Skip to main content
GET
/
resources
/
{resource_id}
Get resource by ID
curl --request GET \
  --url https://api.opal.dev/v1/resources/{resource_id} \
  --header 'Authorization: Bearer <token>'
{
  "resource_id": "f454d283-ca87-4a8a-bdbb-df212eca5353",
  "app_id": "b5a5ca27-0ea3-4d86-9199-2126d57d1fbd",
  "description": "This resource represents AWS IAM role \"SupportUser\".",
  "admin_owner_id": "7c86c85d-0651-43e2-a748-d69d658418e8",
  "remote_id": 318038399,
  "remote_name": "repo-name",
  "max_duration": 120,
  "require_manager_approval": false,
  "require_support_ticket": false,
  "parent_resource_id": "f454d283-ca67-4a8a-bdbb-df212eca5345",
  "ancestor_resource_ids": [
    "f454d283-ca67-4a8a-bdbb-df212eca5345"
  ],
  "descendant_resource_ids": [
    "f454d283-ca67-4a8a-bdbb-df212eca5345"
  ]
}

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

resource_id
string<uuid>
required

The ID of the resource.

Response

200 - application/json

The requested resource.

Resource Object

Description

The Resource object is used to represent a resource.

Usage Example

Update from the UPDATE Resources endpoint.

resource_id
string<uuid>
required

The ID of the resource.

Example:

"f454d283-ca87-4a8a-bdbb-df212eca5353"

app_id
string<uuid>

The ID of the app.

Example:

"b5a5ca27-0ea3-4d86-9199-2126d57d1fbd"

name
string

The name of the resource.

Example:

"mongo-db-prod"

description
string

A description of the resource.

Example:

"This resource represents AWS IAM role \"SupportUser\"."

admin_owner_id
string<uuid>

The ID of the owner of the resource.

Example:

"7c86c85d-0651-43e2-a748-d69d658418e8"

remote_resource_id
string

The ID of the resource on the remote system.

Example:

318038399

remote_resource_name
string

The name of the resource on the remote system.

Example:

"repo-name"

resource_type
enum<string>

The type of the resource.

Available options:
AWS_IAM_ROLE,
AWS_EC2_INSTANCE,
AWS_EKS_CLUSTER,
AWS_RDS_POSTGRES_CLUSTER,
AWS_RDS_POSTGRES_INSTANCE,
AWS_RDS_MYSQL_CLUSTER,
AWS_RDS_MYSQL_INSTANCE,
AWS_ACCOUNT,
AWS_SSO_PERMISSION_SET,
AWS_ORGANIZATIONAL_UNIT,
AZURE_MANAGEMENT_GROUP,
AZURE_RESOURCE_GROUP,
AZURE_SUBSCRIPTION,
AZURE_VIRTUAL_MACHINE,
AZURE_STORAGE_ACCOUNT,
AZURE_STORAGE_CONTAINER,
AZURE_SQL_SERVER,
AZURE_SQL_MANAGED_INSTANCE,
AZURE_SQL_DATABASE,
AZURE_SQL_MANAGED_DATABASE,
AZURE_USER_ASSIGNED_MANAGED_Identity,
AZURE_ENTRA_ID_ROLE,
AZURE_ENTERPRISE_APP,
CUSTOM,
CUSTOM_CONNECTOR,
DATABRICKS_ACCOUNT_SERVICE_PRINCIPAL,
GCP_ORGANIZATION,
GCP_BUCKET,
GCP_COMPUTE_INSTANCE,
GCP_FOLDER,
GCP_GKE_CLUSTER,
GCP_PROJECT,
GCP_CLOUD_SQL_POSTGRES_INSTANCE,
GCP_CLOUD_SQL_MYSQL_INSTANCE,
GCP_BIG_QUERY_DATASET,
GCP_BIG_QUERY_TABLE,
GCP_SERVICE_ACCOUNT,
GIT_HUB_REPO,
GIT_HUB_ORG_ROLE,
GIT_LAB_PROJECT,
GOOGLE_WORKSPACE_ROLE,
MONGO_INSTANCE,
MONGO_ATLAS_INSTANCE,
OKTA_APP,
OKTA_ROLE,
OPAL_ROLE,
OPAL_SCOPED_ROLE,
PAGERDUTY_ROLE,
TAILSCALE_SSH,
SALESFORCE_PERMISSION_SET,
SALESFORCE_PROFILE,
SALESFORCE_ROLE,
SNOWFLAKE_DATABASE,
SNOWFLAKE_SCHEMA,
SNOWFLAKE_TABLE,
WORKDAY_ROLE,
MYSQL_INSTANCE,
MARIADB_INSTANCE,
POSTGRES_INSTANCE,
TELEPORT_ROLE,
ILEVEL_ADVANCED_ROLE,
DATASTAX_ASTRA_ROLE,
COUPA_ROLE,
CURSOR_ORGANIZATION,
OPENAI_PLATFORM_PROJECT,
OPENAI_PLATFORM_SERVICE_ACCOUNT,
ANTHROPIC_WORKSPACE,
GIT_HUB_ORG,
ORACLE_FUSION_ROLE,
DEVIN_ORGANIZATION,
DEVIN_ROLE
Example:

