Creating a Key Manager API User
On the Key Manager side, prepare a Key Manager admin account with permissions to connect to the Key Manager API. The User Portal uses this account to connect to the Key Manager API.
- Access the Key Manager web GUI by navigating to the address of the Key Manager front end. Log in as a user who has permissions to create and modify Key Manager accounts, for example an account that has the Administrators role. Superuser accounts can also be used.
- Key Manager permissions are granted to accounts through roles. On the Accounts→Roles page, ensure that a role exists that grants the permissions required by the API user; create such a role if one does not exist already.

  The exact permissions required by the API user depend on whether the User Portal can be used to submit requests that skip Key Manager administrator approval, because requests that skip administrator approval are executed as the API user. Requests skip Key Manager administrator approval if they are submitted using Direct delegation, or if the application policy is set to require zero admin approvals.

  If all requests are to require Key Manager administrator approval, the API user needs the following permissions (granted by the default role User Portal (Minimal)):

  - Connect through external API
  - Process authorization requests
  - Process key requests
  - View settings
  If you want to allow requests that do not require Key Manager administrator approval, the API user needs the following permissions (granted by the default role User Portal (Maximal)):

  - Approve authorized keys
  - Approve new private keys
  - Authorize keys
  - Connect through external API
  - Create new private keys
  - Delete authorized keys
  - Delete private keys
  - Edit authorized keys
  - Edit private key passphrases
  - Edit private keys
  - Process authorization requests
  - Process key requests
  - Renew private keys
  - View private key passphrases
  - View settings
- Create the API user. To do this, navigate to the Accounts→Accounts page and click Create New Account. Fill in the required account information, including at least the credentials and an email address for the account. To give the account the required permissions, associate it with the role that was chosen or created earlier.
You have now set up an API user account. Note the name of the account; it will be needed later when creating client certificates.
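Because requests that skip administrator approval run as the API user, the role attached to that account sets the blast radius of a compromised User Portal. The following is an added audit helper, not code from the Key Manager product or its documentation: it takes the permission names listed above and reports both what a role is missing (the integration would fail) and what it grants beyond the requirement (a least-privilege finding). The function names, the `direct_delegation_enabled` / `min_admin_approvals` inputs and the sample role are assumptions constructed for the illustration; the real product exposes these settings through its GUI and policy, not through this API.

```python
"""Audit a Key Manager API-user role against the Minimal/Maximal permission sets.

Added example for this page; not part of the Key Manager product. Permission
names are the ones the page lists. Function names, the policy flags and the
sample role below are constructed assumptions for the illustration.
"""

# Permissions granted by the default role "User Portal (Minimal)".
MINIMAL = frozenset({
    "Connect through external API",
    "Process authorization requests",
    "Process key requests",
    "View settings",
})

# Permissions granted by the default role "User Portal (Maximal)".
MAXIMAL = frozenset({
    "Approve authorized keys",
    "Approve new private keys",
    "Authorize keys",
    "Connect through external API",
    "Create new private keys",
    "Delete authorized keys",
    "Delete private keys",
    "Edit authorized keys",
    "Edit private key passphrases",
    "Edit private keys",
    "Process authorization requests",
    "Process key requests",
    "Renew private keys",
    "View private key passphrases",
    "View settings",
})


def required_permissions(direct_delegation_enabled: bool,
                         min_admin_approvals: int) -> frozenset:
    """Return the permission set the API user needs.

    Requests bypass Key Manager administrator approval when Direct delegation
    is in use or when the application policy requires zero admin approvals.
    Those requests execute as the API user, so only then is the Maximal set
    needed; otherwise the Minimal set is sufficient.
    """
    if direct_delegation_enabled or min_admin_approvals == 0:
        return MAXIMAL
    return MINIMAL


def audit_role(granted, direct_delegation_enabled: bool,
               min_admin_approvals: int) -> dict:
    """Compare a role's granted permissions with the API user's requirement.

    Returns a dict with:
      missing - required permissions the role lacks (the integration will fail)
      excess  - permissions granted beyond the requirement (over-provisioning)
      ok      - True only when nothing is missing and nothing is excess
    """
    granted = frozenset(granted)
    required = required_permissions(direct_delegation_enabled, min_admin_approvals)
    missing = required - granted
    excess = granted - required
    return {
        "missing": sorted(missing),
        "excess": sorted(excess),
        "ok": not missing and not excess,
    }


if __name__ == "__main__":
    # Constructed scenario: an operator attached the Maximal role "to be safe",
    # but the application policy still requires one admin approval and Direct
    # delegation is not in use. Every approval/key-editing permission is excess.
    sample_role = MAXIMAL
    report = audit_role(sample_role, direct_delegation_enabled=False,
                        min_admin_approvals=1)
    print("ok:", report["ok"])
    for name in report["excess"]:
        print("excess permission:", name)
    for name in report["missing"]:
        print("missing permission:", name)
```

Run the audit once per User Portal deployment, with the flags set to match that deployment's actual delegation and approval settings; a change to either setting changes the required set, so it belongs in the same change review as the policy edit.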