Register Database Role
const url = 'https://example.com/vault/v1/workspaces/example/engines/qibdo/databaseroles:register';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"workspace":"example","database_role":{},"location_id":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/vault/v1/workspaces/example/engines/qibdo/databaseroles:register \ --header 'Content-Type: application/json' \ --data '{ "workspace": "example", "database_role": {}, "location_id": "example" }'Creates a new database role. The creation + revocation statements are
first checked against the forbidden-keyword allowlist (DROP TABLE,
GRANT ALL, ALTER SYSTEM, etc.), then dry-run executed against the
target database in a transaction that always rolls back. On success
the role is persisted and projected to the vault backend.
Parameters
Section titled “ Parameters ”Path Parameters
Section titled “Path Parameters ”The workspace the role belongs to.
Request Body required
Section titled “Request Body required ”Request payload for Register Qibdo Database Role
Carries the input fields required to register qibdo database role.
object
The workspace the role belongs to.
The role to register.
object
The unique identifier of the database role (UUID).
The workspace this role belongs to (UUID, weak reference to taxonomy.workspaces).
Workspace-unique human-readable role name. Mirrored as the role name on the vault side.
Target database engine.
Reference to the target database connection (engine-specific opaque string — e.g., the vault’s database connection name or a JDBC URL key in the JdbcConnectionRegistry).
SQL statements executed at credential issuance. Engine-specific
placeholders ({{name}}, {{password}}, {{expiration}}) are honoured.
Capped to bound storage in vault.database_roles and prevent abuse:
at most 64 statements, each at most 8 KiB.
SQL statements executed at credential revocation ({{name}} placeholder).
Same caps as creation_statements.
Default time-to-live applied to credentials issued under this role.
Maximum total lifetime any credential under this role can hold.
Timestamp when the row was created (server-managed).
Timestamp when the row was last modified (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
Optional weak reference to a topology Location where the role resides. Defaults to the global location when omitted; immutable after creation. Only the global location is available in this release.
Responses
Section titled “ Responses ”OK
Response payload from Register Qibdo Database Role
Carries the output produced by register qibdo database role.
object
The persisted role metadata.
object
The unique identifier of the database role (UUID).
The workspace this role belongs to (UUID, weak reference to taxonomy.workspaces).
Workspace-unique human-readable role name. Mirrored as the role name on the vault side.
Target database engine.
Reference to the target database connection (engine-specific opaque string — e.g., the vault’s database connection name or a JDBC URL key in the JdbcConnectionRegistry).
SQL statements executed at credential issuance. Engine-specific
placeholders ({{name}}, {{password}}, {{expiration}}) are honoured.
Capped to bound storage in vault.database_roles and prevent abuse:
at most 64 statements, each at most 8 KiB.
SQL statements executed at credential revocation ({{name}} placeholder).
Same caps as creation_statements.
Default time-to-live applied to credentials issued under this role.
Maximum total lifetime any credential under this role can hold.
Timestamp when the row was created (server-managed).
Timestamp when the row was last modified (server-managed).
Weak reference to a topology Location — where this resource resides. Defaults to the global location when omitted at creation and is immutable thereafter. Only the global location is available in this release.
Example
{ "database_role": { "db_engine": "DB_ENGINE_UNSPECIFIED" }}default
Section titled “default ”Default error response
The Status type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by gRPC. Each Status message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the API Design Guide.
object
The status code, which should be an enum value of [google.rpc.Code][google.rpc.Code].
A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the [google.rpc.Status.details][google.rpc.Status.details] field, or localized by the client.
A list of messages that carry the error details. There is a common set of message types for APIs to use.
Contains an arbitrary serialized message along with a @type that describes the type of the serialized message.
object
The type of the serialized message.
Example generated
{ "code": 1, "message": "example", "details": [ { "@type": "example" } ]}