Skip to main content
GET
/
resources
/
{resource_id}
Get resource by ID
curl --request GET \
  --url https://api.opal.dev/v1/resources/{resource_id} \
  --header 'Authorization: Bearer <token>'
{
  "resource_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
  "app_id": "b5a5ca27-0ea3-4d86-9199-2126d57d1fbd",
  "description": "This resource represents AWS IAM role \"SupportUser\".",
  "admin_owner_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
  "remote_id": 318038399,
  "remote_name": "repo-name",
  "max_duration": 120,
  "require_manager_approval": false,
  "require_support_ticket": false,
  "parent_resource_id": "f454d283-ca67-4a8a-bdbb-df212eca5345",
  "ancestor_resource_ids": [
    "f454d283-ca67-4a8a-bdbb-df212eca5345"
  ],
  "descendant_resource_ids": [
    "f454d283-ca67-4a8a-bdbb-df212eca5345"
  ]
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

resource_id
string<uuid>
required

The ID of the resource.

Response

200 - application/json

The requested resource.

Resource Object

Description

The Resource object is used to represent a resource.

Usage Example

Update from the UPDATE Resources endpoint.

resource_id
string<uuid>
required

The ID of the resource.

Example:

"f454d283-ca87-4a8a-bdbb-df212eca5353"

app_id
string<uuid>

The ID of the app.

Example:

"b5a5ca27-0ea3-4d86-9199-2126d57d1fbd"

name
string

The name of the resource.

Example:

"mongo-db-prod"

description
string

A description of the resource.

Example:

"This resource represents AWS IAM role \"SupportUser\"."

admin_owner_id
string<uuid>

The ID of the owner of the resource.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

remote_resource_id
string

The ID of the resource on the remote system.

Example:

318038399

remote_resource_name
string

The name of the resource on the remote system.

Example:

"repo-name"

resource_type
enum<string>

The type of the resource.

Available options:
AWS_IAM_ROLE,
AWS_EC2_INSTANCE,
AWS_EKS_CLUSTER,
AWS_RDS_POSTGRES_CLUSTER,
AWS_RDS_POSTGRES_INSTANCE,
AWS_RDS_MYSQL_CLUSTER,
AWS_RDS_MYSQL_INSTANCE,
AWS_ACCOUNT,
AWS_SSO_PERMISSION_SET,
AWS_ORGANIZATIONAL_UNIT,
AZURE_MANAGEMENT_GROUP,
AZURE_RESOURCE_GROUP,
AZURE_SUBSCRIPTION,
AZURE_VIRTUAL_MACHINE,
AZURE_STORAGE_ACCOUNT,
AZURE_STORAGE_CONTAINER,
AZURE_SQL_SERVER,
AZURE_SQL_MANAGED_INSTANCE,
AZURE_SQL_DATABASE,
AZURE_SQL_MANAGED_DATABASE,
AZURE_USER_ASSIGNED_MANAGED_Identity,
AZURE_ENTRA_ID_ROLE,
AZURE_ENTERPRISE_APP,
CUSTOM,
CUSTOM_CONNECTOR,
DATABRICKS_ACCOUNT_SERVICE_PRINCIPAL,
GCP_ORGANIZATION,
GCP_BUCKET,
GCP_COMPUTE_INSTANCE,
GCP_FOLDER,
GCP_GKE_CLUSTER,
GCP_PROJECT,
GCP_CLOUD_SQL_POSTGRES_INSTANCE,
GCP_CLOUD_SQL_MYSQL_INSTANCE,
GCP_BIG_QUERY_DATASET,
GCP_BIG_QUERY_TABLE,
GCP_SERVICE_ACCOUNT,
GIT_HUB_REPO,
GIT_HUB_ORG_ROLE,
GIT_LAB_PROJECT,
GOOGLE_WORKSPACE_ROLE,
MONGO_INSTANCE,
MONGO_ATLAS_INSTANCE,
OKTA_APP,
OKTA_ROLE,
OPAL_ROLE,
OPAL_SCOPED_ROLE,
PAGERDUTY_ROLE,
TAILSCALE_SSH,
SALESFORCE_PERMISSION_SET,
SALESFORCE_PROFILE,
SALESFORCE_ROLE,
SNOWFLAKE_DATABASE,
SNOWFLAKE_SCHEMA,
SNOWFLAKE_TABLE,
WORKDAY_ROLE,
MYSQL_INSTANCE,
MARIADB_INSTANCE,
POSTGRES_INSTANCE,
TELEPORT_ROLE,
ILEVEL_ADVANCED_ROLE,
DATASTAX_ASTRA_ROLE,
COUPA_ROLE,
CURSOR_ORGANIZATION,
OPENAI_PLATFORM_PROJECT,
OPENAI_PLATFORM_SERVICE_ACCOUNT,
ANTHROPIC_WORKSPACE,
GIT_HUB_ORG,
ORACLE_FUSION_ROLE
Example:

