Resource Access

The resource-access.conf file defines reusable storage profiles for external resources (for example, the buckets used by the Credential Status service). Instead of sending registry credentials inline in each service-creation call, you define named profiles here and reference them by name via config-ref when creating services.

Defining profiles here is the recommended way to configure storage access for deployments: it centralizes credential management and lets you rotate secrets without updating each service definition.

For production deployments, prefer Managed Identity over static keys stored in this file wherever the storage backend supports it. A profile that carries long-lived keys (accessKeyId/secretKey, an Azure AccountKey, or a GCP service account key) must then be protected like any other secret store.

Configuration file

File: config/resource-access.conf

resourceAccess = {
  # AWS S3 Example
  aws-s3-standard = {
    type = "aws"
    bucket = {
      name = "my-credential-status-bucket"
      region = "eu-central-1"
      # Optional: endpoint for S3-compatible storage (e.g. MinIO); keep it https
      url = "https://s3-compatible-endpoint"
    }
    # Static access keys. Omit this block when using managed identity or
    # environment-based credentials; if present, keep this file out of version control.
    credentials = {
      accessKeyId = "AKIA..."
      secretKey = "..."
    }
  },

  # Azure Blob Storage Example
  azure-blob-storage = {
    type = "azure"
    bucket = {
      name = "my-container-name"
    }
    azure = {
      # The connection string embeds the storage account key (AccountKey=...),
      # a long-lived secret; prefer managed identity in production
      connectionString = "DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=...;EndpointSuffix=core.windows.net"
    }
  },

  # Google Cloud Storage Example
  gcp-storage = {
    type = "gcp"
    bucket = {
      name = "my-gcp-bucket"
    }
    gcp = {
      projectId = "my-gcp-project-id"
      # The full JSON key for the service account as a single string
      # (a long-lived secret; prefer managed identity in production)
      serviceAccountKeyJson = "{\"type\": \"service_account\", ...}"
    }
  }
}

Option reference

  • resourceAccess: Root map of named storage profiles. Each key is a profile name (for example aws-s3-standard).
  • type: Storage type for the profile. Supported values include:
    • aws
    • azure
    • gcp
  • bucket.name: Name of the bucket or container used to store data (for example status lists).
  • bucket.region: (AWS only) Region of the S3 bucket (for example eu-central-1).
  • bucket.url: (Optional, AWS/S3-compatible) Custom or S3-compatible endpoint URL (for example MinIO, CDN domain).
  • credentials.accessKeyId / credentials.secretKey: Access keys for AWS/S3-compatible storage when not using managed identity or environment-based credentials.
  • azure.connectionString: Connection string for Azure Blob Storage.
  • gcp.projectId: Project ID of the Google Cloud project.
  • gcp.serviceAccountKeyJson: Full JSON service account key, provided as a single string.

Using resource-access.conf with services

Once a profile is defined in resource-access.conf, services can reference it using config-ref instead of providing the full registry configuration inline. For example, the Credential Status service can be created as follows:

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "type": "credential-status",
  "config": {
    "config-ref": "aws-s3-standard"
  }
}'

At runtime, the Enterprise API resolves config-ref against resource-access.conf whenever the service needs to read or write data. This allows centralized credential management and rotation without touching individual service records.
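The following is an added example, not walt.id code: it models the two steps described on this page, resolving a config-ref against the profiles in resource-access.conf and reviewing each profile before it is deployed. It parses only the HOCON subset the page uses (nested key = { ... } objects, quoted or bare values, # and // comments), and the sample configuration, the lint rules and all names, keys and endpoints in it are constructed for illustration; the real Enterprise API resolver is not shown on this page.

```python
"""Resolve a config-ref against resource-access.conf profiles and lint them.

Added example (not walt.id code). Handles only the HOCON subset the page uses:
nested `key = { ... }` objects, quoted or bare values, `#` and `//` comments.
"""
import itertools
import json
import re

SUPPORTED_TYPES = ("aws", "azure", "gcp")

# Constructed sample; every name, key and endpoint is a placeholder.
SAMPLE_CONF = r'''
resourceAccess = {
  # AWS S3 Example (plaintext endpoint and static keys are flagged below)
  aws-s3-standard = {
    type = "aws"
    bucket = {
      name = "my-credential-status-bucket"
      region = "eu-central-1"
      url = "http://minio.internal:9000"
    }
    credentials = {
      accessKeyId = "AKIAEXAMPLEEXAMPLE"
      secretKey = "not-a-real-secret"
    }
  },
  azure-blob-storage = {
    type = "azure"
    bucket = { name = "my-container-name" }
    azure = { connectionString = "DefaultEndpointsProtocol=https;AccountName=x;AccountKey=abc;EndpointSuffix=core.windows.net" }
  },
  gcp-storage = {
    type = "gcp"
    bucket = { name = "my-gcp-bucket" }
    gcp = {
      projectId = "my-gcp-project-id"
      serviceAccountKeyJson = "{\"type\": \"service_account\"}"
    }
  }
}
'''

_TOKEN = re.compile(r'''\s+ | \#[^\n]* | //[^\n]*          # whitespace and comments: skipped
    | (?P<str>"(?:\\.|[^"\\])*")                         # quoted string with JSON escapes
    | (?P<sym>[{}=,:])
    | (?P<bare>[^\s{}=,:"\#]+)''', re.VERBOSE)


def _tokens(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup is not None:          # None: whitespace or comment
            yield m.lastgroup, m.group(m.lastgroup)


def _parse_object(toks):
    """Parse members up to the matching '}' (the opening brace is already consumed)."""
    obj = {}
    for kind, val in toks:
        if kind == "sym" and val == "}":
            return obj
        if kind == "sym" and val == ",":
            continue
        if kind == "sym":
            raise ValueError(f"expected a key, got {val!r}")
        key = json.loads(val) if kind == "str" else val
        kind, val = next(toks, ("eof", ""))
        if kind == "sym" and val in ("=", ":"):   # `key = value`; `key { ... }` is also legal HOCON
            kind, val = next(toks, ("eof", ""))
        if kind == "sym" and val == "{":
            obj[key] = _parse_object(toks)
        elif kind in ("str", "bare"):
            obj[key] = json.loads(val) if kind == "str" else val
        else:
            raise ValueError(f"bad value for key {key!r}")
    raise ValueError("unterminated object")


def parse_hocon_subset(text):
    # The file body is an implicit top-level object, so append a closing brace as sentinel.
    return _parse_object(itertools.chain(_tokens(text), [("sym", "}")]))


def load_profiles(text):
    return parse_hocon_subset(text).get("resourceAccess", {})


def resolve_config_ref(profiles, ref):
    """Model of what the API does on each read/write: map config-ref to one profile."""
    if ref not in profiles:
        raise KeyError(f"config-ref {ref!r} is not defined in resource-access.conf")
    return profiles[ref]


def lint_profile(name, profile):
    """Return the findings a reviewer would raise before deploying this profile."""
    findings = []
    kind = profile.get("type")
    bucket = profile.get("bucket", {})
    if kind not in SUPPORTED_TYPES:
        findings.append(f"{name}: unsupported type {kind!r}")
    if not bucket.get("name"):
        findings.append(f"{name}: bucket.name is missing")
    if kind == "aws":
        if not bucket.get("region"):
            findings.append(f"{name}: bucket.region is missing")
        url = bucket.get("url", "https://")
        if not url.startswith("https://"):
            findings.append(f"{name}: bucket.url {url!r} is not https; keys would travel in the clear")
        if profile.get("credentials", {}).get("secretKey"):
            findings.append(f"{name}: static secretKey in file; prefer managed identity in production")
    elif kind == "azure" and "AccountKey=" in profile.get("azure", {}).get("connectionString", ""):
        findings.append(f"{name}: connectionString embeds the storage AccountKey; prefer managed identity")
    elif kind == "gcp" and profile.get("gcp", {}).get("serviceAccountKeyJson"):
        findings.append(f"{name}: serviceAccountKeyJson is a long-lived key; prefer managed identity")
    return findings


def lint_all(text):
    return {name: lint_profile(name, p) for name, p in load_profiles(text).items()}


if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE_CONF).items():
        print(name, "->", findings or "ok")
```

Run it against your own file by replacing SAMPLE_CONF with the contents of config/resource-access.conf; a profile name that a service's config-ref does not match raises KeyError, which is the failure you want to catch before the service first tries to read or write its bucket.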

Last updated on February 26, 2026