Skip to content
qibdo qibdo
v1
API version
  • v1
Theme
Book a demo

Update Access Policy

PATCH
/vault/v1/workspaces/{workspace}/engines/qibdo/accessPolicies/{id}
curl --request PATCH \
--url https://example.com/vault/v1/workspaces/example/engines/qibdo/accessPolicies/example \
--header 'Content-Type: application/json' \
--data '{ "name": "example", "document": { "rules": [ { "resource_name_pattern": "example", "permissions": [ "example" ], "ttl_cap_seconds": "example", "conditions": [ { "source_ip": { "operator": "example", "cidrs": [ "example" ] }, "time_window": { "operator": "example", "from": "example", "to": "example", "timezone": "example" } } ] } ] } }'

Replaces the active policy document with a new one. The previous document is pushed onto the policy’s version_history. Per AIP-134, supply the resource fields to update alongside a FieldMask; * requests full replacement semantics.

workspace
required
string

The workspace the access policy belongs to.

id
required
string

The unique identifier of the access policy to update.

update_mask
string format: field-mask

AIP-134 FieldMask. Omit for implicit mask of populated fields; * for full replacement.

Media type application/json

QibdoAccessPolicy resource — workspace-scoped access policy document layered on top of Qibdo IAM. The policy document composes one or more rules that grant a set of permissions on a resource-name pattern, optionally constrained by source IP ranges or time windows. The version_history list is a Qibdo-invented enhancement: every update appends the previous document so the full revision trail is auditable. Policies are consulted as a second-pass check after the IAM @PreAuthorize gate.

object
id

The unique identifier of the access policy (UUID).

stringOutput only
workspace_id

The workspace this policy belongs to (UUID, weak reference to taxonomy).

stringOutput only
name
required

Human-readable name of the policy, unique within the workspace (3–256 chars, lowercase alphanumerics plus / - _).

string
schema_version

The JSONB schema version governing the shape of document and version_history entries. Server-managed.

stringOutput only
document
required

The active policy document (rules + conditions).

object
rules

The rules that make up this policy. Every rule’s resource_name_pattern MUST be unique within a document.

Array<object>

AccessPolicyRule — grants a set of permissions on a resource-name pattern, optionally bounded by TTL and conditions.

object
resource_name_pattern
required

Resource-name pattern, e.g. “workspaces//secrets/”. The wildcard semantics follow Google AIP-159.

string
permissions
required

Permissions granted when the rule matches, e.g. “vault.secret.get”. At least one permission is required per rule.

Array<string>
ttl_cap_seconds

Optional upper bound on credentials issued via this rule (seconds). Unset means no TTL cap imposed by this rule.

string
conditions

Conjunctive constraints; all listed conditions must evaluate to true for the rule to apply.

Array<object>

AccessPolicyCondition — a constraint evaluated at authorization time. Mirrors IAM’s Condition hierarchy structurally (DOM-003: no shared domain types across bounded contexts).

object
source_ip

SourceIpCondition — restricts access to callers whose source IP falls inside (or outside) a set of CIDR ranges.

object
operator
required

IN_RANGE grants the rule when the source IP is in any listed CIDR; NOT_IN_RANGE grants the rule when it is in none.

string
cidrs
required

List of CIDR ranges to match against the caller’s source IP.

Array<string>
time_window

TimeWindowCondition — restricts access to callers whose request timestamp falls inside (or outside) a daily time window in the given timezone.

object
operator
required

WITHIN grants the rule when the current time is inside [from, to]; OUTSIDE grants the rule when it is not.

string
from
required

Start of the window in HH:mm 24-hour notation.

string
to
required

End of the window in HH:mm 24-hour notation.

string
timezone
required

IANA timezone identifier, e.g. “Europe/Amsterdam”.

string
version_history

Append-only list of previous document revisions. Each update pushes the pre-mutation document onto this list. Server-managed.

Array<object>Output only

AccessPolicyRevision — a snapshot of a previous policy document captured at update time. Qibdo-invented audit trail (upstream clouds do not expose policy revision history).

object
revision_number

Monotonically increasing revision number; starts at 1 for the first edit.

stringOutput only
previous_document

The document that was replaced.

object
rules

The rules that make up this policy. Every rule’s resource_name_pattern MUST be unique within a document.

