service Certificate {
rpc SignCSR (CertificateSigningRequest) returns (SignedCertificate);
rpc GetCertificate (CertificateSerialNumber) returns (CertificateParameter);
rpc ListCertificates (ListCertificatesRequest) returns (CertificatesParameter);
rpc RevokeCertificate (RevokeCertificateRequest) returns (RevokeCertificateResponse);
rpc OperationsSignCSR (OperationsSignRequest) returns (SignedCertificate);
rpc QueryCertificateMetadata (QueryCertificateMetadataRequest) returns (CertificatesParameter);
}service Service {
rpc CreateServiceAccount (CreateServiceAccountRequest) returns (CreateServiceAccountResponse);
rpc CreateProvisionerAccount(CreateProvisionerAccountRequest) returns (CreateProvisionerAccountResponse);
rpc GetProvisionerAccount (AccountId) returns (ProvisionerAccount);
rpc GetServiceAccount (AccountId) returns (ServiceAccount);
rpc GetServiceAccountMetadata (GetServiceAccountMetadataRequest) returns (ServiceAccounts);
rpc DeleteServiceAccount (AccountId) returns (google.protobuf.Empty);
rpc DeleteProvisionedServiceAccount (AccountId) returns (google.protobuf.Empty);
rpc ProvisionServiceAccount (ProvisionServiceAccountRequest) returns (ProvisionServiceAccountResponse);
rpc ListServiceAccounts (QueryParameter) returns (ServiceAccounts);
rpc ListProvisionerAccounts (QueryParameter) returns (ProvisionerAccounts);
}service Account {
rpc LoginUser (LoginUserRequest) returns (LoginUserResponse);
rpc DeleteUser (UsernameRequest) returns (google.protobuf.Empty);
rpc GetUser (UsernameRequest) returns (User);
rpc ListUsers (QueryParameter) returns (Users);
rpc CreateUser (CreateUserRequest) returns (User);
rpc UpdateUserCredentials (UpdateCredentialsRequest) returns (User);
rpc UpdateUserPermissions (UpdatePermissionsRequest) returns (User);
}rpc SignCSR (CertificateSigningRequest) returns (SignedCertificate);Description Sign Certificate Signing Request (CSR)
Authentication Service Account Authentication
Client Example sign_csr.go
Request
message CertificateSigningRequest {
string certificate_signing_request = 1;
}Response
message SignedCertificate {
string certificate = 1;
string intermediate_certificate_chain = 2;
string root_certificate_chain = 3;
CertificateParameter metadata = 4;
}
message CertificateParameter {
string serial_number = 1;
string common_name = 2;
repeated string subject_alternative_name = 3;
google.protobuf.Timestamp expiration_date = 4;
google.protobuf.Timestamp issued_date = 5;
bool revoked = 6;
string revoked_by = 7;
google.protobuf.Timestamp revoke_date = 8;
string ca_serial_number = 9;
string certificate_authority_arn = 10;
}{
"certificate": "-----BEGIN CERTIFICATE-----",
"intermediate_certificate_chain": "-----BEGIN CERTIFICATE-----",
"root_certificate_chain": "-----BEGIN CERTIFICATE-----",
"metadata": {
"serial_number": "4c15b9ec07c2779f5319ab68ea16b7fc5f452f36",
"common_name": "sandbox.example.com",
"subject_alternative_name": ["test.example.com"],
"expiration_date": {
"seconds": 1685128356,
"nanos": 876043203
},
"issued_date": {
"seconds": 1682536356,
"nanos": 876043115
},
"revoke_date": {
"seconds": -62135596800
},
"ca_serial_number": "50919db8e90a157cb5d44f8b1eb87879",
"certificate_authority_arn": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-22222-3333-4444-555555555555"
}
}rpc QueryCertificateMetadata (QueryCertificateMetadataRequest) returns (CertificatesParameter);Description
Query for Non-Ephemeral Certificate Issued from Provisioner, Certificates Issued from baseca.v1.Certificate/SignCSR are Excluded
Authentication Provisioner Account Authentication
Request
message QueryMetadataRequest {
string serial_number = 1;
string account = 2;
string environment = 3;
string extended_key = 4;
repeated string subject_alternative_name = 5;
}Response
message CertificatesParameter {
repeated CertificateParameter certificates = 1;
}
message CertificateAuthorityParameter {
string region = 1;
string ca_arn = 2;
string sign_algorithm = 3;
bool assume_role = 4;
string role_arn = 5;
int32 validity = 6;
}rpc GetCertificate (CertificateSerialNumber) returns (CertificateParameter);Description Query Issued Certificate Metadata from Database
