $SENSU_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "Secret",
    "api_version": "secrets/v1",
    "metadata": {
      "name": "sensu-ansible-token",
      "namespace": "default"
    },
    "spec": {
      "id": "secret/ansible#token",
      "provider": "ansible_vault"
    }
  }' \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token

HTTP/1.1 200 OK
API Specification
/secrets/:secret (PUT) | |
---|---|
description | Creates or updates the specified secret. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token |
payload |
|
response codes |
|
Delete a secret
The /secrets/:secret API endpoint provides HTTP DELETE access to delete the specified secret from Sensu.
Example
The following example shows a request to the /secrets/:secret API endpoint to delete the secret sensu-ansible-token, resulting in a successful HTTP 204 No Content response.

curl -X DELETE \
  -H "Authorization: Key $SENSU_API_KEY" \
  http://127.0.0.1:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token

HTTP/1.1 204 No Content
API Specification
/secrets/:secret (DELETE) | |
---|---|
description | Deletes the specified secret from Sensu. |
example url | http://hostname:8080/api/enterprise/secrets/v1/namespaces/default/secrets/sensu-ansible-token |
response codes |
|