Replace a Policy

Loads or replaces a Conjur policy document.

 
  • Any policy data which already exists on the server but is not explicitly specified in the new policy file will be deleted.
  • Entity IDs must be URL-encoded

URI

 
PUT /policies/{account}/policy/{identifier}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

Identifier

URL-Encoded

myapp-01

myapp-01(no change)

alice@devops

alice%40devops

prod/aws/db-password

prod%2Faws%2Fdb-password

research+development

research%2Bdevelopment

sales&marketing

sales%26marketing

Permissions required

update privilege on the policy.

Example with curl and jq

Suppose you have a policy to load in /tmp/policy.yml (such as the sample one provided below). The following command will load this as the “root” policy, replacing any other data that may already be in this policy:

 
curl -H "$(conjur authn authenticate -H)" \
     -X PUT -d "$(< /tmp/policy.yml)" \
     https://eval.conjur.org/policies/myorg/policy/root \
     | jq .

Request Body

The request body is a policy file. For example:

 
- !policy
  id: database
  body:
    - !host
      id: db-host
    - !variable
      id: db-password
      owner: !host db-host

Response

Code

Description

201

The policy was loaded or replaced successfully

401

The request lacks valid authentication credentials

403

The authenticated user lacks the necessary privilege

404

The policy referred to a role or resource that does not exist in the specified account

409

Policy load already in progress, retry after a delay

422

The request body was empty or the policy was not valid YAML

Example URI

 
PUT /policies/myorg/policy/root

URI Parameters

Parameter

Type

Mandatory

Description

account

String

Yes

Organization account name

Example: myorg

identifier

String

Yes

id of the policy to load (root if no root policy has been loaded yet)

Example: root

Response 201

Headers

 
Content-Type: application/json

Body

 
{
  "created_roles": {
    "myorg:host:database/db-host": {
      "id": "myorg:host:database/db-host",
      "api_key": "309yzpa1n5kp932waxw6d37x4hew2x8ve8w11m8xn92acfy672m929en"
    }
  },
  "version": 1
}