On this page
  • Software Architecture
  • Hashicorp Vault
  • AWS Secrets Manager
  • Azure Key Vault
  • Google Cloud Platform (GCP) Secrets Manager

Was this helpful?

Edit on GitHub
  1. Guardian
  2. Getting Started

Guardian Vault

Last updated 1 year ago

Guardian Vault is intended to support the secure storage of sensitive data such as API keys, secrets, wallets and private keys. Instead of keeping keys and secrets in plain format in env files or the database, Vault is designed to encrypt data and restrict access according to per-service access policies and roles.

Although cloud infrastructures such as Google, Azure and AWS offer secure secret manager services that make configuration very simple and remove the burden of a deployment process, there are also on-premise technologies such as Hashicorp Vault that provide cloud-agnostic solutions. Currently, Guardian supports AWS Secrets Manager and Hashicorp Vault as its core secrets managers.

In the current architecture, each service has permission to read, write and update secrets directly instead of handling operations through a central service such as Auth Service. Secrets are treated as resources and divided into categories and subcategories, and policies are created for those categories. Following the need-to-know principle, a role with only the essential policies is then generated for each service, so that each service is assigned the permissions it requires to access its secrets. As an example, Auth Service does not need to know anything about the user wallets; it only requires access to the auth secret key.

As expected in production, all connections between Vault and the services are secured by TLS. Communication with AWS Secrets Manager is handled within a private network.

Software Architecture

The Secret Manager module is designed to handle interactions with the secret manager infrastructures. Adapter classes at the lowest level provide an interface to each secret manager infrastructure, and the high-level SecretManager class instantiates the right adapter according to the configuration, with Hashicorp Vault as the default.

The infrastructure is selected by the SECRET_MANAGER variable in the .env file located in the root directory of Guardian. In the case of AWS, another variable, AWS_REGION, must also be set as a common variable that is propagated to all services through a docker-compose file. Additionally, when AWS is selected as the secret manager, the Vault docker container does not need to be deployed; for this reason the docker-compose files are separated.

On top of the Secret Manager module sits the Wallet module, which stores private keys through the secret manager adapter. Wallet Manager stores private keys under the wallet/{wallet_id} path, where wallet_id is the hash value of the concatenation of the token, type and key parameters.

Because storing secrets and keys in the database is highly insecure, the database vault has been removed. In addition, because services now access the secret managers directly, the channel for requesting reads and writes to the vault has been deleted.

Hashicorp Vault

Several scripts and config files are provided to start and configure a Hashicorp Vault instance smoothly. Here are the steps to run a Vault instance:

  1. Generate Certificates: Hashicorp Vault in production requires TLS communication, so valid TLS keys and certificates must be provided for the Vault server and clients. For running Vault with self-signed certificates, the keygen_cfssl.sh script under hashicorp/scripts/keygen is provided to automatically generate the CA and Intermediate CA entities and then derive the server and client entities from the Intermediate CA. The script uses the CFSSL library to generate the PKIs. CFSSL needs a global configuration and per-entity profiles to generate certificates. All sample configurations are stored at hashicorp/configs/cfss. All generated TLS files are stored in a central directory, which is hashicorp/certs by default. To run the script, simply run make vault_keygen in the Guardian root directory so that the Makefile runs the necessary commands.

  2. Distribute PKIs: Once all keys and certificates have been generated, they must be copied to each service directory so that they can be used for communicating with Vault. The keystore script is provided to manage the TLS files for this purpose. When the distribute option is passed to the script, it automatically copies all TLS files between services. Alternatively, running make distribute_keys applies the same command through the Makefile.

  3. Generate Vault Configuration: A config file is required to start the Vault instance. The configuration can be customized by changing the variables in the hashicorp/.env file. To generate a customized Vault config file, the vault_config_gen.sh script is provided in the hashicorp/scripts/vault directory.

  4. Generate Consul Configuration: The Vault instance is intended to use Hashicorp Consul as its backend. A config file is required to start the Consul instance. The configuration can be customized by changing the variables in the hashicorp/.env file. To generate a customized Consul config file, the consul_config_gen.sh script is provided in the hashicorp/scripts/consul directory.

Note: The simplest way to generate the Vault and Consul config files is to run make cfgen in the root directory of Guardian.

  5. Clone Guardian Environment Variables: Template .env and .env.docker files are provided in each service directory and must be cloned first in order to run the application. For this purpose, simply run the make guardian_make_env command in the root directory of Guardian.

  6. Make Vault Up: To start the Vault instance backed by Consul in docker containers, the vault and consul services must be started from docker-compose.yaml. For this purpose, simply run the docker-compose up -d consul vault command.

  7. Initialize Vault: Once the Vault instance has started, it must be initialized and configured. The vault_init.sh script in the hashicorp/scripts/vault directory executes the following steps:

Note: Vault can be started and configured simply by running the make vault_up command in the root directory of Guardian.

  • Initialize Vault: Initializes the Vault operator and generates the root token and unsealing keys. The root token can be used afterwards for administration of Vault. The unsealing keys must be used to unseal Vault. Vault requires secret-shares and secret-threshold to generate the unseal keys: secret-shares is the number of keys generated and secret-threshold is the number of keys that must be used to unseal Vault. These parameters are configured by the VAULT_UNSEAL_SECRET_SHARES and VAULT_UNSEAL_SECRET_THRESHOLD variables inside the .env file. The root token and unsealing keys are stored in the hashicorp/vault/.root file, which must be removed after being generated.

  • Unseal Vault: After initialization, the Vault instance is still sealed and must be unsealed with secret-threshold unsealing keys. The script automatically unseals the Vault instance by running the unseal command.

  • Enable KV V2 Secret Engine:

  • Enable AppRole Auth Method: AppRole is an auth method for authenticating machines or apps with defined roles. Roles are defined by a set of policies, which narrow a role's access to Vault resources. AppRole consists of a set of workflows that provide a role_id and a secret_id as credentials (very similar to a username and password). These must be used in the authentication process to generate an auth token, which is authorized according to the role defined for the role_id.

  • Create Policies for All Guardian Services: Each service, such as guardian-service, has specific access and permissions to the Vault resources. As an example, guardian-service has access to wallets and the operator key, while auth-service has access to the auth secret key only. The access permissions must be defined by policies and attached to the roles that are created for each service afterwards. A number of policy files are provided in hashicorp/configs/vault/policies. The script automatically retrieves the policy files from that directory and creates the policies accordingly.

  • Create roles associated with policies for all services: Once the set of policies has been created, roles with the necessary policies must be created. An approle config file that specifies each role and its policies is stored in hashicorp/configs/vault/approle. The script reads the approle.json file and creates the roles with the specified policies.

  • Get AppRole Credentials for all services: Each service has a role with a specific set of policies and needs AppRole credentials to acquire an auth token for accessing secrets. The credentials are fetched from Vault for each role and immediately written to the .env and .env.docker files. The env file paths are configured in the approle.json file.

  • Push secrets for all services to Vault: The initial secrets such as IPFS_API_KEY, AUTH_SECRET_KEY and OPERATOR_KEY are stored in the Vault secret manager. A template secret file is provided in hashicorp/configs/secrets and must be cloned and customized into a secret.json file. In the last step, the script pushes all secrets to their specified secret paths.
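A need-to-know audit of the kind of role and policy layout described in the steps above, as an added example that is not part of Guardian's code. The policy names, secret paths and the "secret" KV v2 mount are constructed assumptions, and the matcher is a simplified model of Vault's path rules that does not cover the + wildcard.

```javascript
// Constructed sample data, not Guardian's real policy files. Assumes a KV v2
// engine mounted at "secret", so policy paths carry the "data/" segment.
const POLICIES = {
  "auth-policy": [{ path: "secret/data/secretkey/auth", capabilities: ["read"] }],
  "guardian-policy": [
    { path: "secret/data/wallet/*", capabilities: ["create", "read", "update"] },
    { path: "secret/data/keys/operator", capabilities: ["read"] },
  ],
  // Deliberately over-broad rule so the audit below has something to flag.
  "worker-policy": [{ path: "secret/data/*", capabilities: ["read"] }],
};

// Constructed role -> policies map (hypothetical shape, not approle.json itself).
const ROLES = {
  "auth-service": ["auth-policy"],
  "guardian-service": ["guardian-policy"],
  "worker-service": ["worker-policy"],
};

// Simplified matching: an exact path beats a trailing-"*" prefix, the longest
// prefix wins, rules on the winning path are merged, and "deny" overrides all.
function capabilitiesFor(role, requestPath) {
  const rules = (ROLES[role] || []).flatMap((name) => POLICIES[name] || []);
  let best = null, bestScore = -1;
  for (const rule of rules) {
    const glob = rule.path.endsWith("*");
    const prefix = glob ? rule.path.slice(0, -1) : rule.path;
    if (!(glob ? requestPath.startsWith(prefix) : requestPath === prefix)) continue;
    const score = glob ? prefix.length : Number.MAX_SAFE_INTEGER;
    if (score > bestScore) {
      bestScore = score;
      best = new Set(rule.capabilities);
    } else if (score === bestScore) {
      rule.capabilities.forEach((c) => best.add(c));
    }
  }
  if (!best || best.has("deny")) return [];
  return [...best].sort();
}

// Need-to-know audit: report every role that can read a path it must not see.
function auditForbidden(forbidden) {
  const findings = [];
  for (const [role, paths] of Object.entries(forbidden)) {
    for (const p of paths) {
      if (capabilitiesFor(role, p).includes("read")) findings.push(`${role} can read ${p}`);
    }
  }
  return findings;
}

// Paths each service must never be able to read (constructed sample values).
const FORBIDDEN = {
  "auth-service": ["secret/data/wallet/abc123", "secret/data/keys/operator"],
  "worker-service": ["secret/data/wallet/abc123", "secret/data/secretkey/auth"],
};
```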

AWS Secrets Manager

AWS Secrets Manager provides a secure secret manager service with a lot of flexibility, which lowers the burden of deploying a Hashicorp Vault instance as the secret manager. AWS Secrets Manager does not require any credentials for authentication, as the secrets are accessible within a VPC network by an EC2 instance or Lambda function in the same region as the secrets manager. However, the EC2 instance must acquire permissions to access the secret resources. Permissions are defined by roles consisting of a set of policies, each of which defines a specific permission on an AWS resource.

Scripts are created to automatically execute the required steps to prepare AWS secrets manager to be utilized by guardian services.

Note: Before running the scripts, it is necessary to log in to AWS with the aws cli. In addition, all AWS commands require the account id, which must be configured as AWS_ACCOUNT_ID in the .env file.

  1. Create Roles and Policies: The aws_iam_init.sh script in the aws/scripts directory creates a role with the name configured by GUARDIAN_SECRETS_ROLE_NAME in the .env file, creates the policies stored in the aws/configs/policies path and attaches the policy to the role.

  2. Push Secrets: The initial secrets such as IPFS_API_KEY, AUTH_SECRET_KEY and OPERATOR_KEY are stored in the secrets manager. A template secret file is provided in aws/configs/secrets and must be cloned and customized into a secret.json file. The push_secrets.sh script in the aws/scripts folder pushes all secrets to their specified secret paths.

Azure Key Vault

Azure Vault provides a centralised service for managing sensitive data safely and securely. It provides three services to manage Secrets, Keys and Certificates:

  • Secrets Manager: Azure Key Vault enables secure storage of secrets such as Passwords, API Keys, etc. Secrets can be easily managed, rotated, and accessed programmatically.

  • Key Manager: Cryptographic keys can be generated and managed within Azure Key Vault. These keys can be used for encryption, decryption, signing, and verification purposes. Azure Key Vault supports a variety of key types and algorithms.

  • Certificate Manager: Azure Key Vault allows you to store and manage SSL/TLS certificates. You can import certificates or generate new ones within the Key Vault. Key Vault can also automate the renewal and deployment of certificates.

Guardian supports Azure Vault Secrets Manager for securely handling secrets, keys and wallets. At the moment, Default Azure Credential is used for authenticating to Azure Key Vault, which requires the following steps to enable any machine to access the secrets:

  1. Create a Key Vault: From the Azure Portal, navigate to Key Vaults, choose a previously created Resource Group from the list, enter a name for the Vault instance, select the region, carefully prepare the other configurations and continue to the Next page.

  2. Choose Vault Access Policy as the Permission model and Azure Virtual Machines for deployment as Resource Access. Under Access Policies, click on Create and, in the prompt window, choose all the permissions that need to be granted to a User. For Guardian, at least Get and Set of Secrets are required. Next, find the registered User to grant access to. In the last step, choose a registered application if one has been created in Azure Active Directory before; otherwise select Next and finalize the process.

  3. Configure Networking, add Tags and create the Vault.

  4. Now, in the directories of auth-service, guardian-service, policy-service and worker-service, set the AZURE_VAULT_NAME environment variable to the name chosen for the Vault previously.

Google Cloud Platform (GCP) Secrets Manager

Google Cloud Platform (GCP) Secrets Manager is a managed service that helps you securely store and manage secrets, such as API keys, database credentials, and other sensitive information. It provides a central repository for storing secrets, with built-in security features and integration with other GCP services. It offers secure storage of secrets, secret versioning and rotation, integration with other Google Cloud services such as Cloud Run, VMs and App Engine, access control, and so on.

Guardian now supports GCP Secrets Manager for storing its secrets. To access GCP Secrets Manager, the identifier of the Google Cloud Platform project in which the GCP Secrets Manager resides must be set as GCP_PROJECT_ID in the .env file in the configs of the auth service.

Here are the steps to create a secrets manager in Google Cloud Platform. It is assumed that the project has already been created.

  1. From Google Cloud Platform, navigate to the underlying project.

  2. From the Navigation Menu, select Security and then click on Secret Manager.

  3. In the Secret Manager page, click on Create Secret.

  4. Configure the Secret Manager by adding Name, Replication policy, Rotation, Expiration, etc. according to security policies and click on the Create Secret button.

NOTE: According to tests of read/write operations on secrets in GCP Secrets Manager, each secret R/W operation takes around 1 second, which is too slow for constant use in the Guardian application. The reason is that Guardian generates many wallets and needs to retrieve them from the Vault in order to sign transactions. The slow responses from GCP make Guardian run too slowly. Consequently, it is not recommended to use GCP for constant R/W of secrets.