Authentication User Authentication
Request
message CertificateSerialNumber {
string serial_number = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"serial_number": "4c15b9ec07c2779f5319ab68ea16b7fc5f452f36"
}' \
localhost:9090 baseca.v1.Certificate/GetCertificateResponse
message CertificateParameter {
string serial_number = 1;
string common_name = 2;
repeated string subject_alternative_name = 3;
google.protobuf.Timestamp expiration_date = 4;
google.protobuf.Timestamp issued_date = 5;
bool revoked = 6;
string revoked_by = 7;
google.protobuf.Timestamp revoke_date = 8;
string ca_serial_number = 9;
string certificate_authority_arn = 10;
}{
"metadata": {
"serial_number": "4c15b9ec07c2779f5319ab68ea16b7fc5f452f36",
"common_name": "sandbox.example.com",
"subject_alternative_name": ["test.example.com"],
"expiration_date": "2023-09-25T03:30:11Z",
"issued_date": "2023-08-25T03:30:11Z",
"revoke_date": "0001-01-01T00:00:00Z",
"ca_serial_number": "50919db8e90a157cb5d44f8b1eb87879",
"certificate_authority_arn": "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/11111111-22222-3333-4444-555555555555"
}
}rpc ListCertificates (ListCertificatesRequest) returns (CertificatesParameter);Description List Issued Certificates via Common Name (CN)
Authentication User Authentication
Request
message ListCertificatesRequest {
string common_name = 1;
int32 page_id = 3;
int32 page_size = 4;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"common_name": "sandbox.example.com",
"page_id": 1,
"page_size": 20
}' \
localhost:9090 baseca.v1.Certificate/ListCertificatesResponse
message CertificatesParameter {
repeated CertificateParameter certificates = 1;
}
message CertificateAuthorityParameter {
string region = 1;
string ca_arn = 2;
string sign_algorithm = 3;
bool assume_role = 4;
string role_arn = 5;
int32 validity = 6;
}rpc RevokeCertificate (RevokeCertificateRequest) returns (RevokeCertificateResponse);Description Revoke Subordinate CA Certificate from ACM Private CA
Authentication User Authentication
Request
message RevokeCertificateRequest {
string serial_number = 1;
string revocation_reason = 2;
}AFFILIATION_CHANGED
CESSATION_OF_OPERATION
A_A_COMPROMISE
PRIVILEGE_WITHDRAWN
SUPERSEDED
UNSPECIFIED
KEY_COMPROMISE
CERTIFICATE_AUTHORITY_COMPROMISE
grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"serial_number": "50919db8e90a157cb5d44f8b1eb87879",
"revocation_reason": "PRIVILEGE_WITHDRAWN"
}' \
localhost:9090 baseca.v1.Certificate/RevokeCertificateResponse
message RevokeCertificateResponse {
string serial_number = 1;
google.protobuf.Timestamp revocation_date = 2;
string status = 3;
}{
"serialNumber": "50919db8e90a157cb5d44f8b1eb87879",
"revocationDate": "2023-04-26T21:49:59.846588Z",
"status": "PRIVILEGE_WITHDRAWN"
}rpc OperationsSignCSR (OperationsSignRequest) returns (SignedCertificate);Description Manual Sign Certificate Signing Request (CSR)
Authentication Provisioner Account Authentication
Client Example operations_sign_csr.go
Request
message OperationsSignRequest {
string certificate_signing_request = 1;
optional CertificateAuthorityParameter certificate_authority = 2;
string service_account = 3;
string environment = 4;
string extended_key = 5;
}Response
message SignedCertificate {
string certificate = 1;
string intermediate_certificate_chain = 2;
string root_certificate_chain = 3;
CertificateParameter metadata = 4;
}
message CertificateParameter {
string serial_number = 1;
string common_name = 2;
repeated string subject_alternative_name = 3;
google.protobuf.Timestamp expiration_date = 4;
google.protobuf.Timestamp issued_date = 5;
bool revoked = 6;
string revoked_by = 7;
google.protobuf.Timestamp revoke_date = 8;
string certificate_authority_arn = 9;
string account = 10;
string environment = 11;
string extended_key = 12;rpc CreateServiceAccount (CreateServiceAccountRequest) returns (CreateServiceAccountResponse);Description Create Service Account Record
Authentication User Authentication
Request
message CreateServiceAccountRequest {
string service_account = 1;
string environment = 2;
optional string regular_expression = 3;
