API client

akamai_iam_api_client

🚧
Beta
This is a beta version of this resource. Use of this version is as is and as available while still in testing and development.

📘
To use this resource, your API client must have the option to create credentials for another API client enabled.
You can import the resource only if it has assigned credentials.

Create and update an API client. To delete the resource, you can do one of these:

Run terraform destroy. This also automatically deactivates the API client's credential.
Deactivate an active credential with this resource by changing the credential's status to INACTIVE before removing the resource.

resource "akamai_iam_api_client" "my-api-client" {
  authorized_users = ["jsmith@email.com"]
  client_type      = "CLIENT"
  client_name      = "my-api-client"
  credential = {
    description = "My API Client Credential"
    expires_on  = "2027-04-13T14:48:07Z"
  }
  group_access = {
    clone_authorized_user_groups = true
  }
  api_access = {
    all_accessible_apis = true
  }
  purge_options = {
    can_purge_by_cp_code   = true
    can_purge_by_cache_tag = true
    cp_code_access = {
      all_current_and_new_cp_codes = false
    }
  }
}

resource "akamai_iam_api_client" "my-api-client" {
  authorized_users    = ["jsmith@email.com"]
  client_type         = "CLIENT"
  client_name         = "my-api-client"
  notification_emails = ["jsmith@example.com"]
  client_description  = "My API Client"
  lock                = false
  credential = {
    description = "My API Client Credential"
    expires_on  = "2027-04-13T14:48:07Z"
    status      = "ACTIVE"
  }
  group_access = {
    clone_authorized_user_groups = false
    groups = [
      {
        group_id = 12345
        role_id  = 67890
        sub_groups = [
          {
            group_id = 98765
            role_id  = 43210
          }
        ]
      }
    ]
  }
  ip_acl = {
    enable = true
    cidr   = ["123.4.5.6/78"]
  }
  api_access = {
    all_accessible_apis = false
    apis = [
      {
        api_id       = 164
        access_level = "READ-ONLY"
      },
      {
        api_id       = 5640
        access_level = "READ-WRITE"
      }
    ]
  }
  purge_options = {
    can_purge_by_cp_code   = true
    can_purge_by_cache_tag = true
    cp_code_access = {
      all_current_and_new_cp_codes = false
      cp_codes                     = [12345]
    }
  }
}

Arguments

Pass the minimum required arguments to create or manage your API client.

Argument	Required	Description
`api_access`	✔	The APIs the API client can access. Includes: `all_accessible_apis`. Required. When set to `true`, the API client can access a full set of available APIs. `apis`. The set of APIs the API client can access. Use it when `all_accessible_apis` is set to `false`. Each API record includes: `api_id`. Required. The API's ID. To get this value, run the Allowed APIs data source. `access_level`. Required. The API client's access level defined on an API basis. Possible values: `READ-ONLY` `READ-WRITE` `CREDENTIAL-READ-ONLY` `CREDENTIAL-READ-WRITE` Note: You can set `CREDENTIAL-READ-ONLY` and `CREDENTIAL-READ-WRITE` only for the API Keys and Traffic Management API.
`client_name`	✔	A descriptive, human-readable name for the API client.
`client_type`	✔	The type of the API client's ownership and credential management. Possible values: `CLIENT`. Indicates the creator owns and manages the credentials. `USER_CLIENT`. Indicates another user owns the client and manages the credentials.
`group_access`	✔	The API client's group access. Includes: `clone_authorized_user_groups`. Required. When set to `true`, this copies the API client's group access from the authorized user. `groups`. Groups the API client can access. Each group record includes: `group_id`. Required. A group's ID. `role_id`. Required. A role's ID. `sub_groups`. Children of the parent group. Each sub-group record includes: `group_id`. Required. A group's ID. `role_id`. Required. A role's ID. `sub_groups`. Children of the parent group. Its nesting level is 50. Note: Use the `groups` argument when `clone_authorized_user_groups` is set to `false`.
`authorized_users`	✔	The API client's valid users. To get the `username`, run the Authorized users data source.
`credential`	✔	The API client's credential. Includes: `description`. A human-readable description for the credential. `expires_on`. The ISO 8601 timestamp indicating when the credential expires. The expiration date can't be more than two years out. `status`. The credential's status, either `ACTIVE` or `INACTIVE`. Defaults to `ACTIVE` if not set.
`allow_account_switch`		When set to `true`, the API client can manage more than one account. Note: It can't be `false` or unspecified for the `client_type` argument with the `USER_CLIENT` value.
`can_auto_create_credential`		When set to `true`, the API client can create credentials for a new API client. Defaults to `false` if not set. Note: Auto-creating credentials is available only if the API client is created for the same user as the actor API client.
`client_description`		A human-readable description of the API client.
`ip_acl`		The API client's IP list restriction. Includes: `enable`. Required. When set to `true`, the API client can access the IP access control list (ACL). `cidr`. Required only when the `enable` argument is set to `true`. IP addresses or CIDR blocks the API client can access.
`notification_emails`		Email addresses of users who get notified when credentials expire.
`purge_options`		Configures the API client's access to the Fast Purge API. Includes: `can_purge_by_cache_tag`. Required. When set to `true`, the API client can purge content by cache tag. `can_purge_by_cp_code`. Required. When set to `true`, the API client can purge content by CP code. `cp_code_access`. Required. CP codes the API client can purge. Includes: `all_current_and_new_cp_codes`. Required. When set to `true`, the API client can purge content by all current and new CP codes. `cp_codes`. CP codes the API client can purge. To get these values, run the List allowed CP codes operation from the Identity and Access Management API. Notes: Provide `purge_options` if the `apis` argument includes an `api_name` of `CCU APIs` or the `all_accessible_apis` argument is set to `true`. If the `all_current_and_new_cp_codes` argument is set to `true` or `clone_authorized_user_groups` is `false`, you can't use `cp_codes`. If you provide `cp_codes` and `groups`, Terraform verifies if these CP codes are available to `authorized_users`. If they aren't, you get an error.
`lock`		When set to `true`, this locks the API client. Defaults to `false` if not set.

