Version: 1.5.x

Teams Service

Teams

The Teams service provides methods to manage the Users and Teams that exist in an Organization.

Users and Teams are periodically synchronized from the Identity Provider (IdP) configured for the Organization, but TSB allows creating local teams to provide extended flexibility in how Users and Teams are grouped, and to provide a comprehensive way of creating more fine-grained access control policies.

GetUser

Requires ReadUser

Get the details of an existing user.

ListUsers

List existing users.

GenerateTokens

Requires CreateUser

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Generate the tokens for a local user account so it can authenticate against the management plane. This method will return an error if the user account is not of type MANUAL. Credentials for normal platform users must be configured in the corresponding Identity Provider.

CreateTeam

Requires CreateTeam

Create a new team.

GetTeam

Requires ReadTeam

Get the details of an existing team.

UpdateTeam

Requires WriteTeam

Modify an existing team.

ListTeams

List all existing teams.

DeleteTeam

Requires DeleteTeam

Delete a team. Note that deleting a team only deletes the team itself, but not its members.

CreateServiceAccount

Requires CreateServiceAccount

Create a Service Account in TSB. Service Accounts are local to TSB and can be used to access the platform using JWT tokens signed with the Service Account's private key for authentication.

GetServiceAccount

Requires ReadServiceAccount

Get the details of an existing Service Account.

GetServiceAccountJWKS

Get all the public keys available in the service account and return them in a JWKS document. See: https://datatracker.ietf.org/doc/html/rfc7517. Requests to this endpoint require read permissions on the service account, or a token signed with one of the service account keys.

UpdateServiceAccount

Requires WriteServiceAccount

Update the details of a service account. Updating the details of the service account does not regenerate its keys.

ListServiceAccounts

List existing Service Accounts.

DeleteServiceAccount

Requires DeleteServiceAccount

Delete the given Service account.

GenerateServiceAccountKey

Requires WriteServiceAccount

Generate a new key-pair for the service account. Note that TSB does not store the generated private key, so the client must read it and store it securely.

DeleteServiceAccountKey

Requires WriteServiceAccount

Delete a key-pair associated with the service account.

CreateServiceAccountRequest

Request to create a ServiceAccount.

Field | Description | Validation Rule

parent

string
REQUIRED
Parent resource where the User will be created.

string = {
  min_len: 1
}

name

string
REQUIRED
The short name for the resource to be created.

string = {
  min_len: 1
}

serviceAccount

tetrateio.api.tsb.v2.ServiceAccount
REQUIRED
Details of the Service Account to be created.

message = {
  required: true
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the generated key pairs will be returned. If not set, keys are returned in PEM format.

CreateTeamRequest

Request to create a Team.

Field | Description | Validation Rule

parent

string
REQUIRED
Parent resource where the Team will be created.

string = {
  min_len: 1
}

name

string
REQUIRED
The short name for the resource to be created.

string = {
  min_len: 1
}

team

tetrateio.api.tsb.v2.Team
REQUIRED
Details of the Team to be created.

message = {
  required: true
}

DeleteServiceAccountKeyRequest

Delete a key-pair associated with the Service Account.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

id

string
REQUIRED
ID of the key-pair to delete.

string = {
  min_len: 1
}

DeleteServiceAccountRequest

Request to delete a ServiceAccount.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

DeleteTeamRequest

Request to delete a Team.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Team.

string = {
  min_len: 1
}

GenerateServiceAccountKeyRequest

Request to generate a new key-pair for the Service Account.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the key pairs will be returned. If not set, keys are returned in PEM format.

GetServiceAccountJWKSRequest

Request to retrieve all the public keys under a service account.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the service account.

string = {
  min_len: 1
}

GetServiceAccountRequest

Request to retrieve a Service Account.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the key pairs will be returned. If not set, keys are returned in PEM format.

GetTeamRequest

Request to retrieve a Team.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Team.

string = {
  min_len: 1
}

GetUserRequest

Request to retrieve a User.

Field | Description | Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the User.

string = {
  min_len: 1
}

JWKS

JSON Web Key Set. Refer to https://datatracker.ietf.org/doc/html/rfc7517

Field | Description | Validation Rule

keys

List of tetrateio.api.tsb.v2.JWKS.JWK
List of public JWKs

JWK

JSON Web Key. Refer to https://datatracker.ietf.org/doc/html/rfc7517

Field | Description | Validation Rule

alg

string
The specific cryptographic algorithm used with the key.

kty

string
The family of cryptographic algorithms used with the key.

use

string
How the key was meant to be used; sig represents the signature.

n

string
The modulus for the RSA public key.

e

string
The exponent for the RSA public key.

kid

string
The unique identifier for the key.
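
The JWK fields above are enough to verify a token signed with a Service Account key. The following is an added example, not TSB code: it selects the key by kid from a JWKS document and verifies a compact JWT. The RS256 algorithm, the 2048-bit minimum modulus and the names Verify and NewDemo are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWK and JWT fields are unpadded base64url

// Verify checks a compact JWT against a JWKS document; RS256 and the 2048-bit floor are assumptions.
func Verify(jwks []byte, token string) error {
	var set struct{ Keys []struct{ Kty, Use, N, E, Kid string } }
	var hdr struct{ Alg, Kid string }
	p := strings.Split(token, ".")
	raw, _ := b64.DecodeString(p[0]) // a bad encoding leaves invalid JSON, rejected below
	if len(p) != 3 || json.Unmarshal(jwks, &set) != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("malformed input or alg is not RS256") // also rejects alg "none"
	}
	sig, _ := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, k := range set.Keys {
		n, _ := b64.DecodeString(k.N)
		e, _ := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if k.Kid == hdr.Kid && k.Kty == "RSA" && k.Use == "sig" && pub.N.BitLen() >= 2048 && len(e) <= 4 {
			return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
		}
	}
	return fmt.Errorf("no usable key for kid %q", hdr.Kid)
}

// NewDemo builds constructed sample data: a throwaway key's JWKS and a token signed with that key.
func NewDemo(kid string) ([]byte, string) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := fmt.Sprintf(`{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":%q,"n":%q,"e":"AQAB"}]}`, kid, b64.EncodeToString(priv.N.Bytes()))
	in := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"`+kid+`"}`)) + "." + b64.EncodeToString([]byte(`{"sub":"demo"}`))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return []byte(jwks), in + "." + b64.EncodeToString(sig)
}

func main() { fmt.Println(Verify(NewDemo("key-1"))) } // prints <nil> when the token verifies
```

Pinning the accepted algorithm in the verifier, rather than trusting the token header, is what keeps a token with alg set to none or to a symmetric algorithm from being accepted.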

ListServiceAccountsRequest

Request to list Service Accounts.

Field | Description | Validation Rule

parent

string
REQUIRED
Parent resource to list Users from.

string = {
  min_len: 1
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the key pairs for each key will be returned. If not set, keys are returned in PEM format.

ListServiceAccountsResponse

List of existing Service Accounts.

Field | Description | Validation Rule

serviceAccounts

List of tetrateio.api.tsb.v2.ServiceAccount

ListTeamsRequest

Request to list Teams.

Field | Description | Validation Rule

parent

string
REQUIRED
Parent resource to list Teams from.

string = {
  min_len: 1
}

ListTeamsResponse

List of existing teams.

Field | Description | Validation Rule

teams

List of tetrateio.api.tsb.v2.Team

ListUsersRequest

Request to list Users.

Field | Description | Validation Rule

parent

string
REQUIRED
Parent resource to list Users from.

string = {
  min_len: 1
}

ListUsersResponse

List of existing Users.

Field | Description | Validation Rule

users

List of tetrateio.api.tsb.v2.User

TokenResponse

Contains a pair of tokens for a user that can be used to authenticate against TSB.

Field | Description | Validation Rule

accessToken

string
Bearer access token that can be used to access TSB. This token is usually short-lived. The refresh token, when present, can be used to obtain a new access token when it expires.

refreshToken

string
Refresh token that can be used to obtain a new Bearer access token. This token is usually long-lived and should be stored securely.