Replace a policy

Loads or replaces a Conjur policy document.

Any policy data which already exists on the server but is not explicitly specified in the new policy file will be deleted.
Entity IDs must be URL-encoded

URI

PUT /policies/{account}/policy/{identifier}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

Identifier	URL-Encoded
`myapp-01`	`myapp-01`(no change)
`alice@devops`	`alice%40devops`
`username@devops`	`username%40devops`
`prod/aws/db-password`	`prod%2Faws%2Fdb-password`
`prod/aws/data/db-password`	`prod%2Faws%2Fadta%2fdb-password`
`research+development`	`research%2Bdevelopment`
`sales&marketing`	`sales%26marketing`

Permissions required

update privilege on the policy.

Example with curl

Suppose you have a policy to load in /tmp/policy.yml (such as the sample one provided below). The following command loads this as the “root” policy, replacing any other data that may already be in this policy:

curl -H "$(conjur authn authenticate -H)" \
     -X PUT -d "$(< /tmp/policy.yml)" \
     https://eval.conjur.org/policies/myorg/policy/root

Request Body

The request body is a policy file. For example:

- !policy
  id: database
  body:
    - !host
      id: db-host
    - !variable
      id: db-password
      owner: !host db-host

Response

Code	Description
201	The policy was loaded or replaced successfully
401	The request lacks valid authentication credentials
403	The authenticated user lacks the necessary privilege
404	The policy referred to a role or resource that does not exist in the specified account
409	Policy load already in progress, retry after a delay
422	The request body was empty or the policy was not valid YAML

Example URI

PUT /policies/myorg/policy/root

URI Parameters

Parameter	Type	Mandatory	Description
account	String	Yes	Organization account name Example: `myorg`
identifier	String	Yes	The ID of the policy to load (`root` if no root policy has been loaded yet) Example: `root`

Parameter

Type

Mandatory

Description

account

String

Yes

Organization account name

Example: myorg

identifier

String

Yes

The ID of the policy to load (root if no root policy has been loaded yet)

Example: root

Response 201

Headers

Content-Type: application/json

Body

{
  "created_roles": {
    "myorg:host:database/db-host": {
      "id": "myorg:host:database/db-host",
      "api_key": "309yzpa1n5kp932waxw6d37x4hew2x8ve8w11m8xn92acfy672m929en"
    }
  },
  "version": 1
}