Service to manage Users and Teams in TSB

Teams

The Teams service provides methods to manage the Users and Teams that exist in an Organization.

Users and Teams are periodically synchronized from the Identity Provider (IdP) configured for the Organization, but TSB allows creating local teams to provide extended flexibility in how Users and Teams are grouped, and to provide a comprehensive way of creating more fine-grained access control policies.

GetUser

rpc GetUser (tetrateio.api.tsb.v2.GetUserRequest) returns (tetrateio.api.tsb.v2.User)

Requires READ

Get the details of an existing user.

ListUsers

rpc ListUsers (tetrateio.api.tsb.v2.ListUsersRequest) returns (tetrateio.api.tsb.v2.ListUsersResponse)

List existing users.

GenerateTokens

rpc GenerateTokens (tetrateio.api.tsb.v2.GenerateTokensRequest) returns (tetrateio.api.tsb.v2.TokenResponse)

Requires CreateUser

Deprecated. This method will be removed in future versions of TSB. Use Service Accounts instead.

Generate the tokens for a local user account so it can authenticate against the management plane. This method will return an error if the user account is not of type MANUAL. Credentials for normal platform users must be configured in the corresponding Identity Provider.

CreateTeam

rpc CreateTeam (tetrateio.api.tsb.v2.CreateTeamRequest) returns (tetrateio.api.tsb.v2.Team)

Requires CREATE

Create a new team.

GetTeam

rpc GetTeam (tetrateio.api.tsb.v2.GetTeamRequest) returns (tetrateio.api.tsb.v2.Team)

Requires READ

Get the details of an existing team.

UpdateTeam

rpc UpdateTeam (tetrateio.api.tsb.v2.Team) returns (tetrateio.api.tsb.v2.Team)

Requires WRITE

Modify an existing team.

ListTeams

rpc ListTeams (tetrateio.api.tsb.v2.ListTeamsRequest) returns (tetrateio.api.tsb.v2.ListTeamsResponse)

List all existing teams.

DeleteTeam

rpc DeleteTeam (tetrateio.api.tsb.v2.DeleteTeamRequest) returns (google.protobuf.Empty)

Requires DELETE

Delete a team. Note that deleting a team only deletes the team itself, but not its members.

CreateServiceAccount

rpc CreateServiceAccount (tetrateio.api.tsb.v2.CreateServiceAccountRequest) returns (tetrateio.api.tsb.v2.ServiceAccount)

Requires CREATE

Create a Service Account in TSB. Service Accounts are local to TSB and can be used to access the platform using JWT tokens signed with the Service Account’s private key for authentication.

GetServiceAccount

rpc GetServiceAccount (tetrateio.api.tsb.v2.GetServiceAccountRequest) returns (tetrateio.api.tsb.v2.ServiceAccount)

Requires READ

Get the details of an existing Service Account.

GetServiceAccountJWKS

rpc GetServiceAccountJWKS (tetrateio.api.tsb.v2.GetServiceAccountJWKSRequest) returns (tetrateio.api.tsb.v2.JWKS)

Get all the public keys available in the service account and return them in a JWKS document (see https://datatracker.ietf.org/doc/html/rfc7517). Requests to this endpoint require read permissions on the service account, or a token signed with one of the service account keys.

UpdateServiceAccount

rpc UpdateServiceAccount (tetrateio.api.tsb.v2.ServiceAccount) returns (tetrateio.api.tsb.v2.ServiceAccount)

Requires WRITE

Update the details of a service account. Updating the details of the service account does not regenerate its keys.

ListServiceAccounts

rpc ListServiceAccounts (tetrateio.api.tsb.v2.ListServiceAccountsRequest) returns (tetrateio.api.tsb.v2.ListServiceAccountsResponse)

List existing Service Accounts.

DeleteServiceAccount

rpc DeleteServiceAccount (tetrateio.api.tsb.v2.DeleteServiceAccountRequest) returns (google.protobuf.Empty)

Requires DELETE

Delete the given Service Account.

GenerateServiceAccountKey

rpc GenerateServiceAccountKey (tetrateio.api.tsb.v2.GenerateServiceAccountKeyRequest) returns (tetrateio.api.tsb.v2.ServiceAccount)

Requires WriteServiceAccount

Generate a new key-pair for the service account. Note that TSB does not store the generated private key, so the client must read it and store it securely.

DeleteServiceAccountKey

rpc DeleteServiceAccountKey (tetrateio.api.tsb.v2.DeleteServiceAccountKeyRequest) returns (tetrateio.api.tsb.v2.ServiceAccount)

Requires WriteServiceAccount

Delete a key-pair associated with the service account.

CreateServiceAccountRequest

Request to create a ServiceAccount.

Field Description Validation Rule

parent

string
REQUIRED
Parent resource where the User will be created.

string = {
  min_len: 1
}

name

string
REQUIRED
The short name for the resource to be created.

string = {
  min_len: 1
}

serviceAccount

tetrateio.api.tsb.v2.ServiceAccount
REQUIRED
Details of the Service Account to be created.

message = {
  required: true
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the generated key pairs will be returned. If not set, keys are returned in PEM format.

CreateTeamRequest

Request to create a Team.

Field Description Validation Rule

parent

string
REQUIRED
Parent resource where the Team will be created.

string = {
  min_len: 1
}

name

string
REQUIRED
The short name for the resource to be created.

string = {
  min_len: 1
}

team

tetrateio.api.tsb.v2.Team
REQUIRED
Details of the Team to be created.

message = {
  required: true
}

DeleteServiceAccountKeyRequest

Delete a key-pair associated with the Service Account.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

id

string
REQUIRED
ID of the key-pair to delete.

string = {
  min_len: 1
}

DeleteServiceAccountRequest

Request to delete a ServiceAccount.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

DeleteTeamRequest

Request to delete a Team.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Team.

string = {
  min_len: 1
}

GenerateServiceAccountKeyRequest

Request to generate a new key-pair for the Service Account.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the key pairs will be returned. If not set, keys are returned in PEM format.

GetServiceAccountJWKSRequest

Request to retrieve all the public keys under a service account.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the service account.

string = {
  min_len: 1
}

GetServiceAccountRequest

Request to retrieve a Service Account.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Service Account.

string = {
  min_len: 1
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the key pairs will be returned. If not set, keys are returned in PEM format.

GetTeamRequest

Request to retrieve a Team.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the Team.

string = {
  min_len: 1
}

GetUserRequest

Request to retrieve a User.

Field Description Validation Rule

fqn

string
REQUIRED
Fully-qualified name of the User.

string = {
  min_len: 1
}

JWKS

JSON Web Key Set. Refer to https://datatracker.ietf.org/doc/html/rfc7517

Field Description Validation Rule

keys

List of tetrateio.api.tsb.v2.JWKS.JWK
List of public JWKs

JWK

JSON Web Key. Refer to https://datatracker.ietf.org/doc/html/rfc7517

Field Description Validation Rule

alg

string
The specific cryptographic algorithm used with the key.

kty

string
The family of cryptographic algorithms used with the key.

use

string
How the key was meant to be used; sig represents the signature.

n

string
The modulus for the RSA public key.

e

string
The exponent for the RSA public key.

kid

string
The unique identifier for the key.
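
The following Go example is added here and is not part of TSB or Tetrate's code. It shows how a verifier could check a Service Account JWT against a JWKS document with the fields listed above: the header's kid selects the key, n and e rebuild the RSA public key, and the algorithm is pinned. The RS256 algorithm, the names Verify and Sample, the kid "k1" and the sample claims are assumptions; the key and token are constructed at run time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// Verify checks a compact JWT against a JWKS and returns its payload. RS256 is an assumption; claims such as exp are not checked.
func Verify(token, jwks string) (string, error) {
	var set struct{ Keys []struct{ Kty, Use, N, E, Kid string } } // JSON names match case-insensitively
	var h struct{ Alg, Kid string }
	p := strings.Split(token, ".")
	if json.Unmarshal([]byte(jwks), &set) != nil || len(p) != 3 {
		return "", fmt.Errorf("malformed JWKS or token")
	}
	raw, _ := b64.DecodeString(p[0])
	sig, _ := b64.DecodeString(p[2])
	if json.Unmarshal(raw, &h) != nil || h.Alg != "RS256" || h.Kid == "" { // pin alg: "none" and HS256 are rejected
		return "", fmt.Errorf("bad header or unexpected alg %q", h.Alg)
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	for _, k := range set.Keys { // only an RSA signing key whose kid matches the header is tried
		n, _ := b64.DecodeString(k.N)
		e, _ := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if k.Kid == h.Kid && k.Kty == "RSA" && k.Use == "sig" && len(n) > 0 && rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) == nil {
			payload, err := b64.DecodeString(p[1])
			return string(payload), err
		}
	}
	return "", fmt.Errorf("no RSA signing key with kid %q verifies this token", h.Kid)
}

func Sample(header string) (token, jwks string) { // constructed input: fresh key, its one-entry JWKS (kid "k1"), signed token
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks = fmt.Sprintf(`{"keys":[{"kty":"RSA","use":"sig","kid":"k1","n":%q,"e":"AQAB"}]}`, b64.EncodeToString(key.N.Bytes()))
	in := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString([]byte(`{"sub":"sa"}`))
	sum := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	return in + "." + b64.EncodeToString(sig), jwks
}
func main() { fmt.Println(Verify(Sample(`{"alg":"RS256","kid":"k1"}`))) }
```

Deleting a key-pair with DeleteServiceAccountKey removes its entry from the JWKS, so a verifier that re-fetches the document stops accepting tokens carrying that kid.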

ListServiceAccountsRequest

Request to list Service Accounts.

Field Description Validation Rule

parent

string
REQUIRED
Parent resource to list Users from.

string = {
  min_len: 1
}

keyEncoding

tetrateio.api.tsb.v2.ServiceAccount.KeyPair.Encoding
The format in which the key pairs for each key will be returned. If not set, keys are returned in PEM format.

ListServiceAccountsResponse

List of existing Service Accounts.

Field Description Validation Rule

serviceAccounts

List of tetrateio.api.tsb.v2.ServiceAccount

ListTeamsRequest

Request to list Teams.

Field Description Validation Rule

parent

string
REQUIRED
Parent resource to list Teams from.

string = {
  min_len: 1
}

ListTeamsResponse

List of existing teams.

Field Description Validation Rule

teams

List of tetrateio.api.tsb.v2.Team

ListUsersRequest

Request to list Users.

Field Description Validation Rule

parent

string
REQUIRED
Parent resource to list Users from.

string = {
  min_len: 1
}

ListUsersResponse

List of existing Users.

Field Description Validation Rule

users

List of tetrateio.api.tsb.v2.User

TokenResponse

Contains a pair of tokens for a user that can be used to authenticate against TSB.

Field Description Validation Rule

accessToken

string
Bearer access token that can be used to access TSB. This token is usually short-lived. The refresh token, when present, can be used to obtain a new access token when it expires.

refreshToken

string
Refresh token that can be used to obtain a new Bearer access token. This token is usually long-lived and should be stored securely.