Update Access Policy
const url = 'https://example.com/vault/v1/workspaces/example/engines/qibdo/accessPolicies/example';const options = { method: 'PATCH', headers: {'Content-Type': 'application/json'}, body: '{"name":"example","document":{"rules":[{"resource_name_pattern":"example","permissions":["example"],"ttl_cap_seconds":"example","conditions":[{"source_ip":{"operator":"example","cidrs":["example"]},"time_window":{"operator":"example","from":"example","to":"example","timezone":"example"}}]}]}}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request PATCH \ --url https://example.com/vault/v1/workspaces/example/engines/qibdo/accessPolicies/example \ --header 'Content-Type: application/json' \ --data '{ "name": "example", "document": { "rules": [ { "resource_name_pattern": "example", "permissions": [ "example" ], "ttl_cap_seconds": "example", "conditions": [ { "source_ip": { "operator": "example", "cidrs": [ "example" ] }, "time_window": { "operator": "example", "from": "example", "to": "example", "timezone": "example" } } ] } ] } }'Replaces the active policy document with a new one. The previous document
is pushed onto the policy’s version_history. Per AIP-134, supply the
resource fields to update alongside a FieldMask; * requests full
replacement semantics.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”The workspace the access policy belongs to.
The unique identifier of the access policy to update.
Query Parameters
Section titled “Query Parameters ”AIP-134 FieldMask. Omit for implicit mask of populated fields; * for
full replacement.
Request Body required
Section titled “Request Body required ”QibdoAccessPolicy resource — workspace-scoped access policy document layered
on top of Qibdo IAM. The policy document composes one or more rules that
grant a set of permissions on a resource-name pattern, optionally constrained
by source IP ranges or time windows. The version_history list is a
Qibdo-invented enhancement: every update appends the previous document so the
full revision trail is auditable. Policies are consulted as a second-pass
check after the IAM @PreAuthorize gate.
object
The unique identifier of the access policy (UUID).
The workspace this policy belongs to (UUID, weak reference to taxonomy).
Human-readable name of the policy, unique within the workspace (3–256 chars, lowercase alphanumerics plus / - _).
The JSONB schema version governing the shape of document and
version_history entries. Server-managed.
The active policy document (rules + conditions).
object
The rules that make up this policy. Every rule’s resource_name_pattern MUST be unique within a document.
AccessPolicyRule — grants a set of permissions on a resource-name pattern, optionally bounded by TTL and conditions.
object
Resource-name pattern, e.g. “workspaces//secrets/”. The wildcard semantics follow Google AIP-159.
Permissions granted when the rule matches, e.g. “vault.secret.get”. At least one permission is required per rule.
Optional upper bound on credentials issued via this rule (seconds). Unset means no TTL cap imposed by this rule.
Conjunctive constraints; all listed conditions must evaluate to true for the rule to apply.
AccessPolicyCondition — a constraint evaluated at authorization time. Mirrors IAM’s Condition hierarchy structurally (DOM-003: no shared domain types across bounded contexts).
object
SourceIpCondition — restricts access to callers whose source IP falls inside (or outside) a set of CIDR ranges.
object
IN_RANGE grants the rule when the source IP is in any listed CIDR; NOT_IN_RANGE grants the rule when it is in none.
List of CIDR ranges to match against the caller’s source IP.
TimeWindowCondition — restricts access to callers whose request timestamp falls inside (or outside) a daily time window in the given timezone.
object
WITHIN grants the rule when the current time is inside [from, to]; OUTSIDE grants the rule when it is not.
Start of the window in HH:mm 24-hour notation.
End of the window in HH:mm 24-hour notation.
IANA timezone identifier, e.g. “Europe/Amsterdam”.
Append-only list of previous document revisions. Each update pushes the pre-mutation document onto this list. Server-managed.
AccessPolicyRevision — a snapshot of a previous policy document captured at update time. Qibdo-invented audit trail (upstream clouds do not expose policy revision history).
object
Monotonically increasing revision number; starts at 1 for the first edit.
The document that was replaced.
object
The rules that make up this policy. Every rule’s resource_name_pattern MUST be unique within a document.
AccessPolicyRule — grants a set of permissions on a resource-name pattern, optionally bounded by TTL and conditions.
object
Resource-name pattern, e.g. “workspaces//secrets/”. The wildcard semantics follow Google AIP-159.
Permissions granted when the rule matches, e.g. “vault.secret.get”. At least one permission is required per rule.
Optional upper bound on credentials issued via this rule (seconds). Unset means no TTL cap imposed by this rule.
Conjunctive constraints; all listed conditions must evaluate to true for the rule to apply.
AccessPolicyCondition — a constraint evaluated at authorization time. Mirrors IAM’s Condition hierarchy structurally (DOM-003: no shared domain types across bounded contexts).
object
SourceIpCondition — restricts access to callers whose source IP falls inside (or outside) a set of CIDR ranges.
object
IN_RANGE grants the rule when the source IP is in any listed CIDR; NOT_IN_RANGE grants the rule when it is in none.
List of CIDR ranges to match against the caller’s source IP.
TimeWindowCondition — restricts access to callers whose request timestamp falls inside (or outside) a daily time window in the given timezone.
object
WITHIN grants the rule when the current time is inside [from, to]; OUTSIDE grants the rule when it is not.
Start of the window in HH:mm 24-hour notation.
End of the window in HH:mm 24-hour notation.
IANA timezone identifier, e.g. “Europe/Amsterdam”.
The principal that performed the edit (UUID, weak reference to IAM user).
When the edit happened (server-managed).
Timestamp when the policy was created (server-managed).
Timestamp when the policy was last updated (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
Example generated
{ "name": "example", "document": { "rules": [ { "resource_name_pattern": "example", "permissions": [ "example" ], "ttl_cap_seconds": "example", "conditions": [ { "source_ip": { "operator": "example", "cidrs": [ "example" ] }, "time_window": { "operator": "example", "from": "example", "to": "example", "timezone": "example" } } ] } ] }}Responses
Section titled “ Responses ”OK
Vault Operation
Tracks the result of a vault command (secret, crypto key, lease, certificate authority, certificate, access policy, or vault-level lifecycle action).
object
Operation ID
Unique identifier of the operation.
Workspace ID
The workspace in whose namespace the operation was executed.
Resource ID
ID of the affected resource (nullable for vault-level lifecycle ops such as snapshot).
Resource Type
URN of the affected resource type (e.g., “com.qibdo.cloud.vault:secret”).
Operation Type
The action performed (CREATE, ROTATE, REVOKE, ENCRYPT, …).
Status
The operation status (PENDING, RUNNING, DONE, FAILED).
Insert Time
When the operation was created.
Start Time
When execution started (nullable).
End Time
When execution completed (nullable).
Progress
Progress percentage (0–100).
Warnings
Non-fatal notices emitted during the operation.
Vault Warning
A non-fatal notice emitted by a vault operation. The operation still completed; the warning surfaces unsupported features or capability gaps in the underlying engine.
Warning codes follow the S_SSS_EEE convention:
- Millions digit: service (9 = vault)
- Thousands: group
- Units: specific warning
object
Warning Code
Numeric identifier of the warning type.
Description
Human-readable explanation of what was ignored or degraded.
Example generated
{}default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.
Example generated
{ "code": 1, "message": "example", "details": [ { "@type": "example" } ]}