Update a policy

Modifies an existing Conjur policy. Data may be explicitly deleted using the !delete, !revoke, and !deny statements. Unlike “replace” mode, no data is ever implicitly deleted.

 

Entity IDs must be URL-encoded.

URI

 
PATCH /policies/{account}/policy/{identifier}

Any identifier included in the URL must be URL-encoded to be recognized by the Conjur API.

Examples

| Identifier | URL-Encoded |
|---|---|
| myapp-01 | myapp-01 (no change) |
| user@devops | user%40devops |
| alice@devops | alice%40devops |
| prod/aws/db-password | prod%2Faws%2Fdb-password |
| research+development | research%2Bdevelopment |
| sales&marketing | sales%26marketing |

Permissions required

update privilege on the policy.

Example with curl

Suppose you have a policy to load in /tmp/policy.yml (such as the sample one provided below). The following command will create and delete data in the “root” policy:

 
curl -H "$(conjur authn authenticate -H)" \
     -X PATCH -d "$(< /tmp/policy.yml)" \
     https://eval.conjur.org/policies/myorg/policy/root

Request Body

The request body should be a policy file. For example:

 
- !policy
  id: database
  body:
    - !host
      id: another-host
    - !delete
      record: !host new-host

Response

| Code | Description |
|---|---|
| 201 | The policy was updated successfully |
| 401 | The request lacks valid authentication credentials |
| 403 | The authenticated user lacks the necessary privilege |
| 404 | The policy referred to a role or resource that does not exist in the specified account |
| 409 | Policy load already in progress, retry after a delay |
| 422 | The request body was empty or the policy was not valid YAML |

Example URI

 
PATCH /policies/myorg/policy/root

URI Parameters

| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| account | String | Yes | Organization account name. Example: myorg |
| identifier | String | Yes | The ID of the policy to update. Example: root |

Response 201

Headers

 
Content-Type: application/json

Body

 
{
  "created_roles": {
    "cucumber:host:database/another-host": {
      "id": "cucumber:host:database/another-host",
      "api_key": "zcpanf1qj0be1spqmq51yfj69j24akjy413gsv501eqbf48136cw7v"
    }
  },
  "version": 3
}
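
The following client-side helpers are an added example, not part of the Conjur documentation or project code. They build the URL-encoded PATCH URI, map the response codes listed above to an action, and strip the api_key values out of a 201 body before it is logged. The base URL, the function names, and the sample response are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote

# Constructed base URL for illustration; substitute your Conjur endpoint.
BASE_URL = "https://conjur.example.com"

def policy_url(account, identifier, base_url=BASE_URL):
    """Build the PATCH URL, percent-encoding every reserved character.

    safe="" matters: quote() leaves "/" unescaped by default, which would
    turn prod/aws/db-password into three path segments instead of one ID.
    """
    return "{}/policies/{}/policy/{}".format(
        base_url.rstrip("/"), quote(account, safe=""), quote(identifier, safe=""))

# Status codes taken from the response table on this page.
RETRYABLE = {409}  # policy load already in progress
FATAL = {401: "invalid or missing credentials",
         403: "caller lacks update privilege on the policy",
         404: "policy references a role or resource that does not exist",
         422: "empty body or invalid YAML"}

def classify(status):
    """Map a response code to 'ok', 'retry', or 'fail: <reason>'."""
    if status == 201:
        return "ok"
    if status in RETRYABLE:
        return "retry"
    return "fail: " + FATAL.get(status, "unexpected status {}".format(status))

def split_secrets(body_text):
    """Separate a 201 body into a loggable summary and the API keys.

    Returns (summary, keys): summary has every api_key replaced by a
    marker; keys maps role ID -> api_key for hand-off to a secret store.
    """
    body = json.loads(body_text)
    keys = {}
    for role_id, role in body.get("created_roles", {}).items():
        if "api_key" in role:
            keys[role_id] = role["api_key"]
            role["api_key"] = "<redacted>"
    return body, keys

# Constructed sample response in the shape shown on this page.
SAMPLE_201 = ('{"created_roles": {"myorg:host:database/another-host": '
              '{"id": "myorg:host:database/another-host", '
              '"api_key": "constructed-sample-key"}}, "version": 3}')
```

The 201 body is the only place the API key of a newly created role appears in this exchange, so log only the summary returned by split_secrets and pass the keys directly to wherever the new host's credential is stored.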