Load a Policy

Adds data to the existing Conjur policy. Deletions are not allowed. Any policy objects that exist on the server but are omitted from the policy file will not be deleted and any explicit deletions in the policy file will result in an error.

 

Entity IDs must be URL-encoded.

URI

 
POST /policies/{account}/policy/{identifier}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

Identifier

URL-Encoded

myapp-01

myapp-01(no change)

alice@devops

alice%40devops

prod/aws/db-password

prod%2Faws%2Fdb-password

research+development

research%2Bdevelopment

sales&marketing

sales%26marketing

Permissions required

create privilege on the policy.

Example with curl and jq

Suppose you have a policy to load in /tmp/policy.yml (such as the sample one provided below). The following command will add data to the “root” policy:

 
curl -H "$(conjur authn authenticate -H)" \
     -X POST -d "$(< /tmp/policy.yml)" \
     https://eval.conjur.org/policies/myorg/policy/root \
     | jq .

Request Body

The request body should be a policy file. For example:

 
- !policy
  id: database
  body:
    - !host
      id: new-host
    - !variable
      id: new-variable
      owner: !host new-host

Response

Code

Description

201

The policy was extended successfully.

401

The request lacks valid authentication credentials.

403

The authenticated user lacks the necessary privilege.

404

The policy referred to a role or resource that does not exist in the specified account.

409

Policy load already in progress, retry after a delay.

422

The request body was empty or the policy was not valid YAML or the policy includes a deletion.

Example URI

 
POST /policies/myorg/policy/root

URI Parameters

Parameter

Type

Mandatory

Description

account

String

Yes

Organization account name

Example: myorg

identifier

String

Yes

id of the policy to extend

Example: root

Response 201

Headers

 
Content-Type: application/json

Body

 
{
  "created_roles": {
    "cucumber:host:database/new-host": {
      "id": "cucumber:host:database/new-host",
      "api_key": "1n1k85r3pcs7av2mmpj233jajndc1bx8ma52rwybj31c487r72zree1c"
    }
  },
  "version": 2
}