API server specification
This document describes usage of kopernik.us API server. For Web application documentation, see kopernik.us - Web Application Documentation.
See Terms of Use before using the service.
Overview
The kopernik.us REST API provides a unified interface for managing cloud resources across multiple providers: Akamai, AWS, DigitalOcean.
OpenAPI specification is available at Github.
Quick start
Base URL: https://api.kopernik.us/v0
To access resources, you need to obtain an authentication token.
Create Personal Access Token at your cloud provider’s admin page, and exchange the token for a kopernik.us authentication token. Make sure the token allows read access to account information: API server needs to obtain account ID to provide consistent resource identifiers. See required permissions for details.
Personal access token how-to: Akamai, AWS, DigitalOcean
Request:
POST /auth/authorize/{providerUid}
Content-Type: application/json
{
"accessToken": "your-provider-token",
"role": "admin"
}
Response:
{
"metadata": {
"uid": "unique-request-id",
"timestamp": 1697500000
},
"signedAuth": "eyJhbGc..."
}
Include the signedAuth token in the Authorization header for all subsequent requests:
Authorization: Bearer eyJhbGc...
Accessing Resources
Once authenticated, you can perform operations on cloud resources.
List Resources
Retrieve a paginated list of resources for a specific provider:
GET /resource/{resourceType}/{providerUid}
Authorization: Bearer eyJhbGc...
Example:
GET /resource/machine/digitalocean
Authorization: Bearer eyJhbGc...
Response:
{
"metadata": {
"uid": "unique-request-id",
"timestamp": 1697500000
},
"resources": [
{
"type": "machine",
"providerUid": "digitalocean",
"regionUid": "nyc1",
"accountUid": "123456",
"uid": "12345678",
"grid": "grid:digitalocean:machine:nyc1:123456:12345678",
"name": "web-server-01",
"status": "active"
}
]
}
Get Individual Resource
Retrieve a specific resource by its unique identifier:
GET /resource/{resourceType}/{providerUid}/{resourceUid}
Authorization: Bearer eyJhbGc...
Example:
GET /resource/machine/digitalocean/12345678
Authorization: Bearer eyJhbGc...
Response:
{
"metadata": {
"uid": "unique-request-id",
"timestamp": 1697500000
},
"resource": {
"type": "machine",
"providerUid": "digitalocean",
"regionUid": "nyc1",
"accountUid": "123456",
"uid": "12345678",
"grid": "grid:digitalocean:machine:nyc1:123456:12345678",
"name": "web-server-01",
"status": "active"
}
}
Create Resource
Create a new resource:
POST /resource/machine/{providerUid}
Authorization: Bearer eyJhbGc...
Content-Type: application/json
{
"regionUid": "nyc1",
"imageUid": "ubuntu-22-04-x64",
"machineTypeUid": "s-1vcpu-1gb",
"name": "my-server"
}
Delete Resource
Delete a specific resource:
DELETE /resource/{resourceType}/{providerUid}/{resourceUid}
Authorization: Bearer eyJhbGc...
Security considerations
The server may log to disk request arguments and certain response fields, which may contain sensitive data, directly or indirectly. Example of such data includes: resource names, labels, tags, etc. Do not use sensitive data in your resource properties if this is a concern for you.
The API server never stores your API keys, including those encoded in authentication objects, on disk or database. It also has no access to private keys when dealing with SSH key resources.
Provider support
The table below lists supported providers and capabilities.
| Provider | Akamai | AWS | DigitalOcean |
|---|---|---|---|
| Provider uid for API use | akamai |
aws |
digitalocean |
| Access mechanism | Personal Access Token, OAuth (*) | IAM user’s secret key | Personal Access Token, OAuth (*) |
Use in /auth/authorize endpoint |
Personal access token | AccessKeyId/SecretAccessKey |
Personal access token |
(*) OAuth can be used via Web application interface.
Resource type map
List of kopernik.us resources and their provider-side entities.
| Resource type | Akamai | AWS | DigitalOcean |
|---|---|---|---|
account |
Account | IAM User | Account |
blockstorage |
Volume | EBS | Volume |
firewall |
Firewall | ec2: security group | Firewall |
image |
Image | ec2: image | Image |
kubernetes |
Linode Kubernetes Engine | eks: cluster | Kubernetes |
machine |
Linode | ec2: instance | Droplet |
machinetype |
Linode type | ec2: instance type | Droplet size |
region |
Region | Region | Region |
sshkey |
SSH key | ec2: key pair | SSH key |
vpc |
Vpc | ec2: vpc | Vpc |
Authorization roles
The endpoint to register a Personal Access Token accepts a role argument,
which can be set to either "admin" or "readonly".
