The Identity resource defines an authentication identity that can access Edge Server HTTP APIs. Each identity has a credential (such as an API key) and a set of permissions that control what operations they can perform.
For a complete guide on generating API keys and configuring authentication, see the Authentication guide. Basic Configuration
resources:
my_identity:
resource_type: Identity
credential:
api_key: "BASE64_ENCODED_STRING_GENERATED_BY_CLI"
permissions: "my_permission_set" # Reference to a PermissionSet resource
id: "service-account-1" # Optional
Required Fields
| Field | Type | Description |
|---|
resource_type | string | Must be "Identity" |
credential | object | The credential this identity uses to authenticate with Edge Server |
permissions | string | Reference to a PermissionSet resource that defines what this identity can do |
Optional Fields
| Field | Type | Default | Description |
|---|
id | string/null | Uses resource key | Human-readable identifier for this identity. Used in audit logs. If not provided, the YAML key name is used |
Credentials
Credentials define how an identity authenticates with Edge Server. All credentials must be generated using the Edge Server CLI command.
API Key Credential
Currently, API key is the only supported credential type:
credential:
api_key: "BASE64_ENCODED_STRING_GENERATED_BY_CLI"
| Field | Type | Description |
|---|
api_key | string | Base64-encoded string generated by Edge Server CLI |
Credentials must be unique across all Identity resources. Duplicating credentials across multiple identities is not allowed and will cause a configuration error.
Generating API Keys
Use the Edge Server CLI to generate secure API key credentials:
# Generate an API key credential
ditto-edge-server credential generate-api-key
Permissions
The permissions field references a PermissionSet resource defined elsewhere in your configuration. This separation allows you to reuse permission sets across multiple identities.
resources:
# Define a permission set
admin_permissions:
resource_type: PermissionSet
permissions: full
# Create an identity using those permissions
admin_user:
resource_type: Identity
credential:
api_key: "PHC_STRING_1"
permissions: "admin_permissions"
Complete Examples
Basic Identity with Full Permissions
resources:
# Define permissions
full_access:
resource_type: PermissionSet
permissions: full
# Define identity
admin_identity:
resource_type: Identity
credential:
api_key: "YXJnb24yaWQkdj0xOSRtPTE5NDU2LHQ9MixwPTEkLi4u"
permissions: "full_access"
id: "admin-service-account"
# Use identity in HTTP server
api_server:
resource_type: HttpServer
listen_addr: "127.0.0.1:8080"
auth: ["admin_identity"] # Restrict to this identity
databases:
my_db:
db_id: "12345678-1234-4123-1234-123456789012"
http_api: true
Multiple Identities with Shared Permissions
resources:
# Shared permission set
standard_permissions:
resource_type: PermissionSet
permissions: full
# First identity
service_a:
resource_type: Identity
credential:
api_key: "YXJnb24yaWQkdj0xOSRtPTE5NDU2LHQ9MixwPTEkS0VZX0E="
permissions: "standard_permissions"
id: "service-a"
# Second identity
service_b:
resource_type: Identity
credential:
api_key: "YXJnb24yaWQkdj0xOSRtPTE5NDU2LHQ9MixwPTEkS0VZX0I="
permissions: "standard_permissions"
id: "service-b"
# HTTP server accepting both identities
http_api:
resource_type: HttpServer
listen_addr: "127.0.0.1:8080"
auth: ["service_a", "service_b"]
databases:
main:
db_id: "87654321-4321-4123-4321-210987654321"
http_api: true
Identity Without Custom ID
When id is not specified, the resource key is used:
resources:
my_permission_set:
resource_type: PermissionSet
permissions: full
backend_service: # This name will be used as the identity ID
resource_type: Identity
credential:
api_key: "YXJnb24yaWQkdj0xOSRtPTE5NDU2LHQ9MixwPTEkLi4u"
permissions: "my_permission_set"
# No 'id' field - "backend_service" will appear in audit logs
Using Identities with HTTP Servers
Identities are referenced in HttpServer resources to control authentication:
resources:
my_identity:
resource_type: Identity
credential:
api_key: "YXJnb24yaWQkdj0xOSRtPTE5NDU2LHQ9MixwPTEkLi4u"
permissions: "some_permissions"
api_server:
resource_type: HttpServer
listen_addr: "127.0.0.1:8080"
auth: ["my_identity"] # Only this identity can authenticate
databases:
db1:
db_id: "12345678-1234-4123-1234-123456789012"
http_api: true
api_server:
resource_type: HttpServer
listen_addr: "127.0.0.1:8080"
auth: null # No authentication required
databases:
db1:
db_id: "12345678-1234-4123-1234-123456789012"
http_api: true
Security Best Practices
- Generate credentials securely: Always use the Edge Server CLI to generate credentials. Never create API keys manually
- Unique credentials: Each identity must have a unique credential. Never reuse credentials across identities
- Meaningful IDs: Use descriptive
id values to make audit logs easier to understand
- Principle of least privilege: Grant identities only the permissions they need
- Rotate credentials: Regularly rotate API keys by generating new credentials and updating your configuration
- Secure storage: Store credentials securely (e.g., in environment variables or secrets management systems) rather than committing them to version control
Important Notes
- Credential Uniqueness: The same credential cannot be used by multiple Identity resources. Each identity must have its own unique credential
- Audit Logging: The
id field (or resource key if id is not set) appears in audit logs to identify who performed actions
- Permission Set References: The
permissions field must reference an existing PermissionSet resource by its resource key name
- Authentication Flow: When an HTTP request arrives with an API key, Edge Server validates it against all configured Identity resources and checks the associated permissions
