---
title: Configuration Examples
excerpt: >-
  This document provides comprehensive examples of all available REST
  configuration types for Moveworks Bond agents, with clear marking of required
  vs optional fields.
deprecated: false
hidden: false
metadata:
  robots: index
---

## Table of Contents

### Core Configuration

1. [Basic Agent Configuration Structure](#basic-agent-configuration-structure)
2. [Moveworks Config](#moveworks-config)
3. [Secrets Management](#secrets-management)

### LDAP Configuration

4. [LDAP Config Structure](#ldap-config-structure)
5. [Single Domain LDAP](#single-domain-ldap)
6. [LDAP Forest (Multiple Domains)](#ldap-forest-multiple-domains)
7. [LDAP Field Reference](#ldap-field-reference)

### REST Configuration

8. [REST Config Structure](#rest-config-structure)
9. [Header Decorators](#header-decorators)
10. [Body Decorators](#body-decorators)
11. [URL Decorators](#url-decorators)
12. [REST Field Reference](#rest-field-reference)

### Complete Examples

13. [Complete Agent Configuration Examples](#complete-agent-configuration-examples)

### Reference

14. [Common Patterns](#common-patterns)
15. [Troubleshooting](#troubleshooting)

---

## Basic Agent Configuration Structure

Every Bond agent configuration has three main sections:

```yaml
bond_version: 2.10.3                    # [REQUIRED] Bond agent version

moveworks_config:                       # [REQUIRED] Connection to Moveworks platform
  access_key: your-org-name
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-secret-here

ldap_config:                            # [OPTIONAL] Single domain LDAP
  host: ldap.company.com
  port: 636
  # ... (see LDAP section below)

ldap_forest_config:                     # [OPTIONAL] Multiple domains
  domain1.company.com:
    host: dc1.company.com
    # ... (see LDAP Forest section below)

rest_configs:                           # [OPTIONAL] REST API clients
  SERVICE_NAME:
    service: SERVICE_NAME
    # ... (see REST section below)

secrets_provider_config:                # [OPTIONAL] Azure Key Vault or AWS Secrets Manager
  azure:
    default_vault: my-vault-name
```

---

## Moveworks Config

The Moveworks config connects the Bond agent to the Moveworks platform.

### Minimal Example

```yaml
moveworks_config:
  access_key: your-org-name
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret
```

### Complete Example with All Options

```yaml
moveworks_config:
  access_key: your-org-name                              # [REQUIRED] Organization identifier
  auth_url: https://agents.moveworks.com/api/v1/auth     # [REQUIRED] Auth endpoint
  config_url: https://agents.moveworks.com/api/v1/config # [REQUIRED] Config endpoint
  moveworks_access_secret:                               # [REQUIRED] Access secret
    value: your-access-secret                            # Use 'value' initially
  path_to_cert: /path/to/cert.pem                        # [OPTIONAL] TLS certificate path
  tls_skip_verify: false                                 # [OPTIONAL] Skip TLS verification
  proxy_url: http://proxy.company.com:8080               # [OPTIONAL] Proxy URL
  proxy_url_enc: http://user:pass@proxy.company.com:8080 # [OPTIONAL] Proxy with auth
  dynamic_config:                                        # [OPTIONAL] Runtime configuration
    api_url: https://api.moveworks.com
    log_url: https://logs.moveworks.com
    metrics_url: https://metrics.moveworks.com
    auth_refresh_period_secs: 3600
    pipeline_buf_size: 1000
    metrics_push_interval_secs: 60
    max_grpc_msg_size: 4194304
```

---

## Secrets Management

Bond supports three methods for managing sensitive values:

### Method 1: Plain Text Value (Initial Configuration)

**Use this when initially configuring.** Bond automatically encrypts it.

```yaml
client_secret:
  value: my-secret-password-123
```

After Bond processes it, you'll see:

```yaml
client_secret:
  encrypted_value: lxNi3OdSLuoixKbzxylpQ0dnIRNPuQ==
```

