Create Credentials
POST /credentials
curl --request POST \
  --url https://api.env0.com/credentials \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '{
  "organizationId": "<string>",
  "projectId": "<string>",
  "type": "AWS_ASSUMED_ROLE",
  "createdByUser": {
    "email": "<string>",
    "user_id": "<string>",
    "created_at": "<string>",
    "app_metadata": {},
    "picture": "<string>",
    "name": "<string>",
    "last_login": "<string>",
    "given_name": "<string>",
    "family_name": "<string>"
  },
  "value": {},
  "encryptionMethod": "<string>",
  "name": "<string>"
}'
{
  "type": "AWS_ASSUMED_ROLE",
  "createdByUser": {
    "email": "<string>",
    "user_id": "<string>",
    "created_at": "<string>",
    "app_metadata": {},
    "picture": "<string>",
    "name": "<string>",
    "last_login": "<string>",
    "given_name": "<string>",
    "family_name": "<string>"
  },
  "value": null,
  "id": "<string>",
  "name": "<string>",
  "organizationId": "<string>",
  "projectId": "<string>",
  "updatedAt": "2023-11-07T05:31:56Z"
}

Authorizations

Authorization
string
header
required

env0 API authentication is done via API keys. An API Key can either be created by an organization administrator, in which case it will not be connected to any specific user, or via Personal API Keys to authenticate as a user.

Creating an API Key with a Specific Role

  • Once you've created your organization, you can set up and manage API Keys.

  • Navigate to the Organization Settings page and click the API Keys tab.

  • Click Add API Key and enter a name for your key in the Name field. This name is for reference purposes only and isn't used directly in authentication.

    ❗️Save your API Key ID and secret. The secret will not be available after you close this window.

Creating a Personal API Key

  • Click on your avatar (located on the top right of the screen)

  • Click on Personal Settings

  • Select the API Keys tab

  • Click Add API Key, and enter a name for your key in the Name field. This name is for reference purposes and isn't used directly in authentication.

    ❗️Save your API Key ID & secret. The secret will not be available after you close this window.

Using an API Key to Authenticate

The env0 API authenticates requests with the Basic Authentication method. Each request should include the API Key ID as the username and the API Key secret as the password. For example, with curl, pass them using the flag --user {API Key ID}:{API Key Secret}.

API Key Permissions

When creating an API key through the organization settings, you will need to choose if you’d like to grant it Organization Admin or User permissions. In case of the latter, you can assign fine-grained permissions per project. Personal API Keys can be created through the user’s profile page and will have the same permissions as the user has.

Rate Limits

The env0 API allows up to 1K requests per 60 seconds. Requests are aggregated by IP, HTTP method and URI. If you exceed this limit, you will receive a 429 status code.

Body

application/json
type
enum<string>
required
Available options:
AWS_ASSUMED_ROLE,
AWS_ASSUMED_ROLE_FOR_DEPLOYMENT,
AWS_ACCESS_KEYS_FOR_DEPLOYMENT,
AWS_OIDC,
GCP_CREDENTIALS,
GCP_SERVICE_ACCOUNT_FOR_DEPLOYMENT,
GCP_OIDC,
AZURE_CREDENTIALS,
AZURE_SERVICE_PRINCIPAL_FOR_DEPLOYMENT,
AZURE_OIDC,
K8S_KUBECONFIG_FILE,
K8S_EKS_AUTH,
K8S_AZURE_AKS_AUTH,
K8S_GCP_GKE_AUTH,
VAULT_OIDC,
OCI_API_KEY_FOR_DEPLOYMENT
value
object
required

A JSON representation of the provider credentials.

  • For AWS_ASSUMED_ROLE_FOR_DEPLOYMENT and AWS_ASSUMED_ROLE types use: { roleArn: "your-role-arn", duration?: "duration-in-seconds" }

  • For GCP_CREDENTIALS type use: { tableId: "your-table-id", secret: "your-secret" }

  • For AZURE_CREDENTIALS type use: { clientId: "your-clientId", clientSecret: "your-clientSecret", tenantId: "your-tenantId", subscriptionId: "your-subscriptionId" }

  • For AWS_ACCESS_KEYS_FOR_DEPLOYMENT type use: { accessKeyId: "your-access-key-id", secretAccessKey: "your-secret-access-key" }

  • For AWS_OIDC type use: { roleArn: "your-role-arn", duration?: "duration-in-seconds" }

  • For AZURE_OIDC type use: { clientId: "your-clientId", tenantId: "your-tenantId", subscriptionId: "your-subscriptionId" }

  • For GCP_SERVICE_ACCOUNT_FOR_DEPLOYMENT type use: { serviceAccountKey: "your-service-account-key", projectId?: "your-project-id" }

  • For GCP_OIDC type use: { credentialConfigurationFileContent: "your-credential-configuration-file-content" }

  • For K8S_KUBECONFIG_FILE type use: { kubeConfig: "your-kube-config" }

  • For K8S_EKS_AUTH type use: { clusterName: "your-cluster-name", clusterRegion: "your-cluster-region" }

  • For K8S_AZURE_AKS_AUTH type use: { clusterName: "your-cluster-name", resourceGroup: "your-resource-group" }

  • For K8S_GCP_GKE_AUTH type use: { clusterName: "your-cluster-name", computeRegion: "your-compute-region" }

  • For VAULT_OIDC type use: { roleName: "your-role-name", namespace?: "your-namespace", address: "your-address", version: "your-version", jwtAuthBackendPath: "your-jwt-auth-backend-path" }

  • For OCI_API_KEY_FOR_DEPLOYMENT type use: { tenancyOcid: "your-tenancy-ocid", userOcid: "your-user-ocid", fingerprint: "your-fingerprint", privateKey: "your-private-key", region: "your-region" }
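
The value shapes listed above and the Basic Authentication scheme from "Using an API Key to Authenticate", combined into a pre-flight check. This is an added example, not env0's own code: the function names, the choice of which keys count as secrets, and the sample inputs are assumptions made for illustration, and nothing is sent over the network.

```python
import base64
import json

# `value` keys per type as (required, optional), transcribed from the list above.
SCHEMA = {
    "AWS_ASSUMED_ROLE": ({"roleArn"}, {"duration"}),
    "AWS_ASSUMED_ROLE_FOR_DEPLOYMENT": ({"roleArn"}, {"duration"}),
    "AWS_OIDC": ({"roleArn"}, {"duration"}),
    "AWS_ACCESS_KEYS_FOR_DEPLOYMENT": ({"accessKeyId", "secretAccessKey"}, set()),
    "AZURE_CREDENTIALS": ({"clientId", "clientSecret", "tenantId", "subscriptionId"}, set()),
    "AZURE_OIDC": ({"clientId", "tenantId", "subscriptionId"}, set()),
    "GCP_CREDENTIALS": ({"tableId", "secret"}, set()),
    "GCP_SERVICE_ACCOUNT_FOR_DEPLOYMENT": ({"serviceAccountKey"}, {"projectId"}),
    "GCP_OIDC": ({"credentialConfigurationFileContent"}, set()),
    "K8S_KUBECONFIG_FILE": ({"kubeConfig"}, set()),
    "K8S_EKS_AUTH": ({"clusterName", "clusterRegion"}, set()),
    "K8S_AZURE_AKS_AUTH": ({"clusterName", "resourceGroup"}, set()),
    "K8S_GCP_GKE_AUTH": ({"clusterName", "computeRegion"}, set()),
    "VAULT_OIDC": ({"roleName", "address", "version", "jwtAuthBackendPath"}, {"namespace"}),
    "OCI_API_KEY_FOR_DEPLOYMENT": ({"tenancyOcid", "userOcid", "fingerprint", "privateKey", "region"}, set()),
}
# Assumption (not stated on the page): these keys carry long-lived secret material.
SECRET_KEYS = {"secretAccessKey", "clientSecret", "secret", "serviceAccountKey",
               "kubeConfig", "privateKey"}

def validate_value(cred_type, value):
    """Raise ValueError unless `value` matches the documented shape for cred_type."""
    if cred_type not in SCHEMA:  # e.g. a type in the enum with no shape listed
        raise ValueError(f"no documented value shape for type {cred_type!r}")
    required, optional = SCHEMA[cred_type]
    missing = required - set(value)
    unknown = set(value) - required - optional
    if missing or unknown:
        raise ValueError(f"{cred_type}: missing={sorted(missing)} unknown={sorted(unknown)}")

def build_request(key_id, key_secret, name, cred_type, value):
    """Return (headers, body) for POST /credentials after validating the payload."""
    validate_value(cred_type, value)
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
    return headers, json.dumps({"name": name, "type": cred_type, "value": value})

def redact_for_log(body):
    """Copy of the JSON body with secret-bearing `value` fields masked."""
    doc = json.loads(body)
    doc["value"] = {k: "***" if k in SECRET_KEYS else v for k, v in doc["value"].items()}
    return json.dumps(doc, sort_keys=True)
```

Log only the output of redact_for_log, never the raw body or the Authorization header; the documented response returns value as null, so the request is the only place the secret appears in transit.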

name
string
required
organizationId
string
projectId
string
createdByUser
object
encryptionMethod
string
Allowed value: "kms"

Response

200 - application/json
type
enum<string>
required
Available options:
AWS_ASSUMED_ROLE,
AWS_ASSUMED_ROLE_FOR_DEPLOYMENT,
AWS_ACCESS_KEYS_FOR_DEPLOYMENT,
AWS_OIDC,
GCP_CREDENTIALS,
GCP_SERVICE_ACCOUNT_FOR_DEPLOYMENT,
GCP_OIDC,
AZURE_CREDENTIALS,
AZURE_SERVICE_PRINCIPAL_FOR_DEPLOYMENT,
AZURE_OIDC,
K8S_KUBECONFIG_FILE,
K8S_EKS_AUTH,
K8S_AZURE_AKS_AUTH,
K8S_GCP_GKE_AUTH,
VAULT_OIDC,
OCI_API_KEY_FOR_DEPLOYMENT
value
null
required
id
string
required
Minimum length: 1
name
string
required
organizationId
string
required
updatedAt
string<date-time>
required
createdByUser
object
projectId
string