Setup
We will setup a Credential Status service inside of a tenant. If you don't have a tenant yet, you can learn how to create one here.
Currently, status credentials can be stored and made available via five types of external services:
We support three ways to authenticate with each of these supported services:
- Managed Identity: recommended for AWS and Azure.
- Config: recommended for GCP and S3-compatible storage.
- Registry: recommended for quick testing and local development.
via Managed Identity
The Credential Status service can be configured to use a managed identity for authentication. This is useful when you want the service to authenticate as a service principal instead of holding long-lived access keys. It is the recommended way to configure the Credential Status service.
It is currently only supported for AWS and Azure. For GCP and S3-compatible storage, we recommend using the configRef method described below.
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Configuration options vary based on the bucket's hosting environment and its access method.
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region"
}
}
}
Body Parameters
- type: credential-status - Specifies the type of service to create. In this case, it is credential-status.
- config: object - Storage configuration for the status credential service.
  - registry: object - Defines the registry and the access credentials for the chosen registry.
    - type: aws - Indicates the type of registry, which is aws in this context.
    - bucketName: string - The name of the AWS S3 bucket.
    - region: string - The AWS region where the bucket is located.
    - endpointUrl: string - (Optional) The URL of the S3-compatible registry bucket, e.g. https://s3-mock.com.
    - bucketUrl: string - (Optional) The URL of the registry bucket custom domain, e.g. https://custom-domain.com.
via Config
Instead of sending storage credentials inline for every Credential Status service, you can define reusable storage
profiles in waltid-enterprise-api/config/resource-access.conf and reference them via configRef when creating
services through the Enterprise API.
The configuration file uses HOCON and defines a resourceAccess map, where each entry is a named storage profile:
resourceAccess = {
  # AWS S3 Example
  aws-s3-standard = {
    _type = "AwsS3Access"
    id = "s3-storage"
    region = "eu-north-1"
    bucket = { bucketName = "my-bucket" }
    credentials = {
      _type = "AwsCredentials"
      accessKeyId = "abc"
      secretKey = "xyz"
    }
  },
  # Azure Blob Storage Example
  azure-blob-storage = {
    _type = "AzureBlobAccess"
    id = "azure-storage"
    bucket = {
      bucketName = "documents"
      bucketUrl = "https://example.blob.core.windows.net/"
    }
    credentials = {
      _type = "AzureCredentials"
      connectionString = "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=..."
    }
  },
  # Google Cloud Storage Example
  gcp-storage = {
    _type = "GcpStorageAccess"
    id = "gcp-storage-main"
    projectId = "my-project"
    bucket = { bucketName = "gcp-bucket-main" }
    credentials = {
      _type = "GcpCredentials"
      serviceAccountKeyJson = {
        type = "service_account"
        project_id = "my-project"
        private_key_id = "abc123..."
        # HOCON requires a triple-quoted string for a multi-line value such as a PEM key
        private_key = """-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"""
        client_email = "service-account@my-project.iam.gserviceaccount.com"
        client_id = "1234567890"
        auth_uri = "https://accounts.google.com/o/oauth2/auth"
        token_uri = "https://oauth2.googleapis.com/token"
        auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs"
        client_x509_cert_url = "https://www.googleapis.com/robot/v1/metadata/x509/service-account%40my-project.iam.gserviceaccount.com"
        universe_domain = "googleapis.com"
      }
    }
  }
}
When creating a credential-status service, you can now reference one of these profiles instead of providing the full
storage configuration inline:
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"configRef": "aws-s3-standard"
}
}'
Example Request Body
{
"type": "credential-status",
"config": {
"configRef": "aws-s3-standard"
}
}
At runtime, the Enterprise API resolves the configRef against resource-access.conf whenever the Credential Status service needs to read or write a status list. This allows centralized credential management and rotation without updating individual service records in the database.
via Registry
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Configuration options vary based on the bucket's hosting environment and its access method.
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region",
"accessKeyId": "s3-access-key-id",
"secretKey": "s3-secret-key"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region",
"accessKeyId": "s3-access-key-id",
"secretKey": "s3-secret-key"
}
}
}
Body Parameters
- type: credential-status - Specifies the type of service to create. In this case, it is credential-status.
- config: object - Storage configuration for the status credential service.
  - registry: object - Defines the registry and the access credentials for the chosen registry.
    - type: aws - Indicates the type of registry, which is aws in this context.
    - bucketName: string - The name of the AWS S3 bucket.
    - region: string - The AWS region where the bucket is located.
    - accessKeyId: string - (Optional) The access key ID for accessing the AWS S3 bucket.
    - secretKey: string - (Optional) The secret access key for accessing the AWS S3 bucket.
    - endpointUrl: string - (Optional) The URL of the S3-compatible registry bucket, e.g. https://s3-mock.com.
    - bucketUrl: string - (Optional) The URL of the registry bucket custom domain, e.g. https://custom-domain.com.
AWS access credentials are optional. If they are not provided, the default Credential Provider Chain is executed, relying on the AWS environment configuration (e.g. credentials provided by an EC2 instance IAM role).
Example Request (in-memory registry, for local testing only; status lists are not persisted)
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "in-memory"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "in-memory"
}
}
}
Path Parameters
- orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
- target: resourceIdentifier - The target indicates the organization + tenant in which to create the new credential status service and the service's ID ({organizationID}.{tenantID}.[NewCredentialStatusServiceID]), e.g. waltid.tenant1.credential-status-service-id
Response Codes
- 201 - Service created successfully.
- 401 - Invalid authentication.
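As an added example (not walt.id's own client code), the Python helper below builds the request bodies for the inline AWS registry and configRef variants described on this page, validates the target path parameter format, and masks secret-bearing fields so a request body can be logged safely. It assumes resource-access.conf has already been loaded into a plain mapping; the org, tenant, bucket and token values used are constructed placeholders.

```python
import json
import re
from urllib.request import Request

# Constructed placeholders: the org, tenant, bucket and token values are not real.
BASE_URL = "https://{org}.enterprise-sandbox.waltid.dev"
TARGET_RE = re.compile(r"^[\w-]+\.[\w-]+\.[\w-]+$")  # {organizationID}.{tenantID}.{serviceID}
SECRET_FIELDS = {"secretKey", "connectionString", "serviceAccountKeyJson", "private_key"}

def service_url(org_id: str, target: str) -> str:
    """Create-service endpoint; target must carry org, tenant and the new service ID."""
    if not TARGET_RE.match(target):
        raise ValueError(f"target must look like org.tenant.serviceId, got {target!r}")
    return f"{BASE_URL.format(org=org_id)}/v1/{target}/resource-api/services/create"

def aws_registry(bucket, region, access_key_id=None, secret_key=None,
                 endpoint_url=None, bucket_url=None) -> dict:
    """Inline AWS / S3-compatible registry. With both keys omitted the Enterprise API
    falls back to the default credential provider chain (the managed-identity path)."""
    if (access_key_id is None) != (secret_key is None):
        raise ValueError("accessKeyId and secretKey must be supplied together")
    reg = {"type": "aws", "bucketName": bucket, "region": region}
    if access_key_id is not None:
        reg.update(accessKeyId=access_key_id, secretKey=secret_key)
    if endpoint_url:
        reg["endpointUrl"] = endpoint_url
    if bucket_url:
        reg["bucketUrl"] = bucket_url
    return {"type": "credential-status", "config": {"registry": reg}}

def config_ref(profiles: dict, ref: str) -> dict:
    """configRef body; profiles is resource-access.conf already loaded as a mapping."""
    if ref not in profiles:
        raise KeyError(f"configRef {ref!r} is not defined in resource-access.conf")
    return {"type": "credential-status", "config": {"configRef": ref}}

def redact(obj):
    """Copy of a request body that is safe to log: secret-bearing fields masked."""
    if isinstance(obj, dict):
        return {k: "***" if k in SECRET_FIELDS else redact(v) for k, v in obj.items()}
    return obj

def build_request(org_id: str, target: str, token: str, body: dict) -> Request:
    """POST request matching the curl calls above; send it with urllib.request.urlopen."""
    headers = {"accept": "*/*", "Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return Request(service_url(org_id, target), data=json.dumps(body).encode(),
                   headers=headers, method="POST")
```

Log only redact(body), never the raw body, when tracing service creation; the configRef variant carries no secrets at all, which is one reason it is preferred over inline keys.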