### Method 2: Pre-Encrypted Value

If you already have an encrypted value:

```yaml
client_secret:
  encrypted_value: lxNi3OdSLuoixKbzxylpQ0dnIRNPuQ==
```

### Method 3: Azure Key Vault

```yaml
client_secret:
  azure_entry:
    secret_name: my-oauth-client-secret # [REQUIRED] Secret name in vault
    vault: my-key-vault                 # [OPTIONAL] Vault name (uses default_vault if omitted)
    refresh_time_sec: 60                # [OPTIONAL] Refresh interval
```

**Requires secrets_provider_config:**

```yaml
secrets_provider_config:
  azure:
    default_vault: my-default-vault
```

### Method 4: AWS Secrets Manager

```yaml
client_secret:
  aws_entry:
    secret_name: my-oauth-client-secret # [REQUIRED] Secret name
    region: us-west-2                   # [OPTIONAL] AWS region (uses default if omitted)
    refresh_time_sec: 60                # [OPTIONAL] Refresh interval
```

**Requires secrets_provider_config:**

```yaml
secrets_provider_config:
  aws:
    default_region: us-west-2
```

**Fields that should be encrypted:**

- `moveworks_access_secret` - Agent access secret
- `ldap_service_password` - LDAP service password
- `client_secret` - OAuth2 client secret
- `client_refresh_token` - OAuth2 refresh token
- `password` - Basic auth password
- `url` (in `rest_call_config`) - Token endpoint URLs (recommended)
- Any sensitive header or query parameter values

---

# LDAP Configuration

Bond supports two LDAP configuration modes:

- **`ldap_config`** - Single domain LDAP
- **`ldap_forest_config`** - Multiple domains/forests

---

## LDAP Config Structure

```yaml
ldap_config:                            # Single domain configuration
  host: ldap.company.com                # [REQUIRED] LDAP host
  port: 636                             # [REQUIRED] LDAP port
  service_user: DOMAIN\svc_moveworks    # [REQUIRED] Service account
  ldap_service_password:                # [REQUIRED] Service account password
    value: password-here

  # Optional fields
  domain: company.com                   # [OPTIONAL] Domain name
  use_ssl: true                         # [OPTIONAL] Use SSL/TLS
  use_start_tls: false                  # [OPTIONAL] Use StartTLS
  path_to_cert: /path/to/cert.pem       # [OPTIONAL] Certificate path
  tls_skip_verify: false                # [OPTIONAL] Skip TLS verification
  dynamic_config:                       # [OPTIONAL] Runtime configuration
    pool_size: 10
    timeout_ms: 30000
```

---

## Single Domain LDAP

### Minimal Example (LDAPS on Port 636)

```yaml
ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
```

### Complete Example with All Options

```yaml
ldap_config:
  # Connection Settings
  host: ldap.company.com                # [REQUIRED] LDAP server hostname
  port: 636                             # [REQUIRED] LDAP port (636 for LDAPS, 389 for LDAP/StartTLS)
  domain: company.com                   # [OPTIONAL] Domain name

  # Authentication
  service_user: COMPANY\svc_moveworks   # [REQUIRED] Service account username
  ldap_service_password:                # [REQUIRED] Service account password
    value: your-ldap-password           # Use 'value' initially

  # TLS/SSL Settings
  use_ssl: true                         # [OPTIONAL] Use LDAPS (default: false)
  use_start_tls: false                  # [OPTIONAL] Use StartTLS (default: false)
  path_to_cert: /home/moveworks/agent/certs/ldap-cert.pem # [OPTIONAL] CA certificate path
  tls_skip_verify: false                # [OPTIONAL] Skip TLS verification (not recommended)

  # Performance Settings
  dynamic_config:                       # [OPTIONAL] Runtime configuration
    pool_size: 10                       # Connection pool size
    timeout_ms: 30000                   # Timeout in milliseconds (30 seconds)
```

### LDAPS (Port 636)

Standard LDAP over SSL:

```yaml
ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem
```

### LDAP with StartTLS (Port 389)

LDAP with opportunistic TLS upgrade:

```yaml
ldap_config:
  host: ldap.company.com
  port: 389
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-password
  use_start_tls: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem
```

### LDAP with Azure Key Vault

```yaml
ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    azure_entry:
      secret_name: ldap-service-password
      vault: my-vault
      refresh_time_sec: 60
  use_ssl: true
```

---

## LDAP Forest (Multiple Domains)

Use `ldap_forest_config` when you have multiple LDAP domains or forests.

