The Identity and Access Management API allows you to manage users through a RESTful interface.
Request and response format
The API supports JSON only. You must include application/json as your Content-Type in the HTTP header, as shown below.
Host name and base path
The host name to use will vary depending on where your program is running.
If your program runs outside of the DC/OS cluster, you should use the cluster URL. This can be obtained by launching the DC/OS web interface and copying the domain name from the browser. Alternatively, you can log in to the DC/OS CLI and type dcos config show core.dcos_url to get the cluster URL. In a production environment, this should be the path to the load balancer which sits in front of your masters.
If your program runs inside of the cluster, use /acs/api/v1 to the host name, as shown below.
All IAM endpoints require an authentication token—except the auth endpoints. The auth endpoints do not require authentication tokens because their purpose is to return authentication tokens upon successful login.
DC/OS Open Source supports three types of users that can be managed via the /users API endpoint.
The User account management documentation covers invocation of available operations in detail.
Authentication token verification
The IAM can provide 3rd-party entities with public key information via the /auth/jwks API endpoint for verifying DC/OS Authentication tokens out-of-band.
See Out-of-band token verification for how to implement authentication token verification on behalf of the IAM.
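The check a third party performs with the /auth/jwks key material, shown as an added example that is not taken from the DC/OS documentation or code base; it uses only the Python standard library and works on a JWKS document that has already been fetched. It assumes the tokens are RS256-signed JWTs carrying an exp claim; verify_rs256, b64url and the now parameter are names chosen for this example.

```python
import base64, hashlib, hmac, json, time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(s):
    """Decode the unpadded base64url used by JWT and JWK fields."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_rs256(token, jwks, now=None):
    """Return the claims if a key in jwks signed the token; else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64url(h64)), json.loads(b64url(p64))
        sig = b64url(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception:
        raise ValueError("malformed token") from None
    # Pin the algorithm; the token must not be able to select "none" or an HMAC.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    digest = hashlib.sha256(f"{h64}.{p64}".encode()).digest()
    for k in jwks.get("keys", []):
        # Assumption: kid is optional; when the token names one, it must match.
        if k.get("kty") != "RSA" or header.get("kid", k.get("kid")) != k.get("kid"):
            continue
        n = int.from_bytes(b64url(k.get("n", "")), "big")
        e = int.from_bytes(b64url(k.get("e", "")), "big")
        size = (n.bit_length() + 7) // 8
        if size < 62 or len(sig) != size or int.from_bytes(sig, "big") >= n:
            continue
        # RSASSA-PKCS1-v1_5: rebuild the full encoded message and compare it
        # byte for byte instead of parsing the padding out of the signature.
        pad = b"\xff" * (size - len(SHA256_PREFIX) - len(digest) - 3)
        expected = b"\x00\x01" + pad + b"\x00" + SHA256_PREFIX + digest
        actual = pow(int.from_bytes(sig, "big"), e, n).to_bytes(size, "big")
        if hmac.compare_digest(actual, expected):
            break
    else:
        raise ValueError("signature does not verify")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or exp missing")
    return claims
```

The JWKS should be fetched from the cluster over verified TLS and cached, so that an attacker on the network path cannot substitute their own key set.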
While the API returns informative error messages, you may also find it useful to check the logs of the service. Refer to Service and Task Logging for instructions.