HashiCorp Cloud Platform
Retrieve HCP API token
Endpoint: /oauth/token
Before you can interact with the HCP Vault Secrets API, you must request a OAuth token.
You must pass the HCP service principal key pair (client ID and secret ID) to authenticate with HCP.
HCP_CLIENT_ID
- set the value to your service principal client IDHCP_CLIENT_SECRET
- set the value to your service principal client secret
Example
This example stores the OAuth token in the HCP_API_TOKEN
variable. The HCP_CLIENT_ID
and HCP_CLIENT_SECRET
values are passed in as variables.
$ HCP_API_TOKEN=$(curl --location "https://auth.idp.hashicorp.com/oauth2/token" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "client_id=$HCP_CLIENT_ID" \
--data-urlencode "client_secret=$HCP_CLIENT_SECRET" \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "audience=https://api.hashicorp.cloud" | jq -r .access_token)
Retrieve HCP organization and project ID
Once you have the HCP OAuth token, you must also retrieve your HCP Vault Secrets application name, the organization ID, and the project ID. You can retrieve these directly from the HCP Portal or using the HCP CLI.
If you've created a profile for your Vault Secrets application using the HCP CLI you can run hcp profile display
.
$ hcp profile display
name = "default"
organization_id = "863491ae-c36e-4c5b-9dd0-e0c82cb425c1"
project_id = "f382333d-acfa-4732-880e-a909c42fcb16"
vault-secrets {
app = "sample-app"
}
API request
You can now make an API request using the HCP OAuth token.
Refer to the HCP Vault Secrets API documentation for a list of all available endpoints and parameters.
Examples
Get available applications
The HCP_API_TOKEN
,HCP_CLIENT_ID
, and HCP_CLIENT_SECRET
values are passed in as variables.
$ curl \
--location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps" \
--request GET \
--header "Authorization: Bearer $HCP_API_TOKEN" | jq
Example output:
{
"apps": [
{
"location": {
"organization_id": "ab35ef-8d87-4443-a8a8-s3asam3st",
"project_id": "ab35ef-d3f4-4fda-b245-s3asam3st",
"region": null
},
"name": "WebApplication",
"description": "",
"created_at": "2023-05-24T12:04:14.279930Z",
"updated_at": null,
"created_by": {
"name": "username",
"type": "TYPE_USER",
"email": "username@example.com"
},
"updated_by": null,
"sync_integrations": [],
"secret_count": 3
}
]
}
Get available secrets
The HCP_API_TOKEN
,HCP_CLIENT_ID
, HCP_CLIENT_SECRET
, and APP_NAME
values are passed in as variables.
$ curl \
--location "https://api.cloud.hashicorp.com/secrets/2023-11-28/organizations/$HCP_ORG_ID/projects/$HCP_PROJ_ID/apps/$APP_NAME/secrets" \
--request GET \
--header "Authorization: Bearer $HCP_API_TOKEN" | jq
Example output:
{
"secrets": [
{
"name": "username",
"type": "kv",
"static_version": {
"version": "2",
"created_at": "2023-05-24T12:34:11.138965Z",
"created_by": {
"name": "username",
"type": "TYPE_USER",
"email": "username@example.com"
}
},
"created_at": "2023-05-24T12:22:18.395158Z",
"latest_version": "2",
"created_by": {
"name": "username",
"type": "TYPE_USER",
"email": "username@example.com"
},
"sync_status": {}
}
]
}