### Structure

```yaml
ldap_forest_config:
  domain1.company.com:                  # Domain identifier (map key)
    domain: domain1.company.com
    host: dc1.company.com
    port: 636
    service_user: service_account
    ldap_service_password:
      value: password1
    # ... (same options as ldap_config)

  domain2.company.com:                  # Second domain
    domain: domain2.company.com
    host: dc2.company.com
    port: 636
    service_user: service_account2
    ldap_service_password:
      value: password2
```

### Minimal Example

```yaml
ldap_forest_config:
  east.company.com:
    domain: east.company.com
    host: ldap-east.company.com
    port: 636
    service_user: EAST\svc_moveworks
    ldap_service_password:
      value: password-east
    use_ssl: true

  west.company.com:
    domain: west.company.com
    host: ldap-west.company.com
    port: 636
    service_user: WEST\svc_moveworks
    ldap_service_password:
      value: password-west
    use_ssl: true
```

### Complete Example with All Options

```yaml
ldap_forest_config:
  primary.company.com:
    # Connection Settings
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636

    # Authentication
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      value: password-primary

    # TLS/SSL Settings
    use_ssl: true
    use_start_tls: false
    path_to_cert: /home/moveworks/agent/certs/primary-cert.pem
    tls_skip_verify: false

    # Performance Settings
    dynamic_config:
      pool_size: 10
      timeout_ms: 30000

  subsidiary.partner.com:
    domain: subsidiary.partner.com
    host: dc-subsidiary.partner.com
    port: 389
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-subsidiary-password
        vault: my-vault
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/subsidiary-cert.pem
```

---

## LDAP Field Reference

| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `host` | ✅ Yes | - | LDAP server hostname or IP |
| `port` | ✅ Yes | - | LDAP port (636 for LDAPS, 389 for LDAP/StartTLS) |
| `service_user` | ✅ Yes | - | Service account username (format: DOMAIN\username) |
| `ldap_service_password` | ✅ Yes | - | Service account password (encrypted) |
| `domain` | ❌ No | - | Domain name |
| `use_ssl` | ❌ No | `false` | Use LDAPS (SSL/TLS from start) |
| `use_start_tls` | ❌ No | `false` | Use StartTLS (upgrade connection to TLS) |
| `path_to_cert` | ❌ No | - | Path to CA certificate for TLS verification |
| `tls_skip_verify` | ❌ No | `false` | Skip TLS certificate verification (not recommended) |
| `dynamic_config.pool_size` | ❌ No | - | Connection pool size |
| `dynamic_config.timeout_ms` | ❌ No | - | Connection timeout in milliseconds |

**Important Notes:**

- Use either `use_ssl` (port 636) OR `use_start_tls` (port 389), not both
- `path_to_cert` is required when using SSL/TLS unless `tls_skip_verify` is true
- `ldap_forest_config` uses the same fields, but as a map with domain identifiers as keys

---

# REST Configuration

Bond supports REST API clients with various authentication methods.

---

## REST Config Structure

```yaml
rest_configs:
  CLIENT_NAME:                          # Client identifier (map key)
    service: SERVICE_NAME               # [REQUIRED] Service identifier

    # Decorators
    header_decorators: []               # [OPTIONAL] List of header decorators
    body_decorators: []                 # [OPTIONAL] List of body decorators
    url_decorators: []                  # [OPTIONAL] List of URL decorators

    # Configuration Options
    max_response_size: 10485760         # [OPTIONAL] Max response size in bytes (10MB)
    ca_cert_path: /path/to/cert.pem     # [OPTIONAL] CA certificate for TLS
    tls_skip_verify: false              # [OPTIONAL] Skip TLS verification
    do_not_use_rest_proxy: false        # [OPTIONAL] Bypass proxy for this client
    use_ntlmv2: false                   # [OPTIONAL] Use NTLMv2 authentication

    # Dynamic Configuration
    dynamic_config:                     # [OPTIONAL] Runtime configuration
      buf_size: 1000
      timeout_ms: 30000
```