"AWS_IAM_ROLE"

max_duration
integer

The maximum duration for which the resource can be requested (in minutes).

Example:

120

recommended_duration
integer

The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

extensions_duration_in_minutes
integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

require_manager_approval
boolean
deprecated

A bool representing whether or not access requests to the resource require manager approval.

Example:

false

require_support_ticket
boolean

A bool representing whether or not access requests to the resource require an access ticket.

Example:

false

require_mfa_to_approve
boolean

A bool representing whether or not to require MFA for reviewers to approve requests for this resource.

Example:

false

require_mfa_to_request
boolean

A bool representing whether or not to require MFA for requesting access to this resource.

Example:

false

require_mfa_to_connect
boolean

A bool representing whether or not to require MFA to connect to this resource.

Example:

false

auto_approval
boolean

A bool representing whether or not to automatically approve requests to this resource.

Example:

false

request_template_id
string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

is_requestable
boolean

A bool representing whether or not to allow access requests to this resource.

Example:

false

parent_resource_id
string<uuid>

The ID of the parent resource.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4305"

configuration_template_id
string<uuid>

The ID of the associated configuration template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

request_configurations
object[]

A list of configurations for requests to this resource.

request_configuration_list
object[]
deprecated

A list of configurations for requests to this resource. Deprecated in favor of request_configurations.

ticket_propagation
object

Configuration for ticket propagation, when enabled, a ticket will be created for access changes related to the users in this resource.

custom_request_notification
string | null

Custom request notification sent upon request approval.

Maximum length: 800
risk_sensitivity
enum<string>

The risk sensitivity level for the resource. When an override is set, this field will match that. Indicates the level of potential impact misuse or unauthorized access may incur.

Available options:
UNKNOWN,
CRITICAL,
HIGH,
MEDIUM,
LOW,
NONE
risk_sensitivity_override
enum<string>

Indicates the level of potential impact misuse or unauthorized access may incur.

Available options:
UNKNOWN,
CRITICAL,
HIGH,
MEDIUM,
LOW,
NONE
metadata
string
deprecated

JSON metadata about the remote resource. Only set for items linked to remote systems. See this guide for details.

Example:

"{\n \"okta_directory_role\":\n {\n \"role_id\": \"SUPER_ADMIN-b52aa037-4a35-4ac3-9350-f6260fd12345\",\n \"role_type\": \"SUPER_ADMIN\",\n },\n}"

remote_info
object

Information that defines the remote resource. This replaces the deprecated remote_id and metadata fields.

ancestor_resource_ids
string<uuid>[]

List of resource IDs that are ancestors of this resource.

Example:
[
  "f454d283-ca67-4a8a-bdbb-df212eca5345",
  "f454d283-ca67-4a8a-bdbb-df212eca5346"
]
descendant_resource_ids
string<uuid>[]

List of resource IDs that are descendants of this resource.

Example:
[
  "f454d283-ca67-4a8a-bdbb-df212eca5347",
  "f454d283-ca67-4a8a-bdbb-df212eca5348"
]
last_successful_sync
object

Information about the last successful sync of this resource.

Example:
{
  "id": "7c86c85d-0651-43e2-a748-d69d658418e8",
  "completed_at": "2023-10-01T12:00:00.000Z"
}