API Keys
API keys provide a persistent means of authenticating with the PCE and are recommended for scriptwriting.
This Public Stable APIs allow local users to create user API keys and use them as credentials to access the PCE.
All API keys are organization-based.
There are two categories of API keys:
These keys are based on specific owners and owners so that they can make API calls to the PCE.
These API keys are based on a service instead of on a specific user.
Working with API Keys
When you create an API key, you receive an api_username and secret, which function as the username and password for making API calls. An API key is permanent and does not expire (unless when deleted).
Important
Any tooling that parses the HTTP headers should be changed to allow case-insensitive header name matching in order to retain compatibility with future PCE releases. Refer to RFC 7230, section 3.2, "Header Fields," which states that field names should be case insensitive.
Use API keys to write scripts that run automatically, without requiring a human user to authenticate the API call. Unless you are a read-only user, you can create multiple API keys and make API calls in your scripts.
You can also create different API keys for different functions. For example, you might use an API key for scripting automatic workload pairing, and another API key for collecting system events from Illumio.
When you create an API key, the response returns both the auth_username and the secret needed for authenticating other API calls:
API username:
"auth_username":"api_xxxxxxxxxxx29"(represented in the code examples in this document as$KEY)API key secret:
"secret":"xxxxxxx5048a6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95"(represented in the code examples in this document as$TOKEN)
Get a Collection of all API keys
You can now get a list of all API keys, both user-based and service account-based.
To query API keys regardless of their type, use this API:
GET /api/v2/orgs/:xorg_id/api_keys
Query Parameters for API Keys
Some parameters have been renamed or deprecated to allow differentiation between the type userand service_account:
query parameter
nameis retained for the typeservice_accountquery parameter
nameis changed tousernamefor the typeuserquery parameer
service_account_namewas deprecated and consolidated tonamequery parameter
api_key_namewas deprecated and removed as not needed
Special Characters in API Calls
If a usernameor name in an API call contains special characters, these have to be encoded for the call to be successful.
For example, for a service account name sa&1, instead of
api/v2/orgs/1/api_keys?type=service_account&name=sa&1
enter the call as
api/v2/orgs/1/api_keys?type=service_account&name=sa%261
User-Based API Keys
This Public Stable API allows you to manage API keys and make API calls to the PCE.
User API Key Methods
Functionality | HTTP | URI |
|---|---|---|
Get a collection of API keys |
|
|
Get an individual API key |
|
|
Create an API key |
|
|
Update an API key |
|
|
Delete an API key |
|
|
Working with User-based API Keys
Parameters
Parameter | Description | Type |
|---|---|---|
| (GET, POST, PUT, DELETE)The user ID in the form of an HREF (e.g., ' | String |
| (GET, POST, PUT, DELETE)This is the actual API key ID. Use this query parameter only for a GET instance call. | String |
| (POST, PUT)The unique name to give the key. Can be any string. | String |
List User-Based API Keys
When you GET an individual API key or a collection of API keys, the response only returns those API keys created by the user that has authenticated with the PCE for the session.
This API gets one API key or a collection of API keys that a specific user has created. To get a single API key, you need to know the API key’s URI, which is returned in the form of an HREF path when you create an API key, as well as the HREF of the user who created the key.
You can query the user API keys as follows:
GET /api/v2/orgs/:xorg_id/api_keys?type=user
You can also query the user-based API keys based on their expiration:
GET /api/v2/orgs/:xorg_id/api_keys?type=user&state=active
GET /api/v2/orgs/:xorg_id/api_keys?type=user&state=expired
GET [api_version][user_href]/api_keys
Curl Command to Get a Key
The API key is identified in the form of an HREF path property:
"/users/11/api_keys/a034248fbcdd60b4"
curl -i -X GET https://pce.my-company.com:8443/api/v2/users/11/api_keys/a034248fbcdd60b4 -H "Accept: application/json" -u $KEY:$TOKEN
Get a Collection of Keys
To use an API key, store the key and secret safely. Anyone with access to both has access to your organization's API.