**Key Points:**

- The client name is the map key (e.g., `JIRA:`, `SNOW:`)
- There is NO `base_url` field - the Moveworks platform passes full URLs per-request
- The `service` field is REQUIRED
- Decorators are applied to all requests made through this client

---

## Header Decorators

Header decorators add authentication headers and static headers to all requests.

### 1. Plain Headers (Static Headers)

Add static key-value pairs to request headers.

#### Minimal Example

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-static-api-key
```

#### Multiple Static Headers

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-api-key
      - plain:
          header_key: X-API-Version
          header_value: v2
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond
```

**Use Cases:**

- API keys that don't change
- API version headers
- Client identification headers

---

### 2. File-Based Headers

Load headers from a JSON file at runtime.

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - file:
          file_path: /home/moveworks/agent/headers.json
```

**JSON File Format:**

```json
{
  "X-API-Key": "dynamic-api-key",
  "X-Custom-Header": "custom-value",
  "Authorization": "Bearer token123"
}
```

**Use Cases:**

- Credentials stored in secure files
- Headers that need rotation without config changes
- Environment-specific headers

---

### 3. Basic Authentication

HTTP Basic Authentication (username:password encoded in Base64).

```yaml
rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service-account
          password:
            value: your-password-here
```

**Use Cases:**

- Jira Cloud with API tokens
- APIs using HTTP Basic Authentication
- Legacy systems

---

### 4. OAuth2 Client Credentials

OAuth2 Client Credentials Grant flow (machine-to-machine).

#### Minimal Example

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
```

#### Complete Example with All Options

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: my_client_id               # [REQUIRED]
          client_secret:                        # [REQUIRED]
            value: my-client-secret
          scope: read write admin               # [REQUIRED by most providers]
          rest_call_config:
            # Token Endpoint
            url:                                # [REQUIRED]
              value: https://oauth.example.com/token

            # Token Response Parsing
            token_body_key: access_token        # [OPTIONAL] Default: "access_token"
            token_body_pattern: "token:(.*)"    # [OPTIONAL] Regex to extract token

            # Request Configuration
            method: POST                        # [OPTIONAL] Default: POST
            request_body: "custom_body_template" # [OPTIONAL] Custom request body

            # Header Configuration
            header_key: Authorization           # [OPTIONAL] Default: "Authorization"
            header_template: Bearer %s          # [OPTIONAL] Default: "Bearer %s"

            # Token Refresh
            refresh_time_sec: 3600              # [OPTIONAL] Default: 3600 (1 hour)

            # Additional Headers
            auth_headers:                       # [OPTIONAL]
              Content-Type: application/x-www-form-urlencoded
              X-Custom-Header: value
```

**Use Cases:**

- Microsoft Azure AD
- Google Cloud Platform service accounts
- AWS Cognito machine-to-machine
- Salesforce OAuth2

**Key Requirements:**

- `client_id` - Your OAuth2 client identifier
- `client_secret` - Your OAuth2 client secret
- `rest_call_config.url` - Token endpoint URL
- `scope` - Required by most OAuth2 providers

---

### 5. OAuth2 Basic Auth

OAuth2 where `client_id:client_secret` is sent as a Basic Auth header instead of in the request body.

#### Minimal Example

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_basic_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read
          rest_call_config:
            url:
              value: https://oauth.example.com/token
```

