POST /projects
Request Body
{
"name": "project1",
"repository": "git@<GIT_HOST>:myorg/myrepo.git"
}
Response Body
{
"token": "abcd-1234",
"token_id": "dcba-4321"
}
GET /projects/<project_name>
Response Body
{
"name": "myproject",
"repository": "git@<GIT_HOST>:myorg/myrepo.git"
}
DELETE /projects/<project_name>
Projects can only be deleted if they have no targets
Response Body
POST /projects/<project_name>/tokens
Request Body
Response Body
{
"created_at": "2022-06-27T21:59:58-07:00",
"expires_at": "2023-06-27T21:59:58-07:00",
"token": "vault:98765432-abcd-1234-5678-abcdef123456:abcdef12-3456-7890-abcd-ef1234567890",
"token_id": "abcdef12-3456-7890-abcd-ef1234567890"
}
POST /projects/<project_name>/targets
Request Body
{
"name": "target1",
"type": "aws_account",
"properties": {
"credential_type": "assumed_role",
"policy_arns": [
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonSNSFullAccess",
"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
],
"policy_document": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": \"s3:ListBuckets\", \"Resource\": \"*\" } ] }",
"role_arn": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
}
}
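Note: Vault assumes `role_arn` to act as the target. Vault's IAM credentials must belong to a principal that is authorized to assume this role. The `policy_arns` and `policy_document` are applied at role assumption time to scope down permissions, so the resulting credentials carry at most the permissions the role itself grants; they cannot add permissions the role lacks. Today the only supported `type` is `aws_account` and the only supported `credential_type` is `assumed_role`.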
Response Body
{}
GET /projects/<project_name>/targets
Response Body
["target1", "target2"]
GET /projects/<project_name>/targets/<target_name>
Response Body
{
"name": "target1",
"type": "aws_account",
"properties": {
"credential_type": "assumed_role",
"policy_arns": [
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonSNSFullAccess",
"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
],
"policy_document": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": \"s3:ListBuckets\", \"Resource\": \"*\" } ] }",
"role_arn": "arn:aws:iam::123456789012:role/CelloSampleRole"
}
}
PATCH /projects/<project_name>/targets/<target_name>
Request Body
{
"properties": {
"policy_arns": [
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonSNSFullAccess",
"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
],
"policy_document": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": \"s3:ListBuckets\", \"Resource\": \"*\" } ] }",
"role_arn": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
}
}
Note: Target properties included in the PATCH request are updated to the new values provided. Properties that are not included in the request keep their current values. `credential_type` cannot be updated.
Response Body
{
"name": "target1",
"type": "aws_account",
"properties": {
"credential_type": "assumed_role",
"policy_arns": [
"arn:aws:iam::aws:policy/AmazonS3FullAccess",
"arn:aws:iam::aws:policy/AmazonSNSFullAccess",
"arn:aws:iam::aws:policy/AmazonSQSFullAccess",
"arn:aws:iam::aws:policy/AWSCloudFormationFullAccess"
],
"policy_document": "{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": \"s3:ListBuckets\", \"Resource\": \"*\" } ] }",
"role_arn": "arn:aws:iam::123456789012:role/CelloSampleRole"
}
}
DELETE /projects/<project_name>/targets/<target_name>
Response Body
DELETE /projects/<project_name>/tokens/<token_id>
Response Body
GET /projects/<project_name>/tokens
Response Body
[
{
"created_at": "2022-06-21T14:56:10.341066-07:00",
"expires_at": "2023-06-21T14:56:10.341066-07:00",
"token_id": "ghi789"
},
{
"created_at": "2022-06-21T14:43:16.172896-07:00",
"expires_at": "2023-06-21T14:43:16.172896-07:00",
"token_id": "def456"
}
]
POST /workflows
Request Body
{
"arguments": {
"execute": [
"-auto-approve",
"-no-color"
],
"init": [
"-no-color"
]
},
"environment_variables": {
"AWS_REGION": "us-west-2",
"CODE_URI": "s3://cello-cet-dev/terraform-example.zip",
"VAULT_ADDR": "http://docker.for.mac.localhost:8200"
},
"framework": "terraform",
"parameters": {
"execute_container_image_uri": "a80addc4/cello-terraform:0.14.5"
},
"project_name": "project1",
"target_name": "target1",
"type": "sync",
"workflow_template_name": "cello-single-step-vault-aws"
}
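Note: Arguments are concatenated with spaces before being appended to the command. Because these values become part of the command line that is executed, limit them to the flags the framework expects; this page does not describe what validation the service applies to them.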
Response Body
{
"workflow_name": "abcd"
}
POST /projects/<project_name>/targets/<target_name>/operations
Request Body
{
"sha": "1234abdc5678efgh9012ijkl3456mnop7890qrst",
"path": "path/to/manifest.yaml"
}
Response Body
{
"workflow_name": "abcd"
}
GET /workflows/<workflow_name>
Response Body
{
"name":"workflow1",
"status":"failed",
"created":"1618515183",
"finished":"1618515193"
}
GET /workflows/<workflow_name>/logs
Response Body
{
"logs": [
"Log line 1",
"Log line 2"
]
}
GET /workflows/<workflow_name>/logstream
Response Body
Log line 1
Log line 2
GET /projects/<project_name>/targets/<target_name>/workflows
Response Body
[
{"name":"workflow1","status":"failed","created":"1618515183","finished":"1618515193"},
{"name":"workflow2","status":"failed","created":"1618512676","finished":"1618512686"}
]