Array<object>

AccessPolicyRule — grants a set of permissions on a resource-name pattern, optionally bounded by TTL and conditions.

object
resource_name_pattern
required

Resource-name pattern, e.g. “workspaces//secrets/”. The wildcard semantics follow Google AIP-159.

string
permissions
required

Permissions granted when the rule matches, e.g. “vault.secret.get”. At least one permission is required per rule.

Array<string>
ttl_cap_seconds

Optional upper bound on credentials issued via this rule (seconds). Unset means no TTL cap imposed by this rule.

string
conditions

Conjunctive constraints; all listed conditions must evaluate to true for the rule to apply.

Array<object>

AccessPolicyCondition — a constraint evaluated at authorization time. Mirrors IAM’s Condition hierarchy structurally (DOM-003: no shared domain types across bounded contexts).

object
source_ip

SourceIpCondition — restricts access to callers whose source IP falls inside (or outside) a set of CIDR ranges.

object
operator
required

IN_RANGE grants the rule when the source IP is in any listed CIDR; NOT_IN_RANGE grants the rule when it is in none.

string
cidrs
required

List of CIDR ranges to match against the caller’s source IP.

Array<string>
time_window

TimeWindowCondition — restricts access to callers whose request timestamp falls inside (or outside) a daily time window in the given timezone.

object
operator
required

WITHIN grants the rule when the current time is inside [from, to]; OUTSIDE grants the rule when it is not.

string
from
required

Start of the window in HH:mm 24-hour notation.

string
to
required

End of the window in HH:mm 24-hour notation.

string
timezone
required

IANA timezone identifier, e.g. “Europe/Amsterdam”.

string
edited_by

The principal that performed the edit (UUID, weak reference to IAM user).

stringOutput only
edited_at

When the edit happened (server-managed).

string format: date-time Output only
created

Timestamp when the policy was created (server-managed).

string format: date-time Output only
updated

Timestamp when the policy was last updated (server-managed).

string format: date-time Output only
location_id

Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.

stringOutput only
Example generated
{
"name": "example",
"document": {
"rules": [
{
"resource_name_pattern": "example",
"permissions": [
"example"
],
"ttl_cap_seconds": "example",
"conditions": [
{
"source_ip": {
"operator": "example",
"cidrs": [
"example"
]
},
"time_window": {
"operator": "example",
"from": "example",
"to": "example",
"timezone": "example"
}
}
]
}
]
}
}

OK

Media type application/json

Vault Operation

Tracks the result of a vault command (secret, crypto key, lease, certificate authority, certificate, access policy, or vault-level lifecycle action).

object
id

Operation ID

Unique identifier of the operation.

stringOutput only
workspace_id

Workspace ID

The workspace in whose namespace the operation was executed.

stringOutput only
resource_id

Resource ID

ID of the affected resource (nullable for vault-level lifecycle ops such as snapshot).

stringOutput only
resource_type

Resource Type

URN of the affected resource type (e.g., “com.qibdo.cloud.vault:secret”).

stringOutput only
operation_type

Operation Type

The action performed (CREATE, ROTATE, REVOKE, ENCRYPT, …).

stringOutput only
status

Status

The operation status (PENDING, RUNNING, DONE, FAILED).

stringOutput only
insert_time

Insert Time

When the operation was created.

string format: date-time Output only
start_time

Start Time

When execution started (nullable).

string format: date-time Output only
end_time

End Time

When execution completed (nullable).

string format: date-time Output only
progress

Progress

Progress percentage (0–100).

integer format: int32 Output only
warnings

Warnings

Non-fatal notices emitted during the operation.

Array<object>Output only

Vault Warning

A non-fatal notice emitted by a vault operation. The operation still completed; the warning surfaces unsupported features or capability gaps in the underlying engine.

Warning codes follow the S_SSS_EEE convention:

  • Millions digit: service (9 = vault)
  • Thousands: group
  • Units: specific warning
object
code

Warning Code

Numeric identifier of the warning type.

integer format: uint32 Output only
description

Description

Human-readable explanation of what was ignored or degraded.

stringOutput only
Example generated
{}

Default error response

Media type application/json

The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.

object
code

The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].

integer format: int32
message

A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.

string
details

A list of messages that carry the error details. There is a common set of message types for APIs to use.

Array<object>

Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.

object
@type

The type of the serialized message.

string
key
additional properties
any
Example generated
{
"code": 1,
"message": "example",
"details": [
{
"@type": "example"
}
]
}