#### Complete Example

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_basic_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
            token_body_key: access_token
            method: POST
            header_key: Authorization
            header_template: Bearer %s
            refresh_time_sec: 3600
```

**Difference from oauth2_client_credentials_auth:**

- `oauth2_client_credentials_auth`: Sends credentials in request body
- `oauth2_basic_auth`: Sends credentials as Basic Auth header

**Use Cases:**

- Atlassian APIs
- APIs requiring OAuth2 with Basic Auth header

---

### 6. OAuth2 Refresh Token

OAuth2 flows with refresh tokens for long-lived access.

#### Minimal Example

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_refresh_token_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          client_refresh_token:
            value: my-refresh-token
          scope: read offline_access
          rest_call_config:
            url:
              value: https://oauth.example.com/token
```

#### Complete Example

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_refresh_token_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          client_refresh_token:
            value: my-long-lived-refresh-token
          scope: read write offline_access
          rest_call_config:
            url:
              value: https://oauth.example.com/token
            token_body_key: access_token
            method: POST
            header_key: Authorization
            header_template: Bearer %s
            refresh_time_sec: 3600
```

**Use Cases:**

- Long-lived user authentication
- OAuth2 flows where users grant permission once
- Refresh token rotation

---

### 7. Custom Auth

Custom authentication flows for non-standard token endpoints.

#### Minimal Example

```yaml
rest_configs:
  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://api.example.com/auth
```

#### Complete Example (BMC Remedy Style)

```yaml
rest_configs:
  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://remedy.company.com/api/jwt/login
          method: POST
          header_key: AR-JWT
          header_template: "AR-JWT %s"
          refresh_time_sec: 300
          token_body_key: token
          token_body_pattern: "\"token\":\"([^\"]+)\""
          request_body: "username=user&password=pass"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded
```

#### Complete Example (Cherwell Style)

```yaml
rest_configs:
  CHERWELL:
    service: CHERWELL
    header_decorators:
      - custom_auth:
          url:
            value: https://cherwell.company.com/CherwellAPI/token
          method: POST
          header_key: Authorization
          header_template: Bearer %s
          refresh_time_sec: 1200
          token_body_key: access_token
          request_body: "grant_type=password&authMode=internal&client_id=KEY&username=USER&password=PASS"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded
```

**Use Cases:**

- BMC Remedy authentication
- Cherwell authentication
- Custom enterprise authentication systems
- Legacy authentication mechanisms

---

### 8. Multiple Decorators Combined

You can combine multiple header decorators in a single REST config.

#### OAuth2 + Static Headers

```yaml
rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      # OAuth2 authentication
      - oauth2_client_credentials_auth:
          client_id: my_client_id
          client_secret:
            value: my-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token

      # Static API version
      - plain:
          header_key: X-API-Version
          header_value: v2

      # Static client identifier
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond
```

#### Basic Auth + Static Headers

```yaml
rest_configs:
  LEGACY_API:
    service: LEGACY_API
    header_decorators:
      - basic_auth:
          username: api_user
          password:
            value: password123
      - plain:
          header_key: Content-Type
          header_value: application/json
```

---

## Body Decorators

Body decorators merge key-value pairs into the request body.

### 1. Plain Body (Static Values)

```yaml
rest_configs:
  MY_API:
    service: MY_API
    body_decorators:
      - plain:
          body_key: source
          body_value: moveworks
      - plain:
          body_key: environment
          body_value: production
```

### 2. File-Based Body

Load body values from a JSON file at runtime.

```yaml
rest_configs:
  MY_API:
    service: MY_API
    body_decorators:
      - file:
          file_path: /home/moveworks/agent/body-params.json
```

**JSON File Format:**

```json
{
  "source": "moveworks",
  "environment": "production",
  "version": "2.0"
}
```

---

## URL Decorators

URL decorators add query parameters to request URLs.

### 1. Plain Query Parameter

Add static query parameters to all requests.

```yaml
rest_configs:
  MY_API:
    service: MY_API
    url_decorators:
      - plain_query_parameter:
          query_key: api_version
          query_value:
            value: v2
```

### 2. Oracle WebCenter Auth

Special authentication for Oracle WebCenter.