repeated string subject_alternative_names = 4;
repeated string certificate_authorities = 5;
string extended_key = 6;
int32 certificate_validity = 7;
string subordinate_ca = 8;
optional NodeAttestation node_attestation = 9;
string team = 10;
string email = 11;
}
message NodeAttestation {
AWSInstanceIdentityDocument aws_iid = 1;
}
message AWSInstanceIdentityDocument {
string role_arn = 1;
string assume_role = 2;
repeated string security_groups = 3;
string region = 4;
string instance_id = 5;
string image_id = 6;
map<string, string> instance_tags = 7;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"service_account": "example",
"environment": "development",
"subject_alternative_names": [
"development.coinbase.com"
],
"extended_key": "EndEntityServerAuthCertificate",
"node_attestation": {
"aws_iid": {
"role_arn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assume_role": "arn:aws:iam::123456789012:role/assumed-role",
"security_groups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"certificate_authorities": [
"development_use1"
],
"certificate_validity": 30,
"subordinate_ca": "infrastructure",
"team": "Infrastructure Security",
"email": "[email protected]"
}' \
localhost:9090 baseca.v1.Service/CreateServiceAccountResponse
message CreateServiceAccountResponse {
string client_id = 1;
string client_token = 2;
string service_account = 3;
string environment = 4;
string regular_expression = 5;
repeated string subject_alternative_names = 6;
repeated string certificate_authorities = 7;
string extended_key = 8;
NodeAttestation node_attestation = 9;
int32 certificate_validity = 10;
string subordinate_ca = 11;
string team = 12;
string email = 13;
google.protobuf.Timestamp created_at = 14;
string created_by = 15;
}{
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"clientToken": "[CLIENT_TOKEN]",
"serviceAccount": "example",
"environment": "development",
"subjectAlternativeNames": ["development.coinbase.com"],
"certificateAuthorities": ["development_use1"],
"extendedKey": "EndEntityServerAuthCertificate",
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"certificateValidity": 30,
"subordinateCa": "infrastructure",
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}rpc ListServiceAccounts (QueryParameter) returns (ServiceAccounts);Description Query Service Accounts from Database
Authentication User Authentication
Request
message QueryParameter {
int32 page_id = 2;
int32 page_size = 3;
} grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"page_id": 1,
"page_size": 20
}' \
localhost:9090 baseca.v1.Service/ListServiceAccountsResponse
message ServiceAccounts {
repeated ServiceAccount service_accounts = 1;
}
message ServiceAccount {
string client_id = 1;
string service_account = 2;
string environment = 3;
string regular_expression = 4;
repeated string subject_alternative_names = 5;
repeated string certificate_authorities = 6;
string extended_key = 7;
NodeAttestation node_attestation = 8;
int32 certificate_validity = 9;
string subordinate_ca = 10;
bool provisioned = 11;
string team = 12;
string email = 13;
google.protobuf.Timestamp created_at = 14;
string created_by = 15;
}{
"serviceAccounts": [
{
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"serviceAccount": "example",
"environment": "development",
"subjectAlternativeNames": ["development.coinbase.com"],
"certificateAuthorities": ["development_use1"],
"extendedKey": "EndEntityServerAuthCertificate",
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"certificateValidity": 30,
"subordinate_ca": "infrastructure",
"provisioned": false,
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}
]
}rpc ListProvisionerAccounts (QueryParameter) returns (ProvisionerAccounts);Description List Provisioner Service Accounts
Request
message QueryParameter {
int32 page_id = 2;
int32 page_size = 3;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"page_id": 1,
"page_size": 25
}' \
localhost:9090 baseca.v1.Service/ListProvisionerAccountsResponse
message ProvisionerAccounts {
repeated ProvisionerAccount provisioner_accounts = 1;
}
message ProvisionerAccount {
string client_id = 1;
string provisioner_account = 2;