Due to security concerns, external users are not allowed to create an API Key even if their roles allow it.
curl -i -X GET https://pce.my-company.com:8443/api/v2/users/11/api_keys -H "Accept: application/json" -u $KEY:$TOKEN
Response Body
An API key is represented by its HREF path, as shown here:
/users/29/api_keys/1e9bb1787883639d5
For example:
[
{
"href": "/users/29/api_keys/1e9bb1787883639d5",
"key_id": "1e9bb1787883639d5",
"auth_username": "api_1e9bb1787883639d5",
"created_at": "2016-01-27T01:30:22.274Z",
"name": "my_api_key",
"description": "my_scripting_key"
},
{
"href": "/users/29/api_keys/1793df73a99255f7e",
"key_id": "1793df73a99255f7e",
"auth_username": "api_1793df73a99255f7e",
"created_at": "2016-03-14T16:20:43.603Z",
"name": "MyKey",
"description": "My Special Key"
}
]Get All Labels with a Key
If you use an API key to get a collection of labels in an organization, and your API key uses these credentials:
api_xxxxxxx64fcee809is the API keyxxxxxxx09137412532289d6ecd10bc89c6b1f608c9a85482e7a573is the secret (API key password)
curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/3/labels -H "Accept: application/json" -u api_xxxxxxx64fcee809:'xxxxxxx09137412532289d6ecd10bc89c6b1f608c9a85482e7a573'
Session and persistent (API key) credentials are represented in this document as the constants $KEY:$TOKEN (with no spaces).
curl -i -X GET https://pce.my-company.com:8443/api/v2/orgs/3/labels -H "Accept: application/json" -u $KEY:$TOKEN
Create a User-based API Key
This API creates a unique API key and returns an API key ID and secret, which you can use to get, update, or delete the key, and to make other API calls.
To create an API key, you first need to authenticate either using a session token or another API key. To obtain a session token, use the Users API and authenticate with the PCE. You will receive your user ID, user HREF, and a session token that you can use when you call this API to create an API key.
Important
If you use an API key, safely store the key and the secret. Anyone with access to both will have access to the API for your organization.
Important
Due to security concerns, external users are not allowed to create an API Key even if their roles allow it.
URI
POST [api_version][user_href]/api_keys
An example user HREF looks like this:
/users/99
{
"name": "my_api_key",
"description": "my_scripting_key"
}To create a user-based API key
In this curl command, the user authentication (-u) uses the session credentials returned from calling the Login API to log in a user. The API key is passed as a JSON object formatted inside of double quotes in the command:
curl -i -X POST https://pce.my-company.com:8443/api/v2/users/14/api_keys -H "Content-Type:application/json" -u user_14:'xxxxxxx563199f92af7b705ddca2685'-d "{ "name":"my_api_key","description":"my_scripting_key" }" Response Body
This example shows the response from creating an API key, which you can use for making other API calls. These values do not expire. The auth_username functions as the username, and the secret functions as the password when making other API calls:
{
key_id: "xxxxxxx6654188229"
secret: "xxxxxxxxxxxa6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95"
auth_username: api_xxxxxxx6654188229
}These values can now be use authenticate with the API as follows:
Username:
api_xxxxxxx29api_xxxxxxx6654188229Password:
xxxxxxxxxxxa6a85ce846a706e134ef1d4bf2ac1f253b84c1bf8df6b83c70d95
Use the PCE Web Console
You can also create API keys in the PCE web console with the User Menu.
In the drop-down User menu, select My API Keys.
A list of configured API keys is displayed.
If no API keys are configured, the message "No API Keys" is displayed.
To add a new API key, click Add.
In the Create API Key pop-up window, enter a name for the API key in the Name field. Optionally, enter a description in the Description field.
Click Save to save your API key or click Cancel to close the pop-up window without saving your changes.
When the API Key Created window appears, click the > button next to "Show credentials" to display the credentials for your API key.
The following information is displayed:
Key ID: The unique ID of the API key
Authentication Username: The username that authenticates the API calls
Secret: The password for the API key
Click Download Credentials to download the credentials as a text file. Make sure that you have saved the credential information before clicking Done.
After you click Done, the API Keys page displays a summary of your new API key, including the following information:
Name
Description
Key ID
Authentication Username
Created On
Note
The credential information is displayed only once. Make sure to save it in a secure location because it is used to access the API for your organization. If the credential information is lost, you must create a new API key.
Update a User-Based API Key
This API allows you to update an API key name or description. To make this call, you need the API key URI, which is returned in the form of an HREF path when you Create a User-Based API Key.
Update a User-based API Key
PUT [api_version][api_key_href
Example Payload
{
"name": "my_api_key1",
"description": "my_scripting_key v2"
}curl -i -X POST https://pce.my-company.com:8443/api/v2/users/99/api_keys/a034248fbcdd60b4 -H "Content-Type:application/json" -u $KEY:$TOKEN -d '{ "name": "my_key_1", "description": "my_scripting_key v2" }'Delete a User-based API Key
To delete an API key, you need the unique API key ID, which is returned in the form of an HREF path property when you either create a new API key, or when you get a single or a collection of API keys.
URI to Delete a User-based API Key
DELETE [api_version][api_key_href]
Service Account-based API Keys
Service account-based APIs allow for the creation and management of API keys based on a service account. You can manage the expiration of service account-based API keys.