```yaml
rest_configs:
  ORACLE_WEBCENTER:
    service: ORACLE_WEBCENTER
    url_decorators:
      - oracle_web_centre_auth:
          username: oracle_user
          password:
            value: oracle-password
          query_parameter:
            query_key: auth_token
            query_template: "%s"
          rest_call_config:
            url:
              value: https://oracle.company.com/auth
```

---

## REST Field Reference

### REST Config Top Level

| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `service` | ✅ Yes | - | Service identifier (min length 1) |
| `header_decorators` | ❌ No | `[]` | List of header decorators |
| `body_decorators` | ❌ No | `[]` | List of body decorators |
| `url_decorators` | ❌ No | `[]` | List of URL decorators |
| `max_response_size` | ❌ No | 10MB | Maximum response size in bytes |
| `ca_cert_path` | ❌ No | - | CA certificate path for TLS |
| `tls_skip_verify` | ❌ No | `false` | Skip TLS verification |
| `do_not_use_rest_proxy` | ❌ No | `false` | Bypass proxy for local requests |
| `use_ntlmv2` | ❌ No | `false` | Use NTLMv2 authentication |
| `dynamic_config.buf_size` | ❌ No | - | Buffer size |
| `dynamic_config.timeout_ms` | ❌ No | - | Timeout in milliseconds |

**Important:** There is NO `base_url` field. The Moveworks platform passes full URLs per-request.

### OAuth2 RestAuthCallConfig

| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `url` | ✅ Yes | - | Token endpoint URL (encrypted) |
| `method` | ❌ No | `POST` | HTTP method for token request |
| `header_key` | ❌ No | `Authorization` | Header name for token |
| `header_template` | ❌ No | `Bearer %s` | Template for header value |
| `refresh_time_sec` | ❌ No | `3600` | Token refresh interval (seconds) |
| `token_body_key` | ❌ No | `access_token` | JSON key to extract token |
| `token_body_pattern` | ❌ No | - | Regex pattern to extract token |
| `request_body` | ❌ No | - | Custom request body template |
| `auth_headers` | ❌ No | `{Content-Type: application/x-www-form-urlencoded}` | Headers for token request |

### OAuth2 Client Credentials / Basic Auth / Refresh Token

| Field | Required | Default | Description |
|-------|----------|---------|-------------|
| `client_id` | ✅ Yes | - | OAuth2 client identifier |
| `client_secret` | ✅ Yes | - | OAuth2 client secret (encrypted) |
| `client_refresh_token` | ✅ Yes (refresh only) | - | OAuth2 refresh token (encrypted) |
| `scope` | ❌ No | - | Space-separated OAuth2 scopes |
| `rest_call_config` | ✅ Yes | - | Token endpoint configuration |

---

# Complete Agent Configuration Examples

## Example 1: LDAPS Only

Basic LDAP over SSL configuration:

```yaml
bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret-here

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem
```

---

## Example 2: LDAPS + Jira (Basic Auth)

LDAP with a single REST client using Basic Authentication:

```yaml
bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service-account
          password:
            value: your-jira-password
```

---

## Example 3: LDAP Forest with Multiple Domains

Configuration for LDAP environments with multiple domains:

```yaml
bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_forest_config:
  primary.company.com:
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      value: your-password-primary
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/primary-cert.pem

  subsidiary.company.com:
    domain: subsidiary.company.com
    host: dc-subsidiary.company.com
    port: 636
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      value: your-password-subsidiary
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/subsidiary-cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-user
          password:
            value: your-jira-password
```

---

## Example 4: Azure Key Vault + OAuth2

Using Azure Key Vault for secrets management with OAuth2:

```yaml
bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    azure_entry:
      secret_name: moveworks-access-secret
      vault: my-vault

secrets_provider_config:
  azure:
    default_vault: my-vault

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    azure_entry:
      secret_name: ldap-service-password
      refresh_time_sec: 60
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  SERVICENOW:
    service: SERVICENOW
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client_id
          client_secret:
            azure_entry:
              secret_name: snow-oauth-secret
              refresh_time_sec: 60
          scope: read write
          rest_call_config:
            url:
              azure_entry:
                secret_name: snow-token-url
                refresh_time_sec: 60
```

---

## Example 5: Multiple REST Clients with Mixed Auth

LDAP with multiple REST clients using different authentication methods:

