Access Control

Access Control is the foundation of AgentBase. It covers two closely related concerns: Agent Identity (registering your agent on the platform) and Auth & Secrets (storing and injecting credentials your agent needs to call external services).

  • Portal: https://aiplatform.console.vngcloud.vn/access-control

  • API Base URL: https://agentbase.api.vngcloud.vn/identity/api/v1


Core Concepts

What Is an Identity?

In AgentBase, an Identity is a named, platform-managed record that uniquely represents your agent within the organization. Think of it as the agent's "account" — the foundation on which everything else is built. An identity must exist before a Runtime can be created for that agent, and before any auth credentials can be retrieved.

An identity has:

  • A unique name (scoped to the organization)

  • An optional description and metadata

  • A list of associated auth configurations (the credentials this identity can retrieve)

Identity naming rules:

  • 3–50 characters

  • Alphanumeric, underscore _, and hyphen - only (^[a-zA-Z0-9_-]+$)

  • Must be unique within the organization

Identity vs. Runtime

An Identity is persistent and environment-agnostic. A Runtime is tied to a specific container image and compute configuration. Multiple runtimes (for example, staging and production) can share the same identity.

Outbound Authentication

When your agent calls external services (OpenAI, Google, Slack, internal APIs), it needs credentials. AgentBase's Auth system lets you store these credentials centrally and have them automatically delivered to your agent at runtime — without hardcoding them.

The auth system supports three credential types:

  • Static API Key — A fixed string (such as an API key) associated with an identity. Use when the external service issues a long-lived API key and you want centralized management.

  • Delegated API Key — A credential that is scoped and potentially short-lived, useful for multi-tenant scenarios where different agents should get different scoped keys.

  • OAuth2 Provider — For services that use OAuth2 (Google, Slack, and others). AgentBase stores the client credentials and refresh token, and handles token refresh automatically.

Provider Type        Use Case                                            Storage
-------------------  --------------------------------------------------  -------------------------
Static API Key       Long-lived keys (OpenAI, AIP, etc.)                 Encrypted at rest
Delegated API Key    End-user federated keys                             Per-user, federated
OAuth2               Third-party services (Google, GitHub, Slack, etc.)  Encrypted, auto-refreshed

Security model: Credentials are stored in HashiCorp Vault.


Agent Identity

Portal

Create an Identity

  1. Open https://aiplatform.console.vngcloud.vn/access-control

  2. Click "Create Identity"

  3. Fill in:

    • Name (required): e.g., my-order-agent — lowercase, alphanumeric and hyphens

    • Description (optional): e.g., Handles order inquiries

    • Allowed Return URLs (optional): OAuth2 callback URLs for this identity

  4. Click Create

  5. The new identity appears in the list with status ACTIVE

List Identities

  1. Open https://aiplatform.console.vngcloud.vn/access-control

  2. All identities are shown in a paginated list

Get Identity Details

  1. Open https://aiplatform.console.vngcloud.vn/access-control

  2. Click on the identity name

Update an Identity

  1. Open https://aiplatform.console.vngcloud.vn/access-control

  2. Click on the identity name → "Edit"

  3. Update description or allowed return URLs → Save

Delete an Identity

Warning: Deleting an identity is irreversible. Stop all associated runtimes and remove all auth configurations before deleting.

  1. Open https://aiplatform.console.vngcloud.vn/access-control

  2. Find the identity → Delete → confirm


RESTful API

Prerequisite: All API examples below use $TOKEN — an IAM bearer token. See Configure Authentication for how to obtain it.

Create an Identity

Example response:

Error: 409 Conflict — name already exists. Choose a different name or use the existing identity.
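The request-building and error-handling flow described in this section and the naming rules under Core Concepts, as an added example that is not part of the AgentBase documentation or SDK. It uses only the documented base URL, the $TOKEN bearer header and the troubleshooting table; the resource path "/identities" and the JSON body layout are assumptions (the page does not state them), and the `transport` parameter exists so the call can be exercised without network access.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, List, Optional, Tuple

# Documented base URL of the Identity API (from the page).
BASE_URL = "https://agentbase.api.vngcloud.vn/identity/api/v1"
# ASSUMPTION: the page does not state the resource path; "/identities" is a placeholder.
IDENTITIES_PATH = "/identities"

# Naming rule from the page: 3-50 characters matching ^[a-zA-Z0-9_-]+$.
NAME_RE = re.compile(r"^[a-zA-Z0-9_-]+$")


def validate_identity_name(name: str) -> Optional[str]:
    """Return None when the name is valid, otherwise the reason the API would reject it."""
    if not 3 <= len(name) <= 50:
        return f"name must be 3-50 characters, got {len(name)}"
    if not NAME_RE.fullmatch(name):
        return "name may only contain A-Z, a-z, 0-9, '_' and '-'"
    return None  # uniqueness within the organization is only checked server-side (409)


def build_create_identity_request(token: str, name: str, description: Optional[str] = None,
                                  allowed_return_urls: Optional[List[str]] = None) -> urllib.request.Request:
    """Build the POST request; a bad name is rejected locally and never reaches the API."""
    reason = validate_identity_name(name)
    if reason:
        raise ValueError(reason)
    # ASSUMPTION: field names mirror the AgentIdentityResponse model; the request shape is not on the page.
    body = {"name": name}
    if description:
        body["description"] = description
    if allowed_return_urls:
        body["allowed_return_urls"] = allowed_return_urls
    return urllib.request.Request(
        BASE_URL + IDENTITIES_PATH,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


# Guidance from the page's troubleshooting table, keyed by HTTP status.
STATUS_GUIDANCE = {
    401: "Expired or invalid IAM token: re-obtain the token with valid credentials",
    403: "Service account lacks permissions: attach AgentBaseFullAccess at https://iam.console.vngcloud.vn",
    404: "Name does not exist: verify with a list operation",
    409: "Identity or provider name already exists: choose a different name or use the existing identity",
}


def explain_status(status: int) -> str:
    return STATUS_GUIDANCE.get(status, f"unexpected HTTP status {status}")


def _urllib_transport(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport: send the request and return (status, body) even for HTTP errors."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def create_identity(token: str, name: str, description: Optional[str] = None,
                    allowed_return_urls: Optional[List[str]] = None,
                    transport: Callable[[urllib.request.Request], Tuple[int, bytes]] = _urllib_transport) -> dict:
    """Create the identity and translate failures into the documented remediation."""
    req = build_create_identity_request(token, name, description, allowed_return_urls)
    status, body = transport(req)
    if status >= 400:
        raise RuntimeError(f"create identity failed ({status}): {explain_status(status)}")
    return json.loads(body)


if __name__ == "__main__":
    import os
    # $TOKEN is the IAM bearer token described under Prerequisite.
    print(create_identity(os.environ["TOKEN"], "my-order-agent", "Handles order inquiries"))
```

Validating the name before sending avoids a round trip and makes the "Name validation error" row in the troubleshooting table something you catch locally; the 409 branch is the conflict case this section describes.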

List Identities

Response shape:

Get Identity Details

Update an Identity

You can update the description and allowed return URLs. The name and ID are immutable.

Delete an Identity

Warning: Deleting an identity is irreversible.


SDK

Create an Identity

Note: IAMCredentials() with no args auto-loads from GREENNODE_CLIENT_ID / GREENNODE_CLIENT_SECRET environment variables or .greennode.json.

List Identities

Get Identity Details

Update an Identity

Delete an Identity


Auth & Secrets

An agent identity must exist before creating auth providers. If you haven't created one yet, see Agent Identity above.

Portal

Static API Key Provider

  1. Open https://aiplatform.console.vngcloud.vn/access-control → "Auth Providers"

  2. Click "Create Provider" → select "Static API Key"

  3. Fill in Name (e.g., openai-key) and API Key value

  4. Click Create

Delegated API Key Provider

  1. Open https://aiplatform.console.vngcloud.vn/access-control → Auth Providers

  2. Click "Create Provider" → select "Delegated API Key"

  3. Enter a Name (e.g., user-openai-key) → Create

OAuth2 Provider

  1. Open https://aiplatform.console.vngcloud.vn/access-control → Auth Providers

  2. Click "Create Provider" → select "OAuth2"

  3. Fill in: Name, Client ID, Client Secret, Authorization URL, Token URL

  4. Click Create — the response includes a Callback URL to register in your OAuth2 app


RESTful API

Static API Key Provider

Create:

List:

Get:

Update (key rotation):

Delete:

Warning: Deleting a provider immediately revokes access for all running agents using it.

Delegated API Key Provider

Create:

List:

Get:

Delete:

OAuth2 Provider

Create:

Response includes callbackUrl — register this in your OAuth2 app.

List:

Get:

Update:

Delete:

Get OAuth2 Token (M2M):


SDK

Static API Key Provider

Delegated API Key Provider

OAuth2 Provider

Create:

Get OAuth2 Token (M2M):

Retrieve Credentials at Runtime

When your agent is deployed on AgentBase Runtime, the runtime automatically injects GREENNODE_CLIENT_ID, GREENNODE_CLIENT_SECRET, and GREENNODE_AGENT_IDENTITY as environment variables. The SDK uses these automatically.
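The credential resolution this paragraph and the SDK note above describe (environment variables injected by the runtime, with .greennode.json as a fallback), as an added example rather than the SDK's own loader. The three variable names come from the page; the assumption that the environment is consulted before the file, and that .greennode.json uses those same names as top-level keys, are this example's, not the page's.

```python
import json
import os
from pathlib import Path
from typing import Mapping, Optional, Union

# Environment variables the page says AgentBase Runtime injects into the container.
ENV_KEYS = {
    "client_id": "GREENNODE_CLIENT_ID",
    "client_secret": "GREENNODE_CLIENT_SECRET",
    "agent_identity": "GREENNODE_AGENT_IDENTITY",
}


def parse_config_text(text: str) -> dict:
    """Parse a .greennode.json body. ASSUMPTION: top-level keys equal the env var names."""
    data = json.loads(text)
    return {field: data.get(env_name) for field, env_name in ENV_KEYS.items()}


def load_runtime_credentials(environ: Mapping[str, str] = os.environ,
                             config_path: Optional[Union[str, Path]] = None) -> dict:
    """Resolve credentials: environment first (what the runtime injects), then the file.

    Raises with the exact variable names that are missing, so the failure matches the
    troubleshooting row "Agent can't retrieve credential / Identity name missing".
    """
    path = Path(config_path) if config_path else Path.home() / ".greennode.json"
    creds = {field: environ.get(env_name) for field, env_name in ENV_KEYS.items()}
    missing = [field for field, value in creds.items() if not value]
    if missing and path.is_file():
        from_file = parse_config_text(path.read_text())
        for field in missing:
            creds[field] = from_file.get(field)
    still_missing = [ENV_KEYS[field] for field, value in creds.items() if not value]
    if still_missing:
        raise RuntimeError("missing credentials: set " + ", ".join(still_missing))
    return creds


def redact(creds: dict) -> dict:
    """View that is safe to log: the client secret is never echoed."""
    shown = dict(creds)
    shown["client_secret"] = "***" if shown.get("client_secret") else None
    return shown


if __name__ == "__main__":
    print(redact(load_runtime_credentials()))
```

Failing fast with the variable names spelled out is what makes the last troubleshooting row actionable: a runtime that lacks GREENNODE_AGENT_IDENTITY cannot tell AgentBase which identity's auth configurations to retrieve, and the error should say so rather than surfacing later as a generic credential lookup failure.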

Inject static API key:

Inject OAuth2 access token:


Response Models

AgentIdentityResponse fields:

Field                 Type          Description
--------------------  ------------  ----------------------------------------
id                    string        Unique UUID identifier
name                  string        Identity name (immutable after creation)
description           string        Optional description
allowed_return_urls   list[string]  OAuth2 callback URLs
created_at            datetime      Creation timestamp
updated_at            datetime      Last update timestamp


Troubleshooting

Error                            Cause                                     Fix
-------------------------------  ----------------------------------------  --------------------------------------------------------------
401 Unauthorized                 Expired or invalid IAM token              Re-obtain token with valid credentials
403 Forbidden                    Service account lacks permissions         Attach AgentBaseFullAccess at https://iam.console.vngcloud.vn
409 Conflict                     Identity or provider name already exists  Choose a different name
Name validation error            Name doesn't match ^[a-zA-Z0-9_-]+$       Use only alphanumeric, underscore, and hyphen; 3–50 chars
404 Not Found                    Provider name does not exist              Verify with a list operation
Agent can't retrieve credential  Identity name missing                     Ensure GREENNODE_AGENT_IDENTITY env var is set in the runtime