repeated string environments = 3;
string regular_expression = 4;
repeated string subject_alternative_names = 5;
repeated string extended_keys = 7;
NodeAttestation node_attestation = 8;
uint32 max_certificate_validity = 9;
string team = 10;
string email = 11;
google.protobuf.Timestamp created_at = 12;
string created_by = 13;
}
message NodeAttestation {
AWSInstanceIdentityDocument aws_iid = 1;
}
message AWSInstanceIdentityDocument {
string role_arn = 1;
string assume_role = 2;
repeated string security_groups = 3;
string region = 4;
string instance_id = 5;
string image_id = 6;
map<string, string> instance_tags = 7;
}{
"provisionerAccounts": [
{
"clientId": "650b0ead-1c6b-49b3-810e-48d20a2890ac",
"provisionerAccount": "example",
"environments": ["development", "sandbox"],
"regularExpression": "[A-Za-z0-9.-]",
"subjectAlternativeNames": ["test.coinbase.com"],
"extendedKeys": ["EndEntityServerAuthCertificate"],
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:role/role",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"maxCertificateValidity": 30,
"team": "Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}
]
}rpc GetServiceAccountMetadata (GetServiceAccountMetadataRequest) returns (ServiceAccounts);Description Query Service Account from Database via Metadata
Authentication User Authentication
Request
message GetServiceAccountMetadataRequest{
string service_account = 1;
string environment = 2;
string extended_key = 3;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"service_account": "example",
"environment": "development",
"extended_key": "EndEntityServerAuthCertificate"
}' \
localhost:9090 baseca.v1.Service/GetServiceAccountMetadataResponse
message ServiceAccounts {
repeated ServiceAccount service_accounts = 1;
}
message ServiceAccount {
string client_id = 1;
string service_account = 2;
string environment = 3;
string regular_expression = 4;
repeated string subject_alternative_names = 5;
repeated string certificate_authorities = 6;
string extended_key = 7;
NodeAttestation node_attestation = 8;
int32 certificate_validity = 9;
string subordinate_ca = 10;
bool provisioned = 11;
string team = 12;
string email = 13;
google.protobuf.Timestamp created_at = 14;
string created_by = 15;
}{
"serviceAccounts": [
{
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"serviceAccount": "example",
"environment": "development",
"subjectAlternativeNames": ["development.coinbase.com"],
"certificateAuthorities": ["development_use1"],
"extendedKey": "EndEntityServerAuthCertificate",
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"certificateValidity": 30,
"subordinateCa": "infrastructure",
"provisioned": false,
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}
]
}rpc GetServiceAccount (AccountId) returns (ServiceAccount);Description Query Service Account from Database By UUID
Authentication User Authentication
Request
message AccountId {
string uuid = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc"
}' \
localhost:9090 baseca.v1.Service/GetServiceAccountResponse
message ServiceAccount {
string client_id = 1;
string service_account = 2;
string environment = 3;
string regular_expression = 4;
repeated string subject_alternative_names = 5;
repeated string certificate_authorities = 6;
string extended_key = 7;
NodeAttestation node_attestation = 8;
int32 certificate_validity = 9;
string subordinate_ca = 10;
bool provisioned = 11;
string team = 12;
string email = 13;
google.protobuf.Timestamp created_at = 14;
string created_by = 15;
}{
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"serviceAccount": "example",
"environment": "development",
"subjectAlternativeNames": ["development.coinbase.com"],
"certificateAuthorities": ["development_use1"],
"extendedKey": "EndEntityServerAuthCertificate",
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"certificateValidity": 30,
"subordinateCa": "infrastructure",
"provisioned": false,
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}rpc DeleteServiceAccount (AccountId) returns (google.protobuf.Empty);Description Delete Service Account from Database
Authentication User Authentication
