#Resource Access

The resource-access.conf file defines reusable credential profiles for external storage and key management services. Instead of embedding credentials inline in every API call, you define named profiles here and reference them via configRef when creating services.

Recommended: Use Managed Identity where possible for production deployments. Direct credential configuration (shown below) is best suited for development or environments where managed identity is unavailable.

#How It Works

Define a named profile in resource-access.conf (e.g. s3-storage, aws-kms)
Reference the profile by name using "configRef": "<profile-name>" when creating a service via the API
At runtime, the Enterprise API resolves the configRef and injects the appropriate credentials

This centralizes credential management — rotating secrets only requires updating resource-access.conf, not every service definition.

#File Location

config/resource-access.conf

#Storage Profiles

Storage profiles are used by services such as Credential Status that need to read and write data to a bucket or blob container.

#AWS S3

resourceAccess = {
  s3-storage = {
    _type  = "AwsS3Access"
    id     = "s3-storage"
    region = "eu-north-1"
    bucket = { bucketName = "my-bucket" }
    credentials = {
      _type       = "AwsCredentials"
      accessKeyId = "abc"
      secretKey   = "xyz"
    }
  }
}

#Azure Blob Storage

resourceAccess = {
  azure-storage = {
    _type  = "AzureBlobAccess"
    id     = "azure-storage"
    bucket = {
      bucketName = "documents"
      bucketUrl  = "https://example.blob.core.windows.net/"
    }
    credentials = {
      _type            = "AzureCredentials"
      connectionString = "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=..."
    }
  }
}

#Google Cloud Storage

resourceAccess = {
  gcp-storage-main = {
    _type     = "GcpStorageAccess"
    id        = "gcp-storage-main"
    projectId = "my-project"
    bucket    = { bucketName = "gcp-bucket-main" }
    credentials = {
      _type = "GcpCredentials"
      serviceAccountKeyJson = {
        type                        = "service_account"
        project_id                  = "my-project"
        private_key_id              = "abc123..."
        private_key                 = "-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
"
        client_email                = "service-account@my-project.iam.gserviceaccount.com"
        client_id                   = "1234567890"
        auth_uri                    = "https://accounts.google.com/o/oauth2/auth"
        token_uri                   = "https://oauth2.googleapis.com/token"
        auth_provider_x509_cert_url = "https://www.googleapis.com/oauth2/v1/certs"
        client_x509_cert_url        = "https://www.googleapis.com/robot/v1/metadata/x509/service-account%40my-project.iam.gserviceaccount.com"
        universe_domain             = "googleapis.com"
      }
    }
  }
}

#KMS Profiles

KMS profiles are used when creating key management services for AWS KMS or Azure Key Vault.

#AWS KMS

resourceAccess = {
  aws-kms = {
    _type  = "AwsKmsAccess"
    id     = "aws-kms"
    region = "eu-central-1"
    credentials = {
      _type       = "AwsCredentials"
      accessKeyId = "AK....F"
      secretKey   = "6Y....Sr"
    }
  }
}

#Azure Key Vault

resourceAccess = {
  azure-kms = {
    _type       = "AzureKeyVaultAccess"
    id          = "azure-kms"
    keyVaultUrl = "https://n2-keyvault.vault.azure.net/"
    credentials = {
      _type        = "AzureCredentials"
      tenantId     = "a8......46d"
      clientId     = "3b......c2c"
      clientSecret = "1ZQ.......sc1n"
    }
  }
}

#Using Profiles in API Calls

Once a profile is defined, reference it by name using configRef in your service creation request.

#Credential Status Service (Storage)

curl -X POST \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "credential-status",
    "config": {
      "configRef": "s3-storage"
    }
  }'

#KMS Service

curl -X POST \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "kms",
    "configRef": "aws-kms"
  }'

#Configuration Reference

#Common Fields

Field	Description
`_type`	Profile type. See supported values below.
`id`	Unique identifier for this profile. Must match the key name in `resourceAccess`.

#Supported `_type` Values

`_type`	Provider	Use case
`AwsS3Access`	AWS	S3 bucket storage
`AzureBlobAccess`	Azure	Blob container storage
`GcpStorageAccess`	GCP	Cloud Storage bucket
`AwsKmsAccess`	AWS	Key Management Service
`AzureKeyVaultAccess`	Azure	Key Vault

#Storage-Specific Fields

Field	Provider	Description
`bucket.bucketName`	Azure	Name of the blob container
`bucket.bucketUrl`	AWS , Azure	The URL of the registry bucket custom domain
`region`	AWS	AWS region (e.g. `eu-central-1`)
`endpointUrl`	AWS	Optional S3-compatible endpoint (e.g. `https://s3-mock.com`)
`projectId`	GCP	Google Cloud project ID

#Credentials Fields

Field	Provider	Description
`credentials.accessKeyId`	AWS	AWS access key ID
`credentials.secretKey`	AWS	AWS secret access key
`credentials.connectionString`	Azure (Storage)	Azure Blob Storage connection string
`credentials.tenantId`	Azure (KMS)	Azure AD tenant ID
`credentials.clientId`	Azure (KMS)	Azure AD client/application ID
`credentials.clientSecret`	Azure (KMS)	Azure AD client secret
`credentials.serviceAccountKeyJson`	GCP	Full GCP service account key object
`keyVaultUrl`	Azure (KMS)	URL of the Azure Key Vault instance

Last updated on March 10, 2026

Data Retention View Service Configuration