Rotate Another Role's API Key

Replaces the API key of another role that you can update with a new, securely random API key. The new API key is returned as the response body.

 
  • The body of the request must be the empty string.

  • Entity IDs must be URL-encoded.

URI

 
PUT /authn/{account}/api_key?role={kind}:{identifier}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples:

Identifier

URL-Encoded

myapp-01

myapp-01(no change)

alice@devops

alice%40devops

prod/aws/db-password

prod%2Faws%2Fdb-password

research+development

research%2Bdevelopment

sales&marketing

sales%26marketing

Kinds of Roles

Kind

Description

User

one unique human

Host

a single logical machine (in the broad sense, not just physical)

Layer

a collection of hosts that have the same privileges

Group

a collection of users and groups that have the same privileges

Policy

a role which owns of a set of related objects

Permissions required

update privilege on the role whose API key is being rotated.

Example with curl

Suppose your account is “myorg” and you want to rotate the API key for user “alice” whose current password is “Mypassw0rD1!”:

 
curl --request PUT --data "" \
     -H "$(conjur authn authenticate -H)" \
     https://eval.conjur.org/authn/myorg/api_key?role=user:alice

Headers

Field

Description

Example

Authorization

Supported basic auth credentials: password (for users), API key, and access token.

Basic ZGFuaWVsOjlwOG5mc2RhZmJw

Response

Code

Description

200

The response body is the API key

401

The credentials were not accepted

Example URI

 
PUT /authn/myorg/api_key?role=user:alice

URI Parameters

Parameter

Type

Mandatory

Description

account

String

Yes

Organization account name

Example: myorg

kind

String

Yes

the kind of the role whose API key we will rotate, usually “user” or “host”

Example: user

identifier

String

Yes

the id of the role

Example: alice

Request

Headers

 
Authorization: Basic ZGFuaWVsOjlwOG5mc2RhZmJw

 

 

Requests that rotate a role's own API key must use either their password (for users) or their existing API key (for hosts and users).

Response 200

Headers

 
Content-Type: text/plain; charset=utf-8

Body

 
14m9cf91wfsesv1kkhevg12cdywm2wvqy6s8sk53z1ngtazp1t9tykc