The API server rejects POST and DELETE requests if the token
was created without "admin" permissions.
Ultimately, access to cloud resources is managed by the cloud provider’s permissions granted to corresponding Personal Access Token or User.
Required provider-specific permissions
Important: always provide least permissive access to your resources.
| Resource type | Operation | Akamai | AWS | DigitalOcean | Notes |
|---|---|---|---|---|---|
| all | CREATE | ec2:CreateTags |
REQUIRED - tags are used to mark resources | ||
account |
GET | Account:Read | iam:GetUser |
Read | REQUIRED - used to construct authentication token |
blockstorage |
GET | Volumes:Read | ec2:DescribeVolumes |
Read | |
| POST | Volumes:Write | ec2:CreateVolume |
Write | ||
| DELETE | Volumes:Write | ec2:DeleteVolume |
Write | ||
firewall |
GET | Firewalls:Read | ec2:DescribeSecurityGroups |
Read | |
| DELETE | Firewalls:Write | ec2:DeleteSecurityGroup |
Write | ||
image |
GET | Images:Read | ec2:DescribeImages |
Read | |
kubernetes |
GET | Kubernetes:Read | eks:ListClusters |
Read | |
machine |
GET | Linodes:Read | ec2:DescribeInstances |
Read | |
| POST | Linodes:Write | ec2:RunInstances |
Write | ||
| DELETE | Linodes:Write | ec2:DescribeInstances |
Write | ||
machinetype |
GET | Not required | ec2:DescribeInstanceTypes |
Read | |
region |
GET | Not required | ec2:DescribeAvailabilityZones |
Not required | |
sshkey |
GET | Account:Read | ec2:DescribeKeyPairs |
Read | |
vpc |
GET | VPCs:Read | ec2:DescribeVpcs,ec2:DescribeSubnets |
Read | |
vpc |
POST | VPCs:Write | ec2:CreateVpc,ec2:CreateSubnet |
Write | |
vpc |
DELETE | VPCs:Write | ec2:DeleteVpc,ec2:DeleteSubnet |
Write |
Notes
For AWS, it is highly recommended to always provide *.Delete<Resource> permission along with *.Create<Resource> so that the API server can
correctly rollback changes if Create operation partially fails.
Supported operations
| Resource type | Get | List | Delete | Create | Update |
|---|---|---|---|---|---|
account |
✅ | ❌ | ❌ | ❌ | ❌ |
blockstorage |
✅ | ✅ | ✅ | ✅ | 🔜 |
firewall |
✅ | ✅ | ✅ | 🔜 | 🔜 |
image |
✅ | ✅ | ❌ | ❌ | ❌ |
kubernetes |
✅ | ✅ | 🔜 | 🔜 | 🔜 |
machine |
✅ | ✅ | ✅ | ✅ | 🔜 |
machinetype |
✅ | ✅ | ❌ | ❌ | ❌ |
region |
✅ | ✅ | ❌ | ❌ | ❌ |
sshkey |
✅ | ✅ | ✅ | 🔜 | 🔜 |
vpc |
✅ | ✅ | ✅ | 🔜 | 🔜 |
For detailed resource schemas and additional API endpoints, refer to the OpenAPI specification.
Response Metadata
All successful responses include a metadata object with:
uid- Unique identifier for the requesttimestamp- Unix timestamp of the response (seconds since epoch)
Error responses include the same metadata plus:
reason- Error description string
Pagination
List endpoints support pagination through optional query parameters:
nextToken- Token for the next page (provided in previous response)maxResults- Maximum number of results per page; actual returned page may have fewer items
When more results are available, the response includes a nextToken field.
Filters
List endpoints support JQ 1.5 expressions via jq query parameter.
The expression is applied to each individual resource object.
If the expression returns a “truthy” result (true, non-zero number, etc), then the object is returned.
Example: filter machine types to return only those containing “g7” in their name (URL is not encoded here):
GET '/resource/machinetype/akamai?jq=.name | contains("g7")'
Authorization: Bearer eyJhbGc...
See the OpenAPI specification to find JSON schema of a concrete resource.