Attributes

If you've not set an output method, the response only provides a success message with your resource's ID.

Setting an output method returns the API client details you provided on create along with these computed attributes.

Attribute	Description
`client_id`	The API client's ID.
`id`	The resource's ID, same as the `client_id`.
`access_token`	The part of the client secret that identifies the API client and lets you access applications and resources.
`actions`	Actions available on the API client. When set to `true`, you can perform a given action on the API client. Includes: `delete`. Enables you to remove the API client. `deactivate_all`. Enables you to deactivate the API client's credentials. `edit`. Enables you to update the API client. `edit_apis`. Enables you to update the `apis` the API client can access, same as `edit_auth`. `edit_auth`. Enables you to update the `apis` the API client can access, same as `edit_apis`. `edit_groups`. Enables you to update the `groups` the API client can access. `edit_ip_acl`. Enables you to update the `ip_acl` the API client can access. `edit_switch_account`. Enables you to update the API client's option to manage many accounts. `lock`. Enables you to lock the API client. `unlock`. Enables you to unlock the API client. `transfer`. Enables you to transfer the API client to a new owner.
`active_credential_count`	The number of credentials active for the API client. When the count is `0`, you can delete the API client without interruption.
`base_url`	The base URL for the service.
`created_by`	The user who created the API client.
`created_date`	The ISO 8601 timestamp indicating when the API client was created.
`credential`	The API client's credential. Includes: `credential_id`. The credential's ID. `client_token`. The part of the credential that identifies the API client. `client_secret`. The part of the credential that identifies the API client's secret. This value isn't available when you import the resource. `created_on`. The ISO 8601 timestamp indicating when the credential was created. `actions`. Actions available on the API client's credential. When set to `true`, you can perform a given action on the credential. `activate`. Enables you to activate the credential. `deactivate`. Enables you to deactivate the credential. `edit_description`. Enables you to modify your credential's description. `edit_expiration`. Enables you to modify the credential's expiration date. `delete`. Enables you to remove the credential.
`api_access`	The APIs the API client can access. Includes: `apis`. The set of APIs the API client can access. Each API record includes: `api_name`. Required. A descriptive, human-readable name for the API. `description`. Required. A human-readable description for the API. `documentation_url`. Required. A link to the API's documentation. `endpoint`. Required. An endpoint from which the API can access resources.
`group_access`	The API client's group access. Includes: `groups`. Groups the API client can access. Each group record includes: `group_name`. A descriptive, human-readable name for the group. `parent_group_id`. The parent group's ID within the group tree. `is_blocked`. When `true`, this blocks the API client's access to the group's child groups. `role_description`. A human-readable description for the role that conveys its use. `role_name`. A descriptive, human-readable name for the role.

Updated 3 days ago

🚧Beta

📘

Arguments

Attributes

🚧
Beta