Setup
We will setup a Credential Status service inside of a tenant. If you don't have a tenant yet, you can learn how to create one here.
Currently, status credentials can be stored and made available via five types of external services:
We support three ways to authenticate with each of these supported services:
- Managed Identity: Recommended for AWS and Azure.
- Config: Recommended for GCP and S3-compatible storage.
- Registry: Recommended for quick testing and local development.
via Managed Identity
The Credential Status service can be configured to use a managed identity for authentication. This is useful when you want to authenticate with a service principal instead of static access keys, and it is the recommended way to configure the Credential Status service.
Managed identity is currently supported only for AWS and Azure. For GCP and S3-compatible storage, we recommend using the config-ref method described below.
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Configuration options vary based on the bucket's hosting environment and its access method.
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region"
}
}
}
Body Parameters
- type: credential-status - Specifies the type of service to create. In this case, it is credential-status.
- config: object - Storage configuration for the status credential service.
- registry: object - Defines the registry and the access credentials for the chosen registry.
- type: aws - Indicates the type of registry, which is aws in this context.
- bucketName: string - The name of the AWS S3 bucket.
- region: string - The AWS region where the bucket is located.
- endpointUrl: string - (Optional) The URL of the S3-compatible registry bucket, e.g. https://s3-mock.com.
- bucketUrl: string - (Optional) The URL of the registry bucket custom domain, e.g. https://custom-domain.com.
via Config
Instead of sending storage credentials inline for every Credential Status service, you can define reusable storage profiles in waltid-enterprise-api/config/resource-access.conf and reference them via config-ref when creating services through the Enterprise API.
The configuration file uses HOCON and defines a resourceAccess map, where each entry is a named storage profile:
resourceAccess = {
# AWS S3 Example
aws-s3-standard = {
type = "aws"
bucket = {
name = "my-credential-status-bucket"
region = "eu-central-1"
url = "endpoint for S3-compatible storage"
}
credentials = {
accessKeyId = "AKIA..."
secretKey = "..."
}
},
# Azure Blob Storage Example
azure-blob-storage = {
type = "azure"
bucket = {
name = "my-container-name"
}
azure = {
connectionString = "DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=...;EndpointSuffix=core.windows.net"
}
},
# Google Cloud Storage Example
gcp-storage = {
type = "gcp"
bucket = {
name = "my-gcp-bucket"
}
gcp = {
projectId = "my-gcp-project-id"
# The full JSON key for the service account as a string
serviceAccountKeyJson = "{\"type\": \"service_account\", ...}"
}
}
}
When creating a credential-status service, you can now reference one of these profiles instead of providing the full storage configuration inline:
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"config-ref": "aws-s3-standard"
}
}'
Example Request Body
{
"type": "credential-status",
"config": {
"config-ref": "aws-s3-standard"
}
}
At runtime, the Enterprise API resolves the config-ref against resource-access.conf whenever the Credential Status service needs to read or write a status list. This allows centralized credential management and rotation without updating individual service records in the database.
via Registry
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Configuration options vary based on the bucket's hosting environment and its access method.
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region",
"accessKeyId": "s3-access-key-id",
"secretKey": "s3-secret-key"
}
}
}'
Body
{
"type": "credential-status",
"config": {
"registry": {
"type": "aws",
"bucketName": "bucket-name",
"region": "region",
"accessKeyId": "s3-access-key-id",
"secretKey": "s3-secret-key"
}
}
}
Body Parameters
- type: credential-status - Specifies the type of service to create. In this case, it is credential-status.
- config: object - Storage configuration for the status credential service.
- registry: object - Defines the registry and the access credentials for the chosen registry.
- type: aws - Indicates the type of registry, which is aws in this context.
- bucketName: string - The name of the AWS S3 bucket.
- region: string - The AWS region where the bucket is located.
- accessKeyId: string - (Optional) The access key ID for accessing the AWS S3 bucket.
- secretKey: string - (Optional) The secret access key for accessing the AWS S3 bucket.
- endpointUrl: string - (Optional) The URL of the S3-compatible registry bucket, e.g. https://s3-mock.com.
- bucketUrl: string - (Optional) The URL of the registry bucket custom domain, e.g. https://custom-domain.com.
AWS access credentials are optional. If they are not provided, the AWS default credential provider chain is used, relying on the AWS environment configuration (e.g. credentials provided by an EC2 instance IAM role).
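The following is an added example, not walt.id's own code: a pre-flight validator that encodes the body rules documented above for both request shapes (the inline registry body and the config-ref body), so a malformed or half-configured request can be rejected locally before it is sent to the services/create endpoint. It only knows the aws registry shape shown on this page, and the sample bodies are constructed to mirror the examples.

```python
# Added example (not part of the walt.id Enterprise API): validates a
# "credential-status" service body against the field rules on this page.
from typing import Dict, List

HTTPS_FIELDS = ("endpointUrl", "bucketUrl")  # optional URLs, expected over TLS


def validate_service_body(body: Dict) -> List[str]:
    """Return a list of problems; an empty list means the body looks valid."""
    problems: List[str] = []
    if body.get("type") != "credential-status":
        problems.append("type must be 'credential-status'")
    config = body.get("config")
    if not isinstance(config, dict):
        return problems + ["config must be an object"]
    has_ref, has_registry = "config-ref" in config, "registry" in config
    if has_ref == has_registry:  # neither given, or both given
        problems.append("config needs exactly one of 'config-ref' or 'registry'")
    if has_ref and not (isinstance(config["config-ref"], str) and config["config-ref"]):
        problems.append("config-ref must be a non-empty profile name")
    if has_registry:
        problems += _check_registry(config["registry"])
    return problems


def _check_registry(reg: Dict) -> List[str]:
    """Checks for the inline 'aws' registry object documented on this page."""
    problems: List[str] = []
    if reg.get("type") != "aws":
        problems.append("registry.type must be 'aws' for this body shape")
    for field in ("bucketName", "region"):
        if not reg.get(field):
            problems.append(f"registry.{field} is required")
    # Static credentials are optional (the provider chain is used otherwise),
    # but a lone key ID or a lone secret is always a mistake.
    have_key, have_secret = bool(reg.get("accessKeyId")), bool(reg.get("secretKey"))
    if have_key != have_secret:
        problems.append("accessKeyId and secretKey must be given together")
    for field in HTTPS_FIELDS:
        url = reg.get(field)
        if url is not None and not str(url).startswith("https://"):
            problems.append(f"registry.{field} should use https://")
    return problems


# Constructed sample bodies mirroring the two request shapes on this page.
INLINE_BODY = {"type": "credential-status", "config": {"registry": {
    "type": "aws", "bucketName": "bucket-name", "region": "region",
    "accessKeyId": "s3-access-key-id", "secretKey": "s3-secret-key"}}}
REF_BODY = {"type": "credential-status", "config": {"config-ref": "aws-s3-standard"}}
```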
