Load a policy

Adds data to the existing Conjur policy. Deletions are not allowed. Any policy objects that exist on the server but are omitted from the policy file will not be deleted and any explicit deletions in the policy file will result in an error.

Entity IDs must be URL-encoded.

URI

POST /policies/{account}/policy/{identifier}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

Identifier	URL-Encoded
`myapp-01`	`myapp-01`(no change)
`user@devops`	`user%40devops`
`alice@devops`	`alice%40devops`
`prod/aws/data/db-password`	`prod%2Faws%2Fdata%2Fdb-password`
`prod/aws/db-password`	`prod%2Faws%2Fdb-password`
`research+development`	`research%2Bdevelopment`
`sales&marketing`	`sales%26marketing`

Permissions required

create privilege on the policy.

Example with curl

Suppose you have a policy to load in /tmp/policy.yml (such as the sample one provided below). The following command will add data to the “root” policy.

curl -H "$(conjur authn authenticate -H)" \
     -X POST -d "$(< /tmp/policy.yml)" \
     https://eval.conjur.org/policies/myorg/policy/root

Request Body

The request body should be a policy file. For example:

- !policy
  id: database
  body:
    - !host
      id: new-host
    - !variable
      id: new-variable
      owner: !host new-host

Response

Code	Description
201	The policy was extended successfully.
401	The request lacks valid authentication credentials.
403	The authenticated user lacks the necessary privilege
404	The policy referred to a role or resource that does not exist in the specified account.
409	Policy load already in progress, retry after a delay.
422	The request body was empty or the policy was not valid YAML or the policy includes a deletion.

Example URI

POST /policies/myorg/policy/root

URI Parameters

Parameter	Type	Mandatory	Description
account	String	Yes	Organization account name. Example: `myorg`
identifier	String	Yes	id of the policy to extend Example: `root`

Parameter

Type

Mandatory

Description

account

String

Yes

Organization account name.

Example: myorg

identifier

String

Yes

id of the policy to extend

Example: root

Response 201

Headers

Content-Type: application/json

Body

{
  "created_roles": {
    "cucumber:host:database/new-host": {
      "id": "cucumber:host:database/new-host",
      "api_key": "1n1k85r3pcs7av2mmpj233jajndc1bx8ma52rwybj31c487r72zree1c"
    }
  },
  "version": 2
}