Service accounts are always organization-based and specific to a PCE. While creating a service account, users create their permissions, and an api_key implicitly gets created. Deleting a service account removes its permissions and all associated API keys.
Methods
Functionality | HTTP | URI |
|---|---|---|
List all Service Account API keys: |
|
|
To retrieve a specific Service Account |
|
|
Create a new service account API key |
|
|
To create a new service account API key after performing the required validation |
|
|
Update a service account |
|
|
Delete a service account API key |
|
|
Delete a service account including any associated API keys |
|
|
Parameters
Parameter | Description | Type | Required |
|---|---|---|---|
| (GET, POST, PUT) Organization ID. | Integer | Yes |
| (GET) Maximum number of service accounts to return | Integer | No |
| (GET, POST, PUT) Name of service account to filter by | String | No(GET) Yes(POST) |
| (GET) Role URI (JSON-encoded string) to filter on | String | No |
| The description of the service_account | String | No |
| (POST, PUT) Access restriction assigned to the keys created under this service_account | Object | No |
| (PUT, DELETE) Service account UUID | String | Yes |
Service account-based API keys' expiration is defined by owners who can specify the default expiration time.
The key expiration time is specified with a default value specified in the settings, where the expiration date of an existing API key cannot be modified.
When an API request is authenticated by an expired API key, the request is rejected and the audit event triggered by this failure includes the API key's Key ID and the expired status of the API Key. The details also include the expiration date and the last_used_at date.
Query Keys by Expiration
To retrieve the API keys based on the expiration (active or expired) used these APIs:
GET /api/v2/orgs/:xorg_id/api_keys?type=service_account&state=expired
This query lists all expired API keys.
GET /api/v2/orgs/:xorg_id/api_keys?type=service_account&state=active
This query lists all active API keys.
Settings
Settings for service account-based API keys specify the default expiration period for service account keys and retention period for expired keys.
The Public Experimental APIs that manage API keys settings are based on the role of the organization administrator (this_org_admin) and are ad follows:
GET /api/v1/orgs/:xorg_id/settings
Support for viewing api_key settings for an organization.
PUT /api/v1/orgs/:xorg_id/setting
Support for updating
api_keysettings for an organization.API key expiration is now set between
-1and2147483647seconds and expired key retention is a minimum of0seconds.The
settings_put.schema.jsonschema looks as follows:{ "$schema": "http://json-schema.org/draft-04/schema#", "type": "object", "additionalProperties": false, "properties": { "max_api_key_expiration_in_seconds": { "description": "Validity of api_key in seconds; -1 specifies api_keys never expire", "type": "integer", "minimum": -1, "default": 7776000, "maximum": 2147483647 }, "expired_api_keys_retention_in_seconds": { "description": "Retention of expired api_keys in the database", "type": "integer", "default": 7776000, "minimum": 0, "maximum": 31536000 }, "advanced_ruleset_display": { "description": "When true, the UI will display rulesets in advanced mode. This means that scopes will be displayed for any unscoped rulesets, including newly added rulesets.", "type": "boolean", "default": true }, "ven_maintenance_token_required": { "description": "Identifies if the tampering protection for the VEN and endpoints is enabled or not.", "type": "boolean", "default": false } } }
The new property ven_maintenance_token identifies if the tampering protection for the VEN and endpoints is enabled. The default is "not enabled".
Create a new Service Account API Key
Request
{
"name": "key3",
"description": "testing key 3",
"access_restriction": {
"href": "/orgs/1/access_restrictions/2"
},
"permissions": [
{
"role": { "href": "/orgs/1/roles/ruleset_manager"},
"scope": [
{
"label": {
"href": "/orgs/1/labels/9",
"key": "env",
"value": "Development"
}
}
]
},
{
"role": { "href": "/orgs/1/roles/owner" },
"scope": []
}
],
"api_key": {
"expires_in_seconds": 86400
}
}Response
{
"name": "service_account1",
"description": "testing service_account",
"href": "/orgs/1/service_accounts/33ed7e04-9b25-4c9a-a031-a6b1bd437807",
"access_restriction": {
"href": "/orgs/1/access_restrictions/2"
},
"permissions": [
{
"href": "/orgs/1/permissions/84e5541f-3349-41c9-8fdb-9756faf96baa",
"role": {"href": "/orgs/1/roles/ruleset_manager"
},
"scope": [
{
"label": {
"href": "/orgs/1/labels/9"
}
}
]
},
{
"role": {
"href": "/orgs/1/roles/owner"
},
"scope": []
}
],
"api_key": {
"auth_username": "api_135c247aa6e3b654e",
"secret": "ab80cc497f7556e0cd72703c5229d814322c301d14d2d8d8c7060d516990097b"
}
}