boundary/internal/proto/controller/api/services/v1/credential_library_service.proto

// Copyright IBM Corp. 2020, 2025
// SPDX-License-Identifier: MPL-2.0

syntax = "proto3";

package controller.api.services.v1;

import "controller/api/resources/credentiallibraries/v1/credential_library.proto";
import "controller/custom_options/v1/options.proto";
import "google/api/annotations.proto";
import "google/protobuf/field_mask.proto";
import "protoc-gen-openapiv2/options/annotations.proto";

option go_package = "github.com/hashicorp/boundary/internal/gen/controller/api/services;services";
option (custom_options.v1.domain) = "credential";

service CredentialLibraryService {
  option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_tag) = {
    name: "Credential library service"
    description:
      "The credential library service acts as a centralized repository for managing credentials used during sessions. "
      "It offers a secure and efficient way to store, rotate, and manage various the various types of credentials that "
      "are required for infrastructure access. The credential library service provides endpoints for interacting with "
      "credential libraries."
    external_docs: {
      url: "https://developer.hashicorp.com/boundary/docs/concepts/domain-model/credential-libraries";
      description: "Read about credential libraries in the Boundary domain model";
    }
  };

  // GetCredentialLibrary returns a stored Credential Library if present.  The provided request
  // must include the Credential Store id. If missing, malformed or referencing a
  // non existing resource an error is returned.
  rpc GetCredentialLibrary(GetCredentialLibraryRequest) returns (GetCredentialLibraryResponse) {
    option (google.api.http) = {
      get: "/v1/credential-libraries/{id}"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Gets a single Credential Library."};
  }

  // ListCredentialLibraries returns a list of stored Credential Libraries which are in the
  // provided scope. The request must include the Credential Store id and if missing,
  // malformed, or referencing a non existing scope, an error is returned.
  rpc ListCredentialLibraries(ListCredentialLibrariesRequest) returns (ListCredentialLibrariesResponse) {
    option (google.api.http) = {get: "/v1/credential-libraries"};
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Lists all Credential Library."};
  }

  // CreateCredentialLibrary creates and stores an Credential Library in boundary.  The
  // provided request must include the scope in which the Credential Library will be
  // created. If the scope id is missing, malformed or referencing a
  // non existing resource an error is returned.  If a name is provided that is
  // in use in another Credential Library in the same scope, an error is returned.
  rpc CreateCredentialLibrary(CreateCredentialLibraryRequest) returns (CreateCredentialLibraryResponse) {
    option (google.api.http) = {
      post: "/v1/credential-libraries"
      body: "item"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Creates a single Credential Library."};
  }

  // UpdateCredentialLibrary updates an existing Credential Library in boundary.  The provided
  // Credential Library must not have any read only fields set.  The update mask must be
  // included in the request and contain at least 1 mutable field.  To unset
  // a field's value, include the field in the update mask and don't set it
  // in the provided user. An error is returned if the Credential Library id is missing
  // or reference a non existing resource.  An error is also returned if the
  // request attempts to update the name to one that is already in use by
  // another Credential Library in the parent scope.
  rpc UpdateCredentialLibrary(UpdateCredentialLibraryRequest) returns (UpdateCredentialLibraryResponse) {
    option (google.api.http) = {
      patch: "/v1/credential-libraries/{id}"
      body: "item"
      response_body: "item"
    };
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Updates a Credential Library."};
  }

  // DeleteCredentialLibrary removes an Credential Library from Boundary. If the Credential Library id
  // is malformed or not provided an error is returned.
  rpc DeleteCredentialLibrary(DeleteCredentialLibraryRequest) returns (DeleteCredentialLibraryResponse) {
    option (google.api.http) = {delete: "/v1/credential-libraries/{id}"};
    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {summary: "Deletes a Credential Library"};
  }
}

message GetCredentialLibraryRequest {
  string id = 1; // @gotags: `class:"public"`
}

message GetCredentialLibraryResponse {
  resources.credentiallibraries.v1.CredentialLibrary item = 1;
}

message ListCredentialLibrariesRequest {
  string credential_store_id = 1 [json_name = "scope_id"]; // @gotags: `class:"public"`
  // You can specify that the filter should only return items that match.
  // Refer to [filter expressions](https://developer.hashicorp.com/boundary/docs/concepts/filtering) for more information.
  string filter = 30 [json_name = "filter"]; // @gotags: `class:"public"`
  // An opaque token that Boundary uses to continue an existing iteration or
  // request updated items. If you do not specify a token, pagination
  // starts from the beginning. To learn more about list pagination
  // in Boundary, refer to [list pagination](https://developer.hashicorp.com/boundary/docs/api-clients/api/pagination).
  string list_token = 40 [json_name = "list_token"]; // @gotags: `class:"public"`
  // The maximum size of a page in this iteration.
  // If you do not set a page size, Boundary uses the configured default page size.
  // If the page_size is greater than the default page size configured,
  // Boundary truncates the page size to this number.
  uint32 page_size = 50 [json_name = "page_size"]; // @gotags: `class:"public"`
}

message ListCredentialLibrariesResponse {
  // The items returned in this page.
  repeated resources.credentiallibraries.v1.CredentialLibrary items = 1;
  // The type of response, either "delta" or "complete".
  // Delta signifies that this is part of a paginated result
  // or an update to a previously completed pagination.
  // Complete signifies that it is the last page.
  string response_type = 2 [json_name = "response_type"]; // @gotags: `class:"public"`
  // An opaque token used to continue an existing pagination or
  // request updated items. Use this token in the next list request
  // to request the next page.
  string list_token = 3 [json_name = "list_token"]; // @gotags: `class:"public"`
  // The name of the field which the items are sorted by.
  string sort_by = 4 [json_name = "sort_by"]; // @gotags: `class:"public"`
  // The direction of the sort, either "asc" or "desc".
  string sort_dir = 5 [json_name = "sort_dir"]; // @gotags: `class:"public"`
  // A list of item IDs that have been removed since they were returned
  // as part of a pagination. They should be dropped from any client cache.
  // This may contain items that are not known to the cache, if they were
  // created and deleted between listings.
  repeated string removed_ids = 6 [json_name = "removed_ids"]; // @gotags: `class:"public"`
  // An estimate at the total items available. This may change during pagination.
  uint32 est_item_count = 7 [json_name = "est_item_count"]; // @gotags: `class:"public"`
}

message CreateCredentialLibraryRequest {
  resources.credentiallibraries.v1.CredentialLibrary item = 1;
}

message CreateCredentialLibraryResponse {
  string uri = 1; // @gotags: `class:"public"`
  resources.credentiallibraries.v1.CredentialLibrary item = 2;
}

message UpdateCredentialLibraryRequest {
  string id = 1; // @gotags: `class:"public"`
  resources.credentiallibraries.v1.CredentialLibrary item = 2;
  google.protobuf.FieldMask update_mask = 3 [json_name = "update_mask"];
}

message UpdateCredentialLibraryResponse {
  resources.credentiallibraries.v1.CredentialLibrary item = 1;
}

message DeleteCredentialLibraryRequest {
  string id = 1; // @gotags: `class:"public"`
}

message DeleteCredentialLibraryResponse {}