Request
message AccountId {
string uuid = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc"
}' \
localhost:9090 baseca.v1.Service/DeleteServiceAccountResponse
google.protobuf.Emptyrpc DeleteProvisionedServiceAccount (AccountId) returns (google.protobuf.Empty);Description Delete Service Account Generated from Provisioner
Authentication Provisioner Account Authentication
Request
message AccountId {
string uuid = 1;
}Response
google.protobuf.Emptyrpc CreateProvisionerAccount (CreateProvisionerAccountRequest) returns (CreateProvisionerAccountResponse);Description Create Provisioner Account Record
Authentication User Authentication
Request
message CreateProvisionerAccountRequest {
string provisioner_account = 1;
repeated string environments = 2;
optional string regular_expression = 3;
repeated string subject_alternative_names = 4;
repeated string extended_keys = 5;
uint32 max_certificate_validity = 6;
optional NodeAttestation node_attestation = 7;
string team = 8;
string email = 9;
}
message NodeAttestation {
AWSInstanceIdentityDocument aws_iid = 1;
}
message AWSInstanceIdentityDocument {
string role_arn = 1;
string assume_role = 2;
repeated string security_groups = 3;
string region = 4;
string instance_id = 5;
string image_id = 6;
map<string, string> instance_tags = 7;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"provisioner_account": "example",
"environments": ["development"],
"subject_alternative_names": [
"development.coinbase.com"
],
"extended_keys": ["EndEntityServerAuthCertificate"],
"node_attestation": {
"aws_iid": {
"role_arn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assume_role": "arn:aws:iam::123456789012:role/assumed-role",
"security_groups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"max_certificate_validity": 30,
"team": "Infrastructure Security",
"email": "[email protected]"
}' \
localhost:9090 baseca.v1.Service/CreateProvisionerAccountResponse
message CreateProvisionerAccountResponse {
string client_id = 1;
string client_token = 2;
string provisioner_account = 3;
repeated string environments = 4;
string regular_expression = 5;
repeated string subject_alternative_names = 6;
repeated string extended_keys = 8;
NodeAttestation node_attestation = 9;
uint32 max_certificate_validity = 10;
string team = 11;
string email = 12;
google.protobuf.Timestamp created_at = 13;
string created_by = 14;
}{
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"clientToken": "[CLIENT_TOKEN]",
"provisionerAccount": "example",
"environments": ["development"],
"subjectAlternativeNames": ["development.coinbase.com"],
"extendedKeys": ["EndEntityServerAuthCertificate"],
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"maxCertificateValidity": 30,
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}rpc GetProvisionerAccount (AccountId) returns (ProvisionerAccount);Description Query Provisioner Account
Authentication User Authentication
Request
message AccountId {
string uuid = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"uuid": "ce337d41-f8b5-4630-b469-5ef896cf4fc1"
}' \
localhost:9090 baseca.v1.Service/GetProvisionerAccountResponse
message ProvisionerAccount {
string client_id = 1;
string provisioner_account = 2;
repeated string environments = 3;
string regular_expression = 4;
repeated string subject_alternative_names = 5;
repeated string extended_keys = 7;
NodeAttestation node_attestation = 8;
uint32 max_certificate_validity = 9;
string team = 10;
string email = 11;
google.protobuf.Timestamp created_at = 12;
string created_by = 13;
}{
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"provisionerAccount": "example",
"environments": ["development"],
"subjectAlternativeNames": ["development.coinbase.com"],
"extendedKeys": ["EndEntityServerAuthCertificate"],
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"maxCertificateValidity": 30,
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}rpc ProvisionServiceAccount (ProvisionServiceAccountRequest) returns (ProvisionServiceAccountResponse);Description Create Service Account Record
Authentication Provisioner Account Authentication
Request