"AWS_IAM_ROLE"

max_duration
integer

The maximum duration for which the resource can be requested (in minutes).

Example:

120

recommended_duration
integer

The recommended duration for which the resource should be requested (in minutes). -1 represents an indefinite duration.

Example:

120

extensions_duration_in_minutes
integer

The duration for which access can be extended (in minutes). Set to 0 to disable extensions. When > 0, extensions are enabled for the specified duration.

Example:

120

require_manager_approval
boolean
deprecated

A bool representing whether or not access requests to the resource require manager approval.

Example:

false

require_support_ticket
boolean

A bool representing whether or not access requests to the resource require an access ticket.

Example:

false

require_mfa_to_approve
boolean

A bool representing whether or not to require MFA for reviewers to approve requests for this resource.

Example:

false

require_mfa_to_request
boolean

A bool representing whether or not to require MFA for requesting access to this resource.

Example:

false

require_mfa_to_connect
boolean

A bool representing whether or not to require MFA to connect to this resource.

Example:

false

auto_approval
boolean

A bool representing whether or not to automatically approve requests to this resource.

Example:

false

request_template_id
string<uuid>

The ID of the associated request template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

is_requestable
boolean

A bool representing whether or not to allow access requests to this resource.

Example:

false

parent_resource_id
string<uuid>

The ID of the parent resource.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4305"

configuration_template_id
string<uuid>

The ID of the associated configuration template.

Example:

"06851574-e50d-40ca-8c78-f72ae6ab4304"

request_configurations
object[]

A list of configurations for requests to this resource.

request_configuration_list
object[]
deprecated

A list of configurations for requests to this resource. Deprecated in favor of request_configurations.

ticket_propagation
object

Configuration for ticket propagation, when enabled, a ticket will be created for access changes related to the users in this resource.

custom_request_notification
string | null

Custom request notification sent upon request approval.

Maximum string length: 800
risk_sensitivity
enum<string>

The risk sensitivity level for the resource. When an override is set, this field will match that.

Available options:
UNKNOWN,
CRITICAL,
HIGH,
MEDIUM,
LOW,
NONE
risk_sensitivity_override
enum<string>

Indicates the level of potential impact misuse or unauthorized access may incur.

Available options:
UNKNOWN,
CRITICAL,
HIGH,
MEDIUM,
LOW,
NONE
metadata
string
deprecated

JSON metadata about the remote resource. Only set for items linked to remote systems. See this guide for details.

Example:

"{\n \"okta_directory_role\":\n {\n \"role_id\": \"SUPER_ADMIN-b52aa037-4a35-4ac3-9350-f6260fd12345\",\n \"role_type\": \"SUPER_ADMIN\",\n },\n}"

remote_info
object

Information that defines the remote resource. This replaces the deprecated remote_id and metadata fields.

ancestor_resource_ids
string<uuid>[]

List of resource IDs that are ancestors of this resource.

Example:
[
  "f454d283-ca67-4a8a-bdbb-df212eca5345",
  "f454d283-ca67-4a8a-bdbb-df212eca5346"
]
descendant_resource_ids
string<uuid>[]

List of resource IDs that are descendants of this resource.

Example:
[
  "f454d283-ca67-4a8a-bdbb-df212eca5347",
  "f454d283-ca67-4a8a-bdbb-df212eca5348"
]
last_successful_sync
object

Information about the last successful sync of this resource.

Example:
{
  "id": "7c86c85d-0651-43e2-a748-d69d658418e8",
  "completed_at": "2023-10-01T12:00:00.000Z"
}