message ProvisionServiceAccountRequest {
CreateServiceAccountRequest account = 1;
}
message CreateServiceAccountRequest {
string service_account = 1;
string environment = 2;
optional string regular_expression = 3;
repeated string subject_alternative_names = 4;
repeated string certificate_authorities = 5;
string extended_key = 6;
int32 certificate_validity = 7;
string subordinate_ca = 8;
optional NodeAttestation node_attestation = 9;
string team = 10;
string email = 11;
optional string region = 12;
}
message NodeAttestation {
AWSInstanceIdentityDocument aws_iid = 1;
}
message AWSInstanceIdentityDocument {
string role_arn = 1;
string assume_role = 2;
repeated string security_groups = 3;
string region = 4;
string instance_id = 5;
string image_id = 6;
map<string, string> instance_tags = 7;
}Response
message ProvisionServiceAccountResponse {
CreateServiceAccountResponse account = 1;
}
message CreateServiceAccountResponse {
string client_id = 1;
string client_token = 2;
string service_account = 3;
string environment = 4;
string regular_expression = 5;
repeated string subject_alternative_names = 6;
repeated string certificate_authorities = 7;
string extended_key = 8;
NodeAttestation node_attestation = 9;
int32 certificate_validity = 10;
string subordinate_ca = 11;
string team = 12;
string email = 13;
google.protobuf.Timestamp created_at = 14;
string created_by = 15;
}{
"account": {
"clientId": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"clientToken": "[CLIENT_TOKEN]",
"serviceAccount": "example",
"environment": "development",
"subjectAlternativeNames": ["development.coinbase.com"],
"certificateAuthorities": ["sandbox_use1"],
"extendedKey": "EndEntityServerAuthCertificate",
"nodeAttestation": {
"awsIid": {
"roleArn": "arn:aws:iam::123456789012:instance-profile/instance-profile-name",
"assumeRole": "arn:aws:iam::123456789012:role/assumed-role",
"securityGroups": ["sg-0123456789abcdef0"],
"region": "us-east-1"
}
},
"certificateValidity": 30,
"subordinateCa": "infrastructure",
"team": "Infrastructure Security",
"email": "[email protected]",
"createdAt": "2023-04-26T22:24:42.873116Z",
"createdBy": "830b9b81-37c0-4180-9dba-9f21b1f6ae21"
}
}rpc DeleteProvisionerAccount (AccountId) returns (google.protobuf.Empty);Description Delete Provisioner Account from Database
Authentication User Authentication
Request
message AccountId {
string uuid = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"uuid": "ce337d41-f8b5-4630-b469-5ef896cf4fc1"
}' \
localhost:9090 baseca.v1.Service/DeleteProvisionerAccountResponse
google.protobuf.Emptyrpc LoginUser (LoginUserRequest) returns (LoginUserResponse);Description Returns JSON Web Token (JWT) for User Authentication Endpoints
Authentication None
Request
message LoginUserRequest {
string username = 1;
string password = 2;
}grpcurl -vv -plaintext \
-d '{
"username": "[USERNAME]",
"password": "[PASSWORD]"
}' \
localhost:9090 baseca.v1.Account/LoginUserResponse
message LoginUserResponse {
string access_token = 1;
User user = 2;
}
message User {
string uuid = 1;
string username = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
google.protobuf.Timestamp credential_changed_at = 6;
google.protobuf.Timestamp created_at = 7;
}{
"accessToken": "[JSON_WEB_TOKEN_OUTPUT]",
"user": {
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"username": "security_operations",
"fullName": "Example User",
"email": "[email protected]",
"permissions": "ADMIN",
"credentialChangedAt": "0001-01-01T00:00:00Z",
"createdAt": "2023-02-28T07:21:04.221349Z"
}
}rpc DeleteUser (UsernameRequest) returns (google.protobuf.Empty);Description Delete User from Database
Authentication User Authentication
Request
message UsernameRequest {
string username = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"username": "[email protected]"
}' \
localhost:9090 baseca.v1.Account/DeleteUserResponse
google.protobuf.Emptyrpc GetUser (UsernameRequest) returns (User);Description Query User from Database
Authentication User Authentication
Request
message UsernameRequest {
string username = 1;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"username": "[email protected]"
}' \
localhost:9090 baseca.v1.Account/GetUserResponse
message User {
string uuid = 1;
string username = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
google.protobuf.Timestamp credential_changed_at = 6;
google.protobuf.Timestamp created_at = 7;
}{
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"username": "[email protected]",
"fullName": "Example User",
"email": "[email protected]",
"permissions": "ADMIN",
"credentialChangedAt": "0001-01-01T00:00:00Z",
"createdAt": "2023-04-06T05:31:03.960297Z"
}rpc ListUsers (QueryParameter) returns (Users);Description Query Users from Database
Authentication User Authentication
Request
message QueryParameter {
int32 page_id = 2;
int32 page_size = 3;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"page_id": 1,
"page_size": 20
}' \
localhost:9090 baseca.v1.Account/ListUsersResponse
message Users {
repeated User users = 1;
}
message User {
string uuid = 1;
string username = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
google.protobuf.Timestamp credential_changed_at = 6;
google.protobuf.Timestamp created_at = 7;
}{
"users": [
{
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"username": "[email protected]",
"fullName": "Example User",
"email": "[email protected]",
"permissions": "ADMIN",
"credentialChangedAt": "0001-01-01T00:00:00Z",
"createdAt": "2023-02-28T07:21:04.221349Z"
},
{
"uuid": "bb8e9e1d-2a11-43ae-86f1-9a19b6c8f47e",
"username": "[email protected]",
"fullName": "Sample User",
"email": "[email protected]",
"permissions": "READ",
"credentialChangedAt": "0001-01-01T00:00:00Z",
"createdAt": "2023-03-28T05:58:07.822324Z"
}
]
}rpc CreateUser (CreateUserRequest) returns (User);Description Create User to Manually Interface with baseca Control Plane
Authentication User Authentication
Request
message CreateUserRequest {
string username = 1;
string password = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"username": "[email protected]",
"password": "[PASSWORD]",
"full_name": "Example User",
"email": "[email protected]",
"permissions": "READ"
}' \
localhost:9090 baseca.v1.Account/CreateUserResponse
message User {
string uuid = 1;
string username = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
google.protobuf.Timestamp credential_changed_at = 6;
google.protobuf.Timestamp created_at = 7;
}{
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"username": "[email protected]",
"fullName": "Example User",
"email": "[email protected]",
"permissions": "READ",
"credentialChangedAt": "0001-01-01T00:00:00Z",
"createdAt": "2023-04-27T00:38:22.776949Z"
}rpc UpdateUserCredentials (UpdateCredentialsRequest) returns (User);Description Update User Password
Authentication None
Request
message UpdateCredentialsRequest {
string username = 1;
string password = 2;
string updated_password = 3;
}grpcurl -vv -plaintext \
-d '{
"username": "[email protected]",
"password": "[PASSWORD]",
"updated_password": "[UPDATED_PASSWORD]"
}' \
localhost:9090 baseca.v1.Account/UpdateUserCredentialsResponse
message User {
string uuid = 1;
string username = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
google.protobuf.Timestamp credential_changed_at = 6;
google.protobuf.Timestamp created_at = 7;
}rpc UpdateUserPermissions (UpdatePermissionsRequest) returns (User);Description Update Permissions Parameter for User
Authentication User Authentication
Request
message UpdatePermissionsRequest {
string username = 1;
string permissions = 2;
}grpcurl -vv -plaintext -H "Authorization: Bearer ${AUTH_TOKEN}" \
-d '{
"username": "[email protected]",
"permissions": "ADMIN"
}' \
localhost:9090 baseca.v1.Account/UpdateUserPermissionsResponse
message User {
string uuid = 1;
string username = 2;
string full_name = 3;
string email = 4;
string permissions = 5;
google.protobuf.Timestamp credential_changed_at = 6;
google.protobuf.Timestamp created_at = 7;
}{
"uuid": "585c2f84-9a0e-4775-827a-a0a99c7dddcc",
"username": "[email protected]",
"fullName": "Example User",
"email": "[email protected]",
"permissions": "ADMIN",
"credentialChangedAt": "2023-06-04T01:17:48.919754Z",
"createdAt": "2023-06-04T00:53:45.946512Z"
}