```yaml
bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service
          password:
            value: jira-password

  SERVICENOW:
    service: SERVICENOW
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client
          client_secret:
            value: snow-secret
          scope: read write
          rest_call_config:
            url:
              value: https://instance.service-now.com/oauth_token.do

  SALESFORCE:
    service: SALESFORCE
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: sfdc_client
          client_secret:
            value: sfdc-secret
          scope: api
          rest_call_config:
            url:
              value: https://login.salesforce.com/services/oauth2/token
      - plain:
          header_key: X-API-Version
          header_value: "v58.0"
```

---

## Example 6: All Features Combined

Comprehensive example showing all configuration options:

```yaml
bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    azure_entry:
      secret_name: moveworks-secret
  path_to_cert: /home/moveworks/agent/certs/moveworks-cert.pem
  proxy_url: http://proxy.company.com:8080

secrets_provider_config:
  azure:
    default_vault: my-vault

ldap_forest_config:
  primary.company.com:
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-primary-password
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/ldap-primary.pem

  subsidiary.partner.com:
    domain: subsidiary.partner.com
    host: dc-subsidiary.partner.com
    port: 389
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-subsidiary-password
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/ldap-subsidiary.pem

rest_configs:
  SERVICENOW:
    service: SERVICENOW
    max_response_size: 104857600
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client
          client_secret:
            azure_entry:
              secret_name: snow-client-secret
          scope: read write
          rest_call_config:
            url:
              azure_entry:
                secret_name: snow-token-url
            token_body_key: access_token
            refresh_time_sec: 3600
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond
    body_decorators:
      - plain:
          body_key: source
          body_value: moveworks
    url_decorators:
      - plain_query_parameter:
          query_key: sysparm_display_value
          query_value:
            value: "true"

  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service
          password:
            azure_entry:
              secret_name: jira-password

  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://remedy.company.com/api/jwt/login
          method: POST
          header_key: AR-JWT
          header_template: "AR-JWT %s"
          refresh_time_sec: 300
          request_body: "username=remedyuser&password=remedypass"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded
```

---

# Common Patterns

## Pattern 1: Simple API Key

```yaml
rest_configs:
  SIMPLE_API:
    service: SIMPLE_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-api-key
```

---

## Pattern 2: OAuth2 with API Version

```yaml
rest_configs:
  MODERN_API:
    service: MODERN_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: client123
          client_secret:
            value: secret123
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
      - plain:
          header_key: X-API-Version
          header_value: v2
```

---

## Pattern 3: Basic Auth with Content Type

```yaml
rest_configs:
  LEGACY_API:
    service: LEGACY_API
    header_decorators:
      - basic_auth:
          username: api_user
          password:
            value: password123
      - plain:
          header_key: Content-Type
          header_value: application/json
```

---

## Pattern 4: LDAP Forest with StartTLS

```yaml
ldap_forest_config:
  domain1.company.com:
    domain: domain1.company.com
    host: dc1.company.com
    port: 389
    service_user: DOMAIN1\svc_moveworks
    ldap_service_password:
      value: password1
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/cert.pem
```

---

# Troubleshooting

## LDAP Issues

### Connection Timeout

**Symptoms:** Agent can't connect to LDAP server

**Check:**

1. Verify `host` and `port` are correct
2. Check firewall rules allow traffic from agent
3. Verify certificate path if using SSL/TLS
4. Test connection: `ldapsearch -H ldaps://host:636 -x`

### Authentication Failed

**Symptoms:** "Invalid credentials" or "Bind failed"

**Check:**

1. Verify `service_user` format (DOMAIN\username or username@domain.com)
2. Confirm password is correct
3. Check if service account is locked or expired
4. Verify service account has LDAP read permissions

### TLS/SSL Errors

**Symptoms:** "Certificate verification failed"

**Check:**

1. Verify `path_to_cert` points to correct CA certificate
2. Check certificate hasn't expired
3. Ensure certificate chain is complete
4. Try `tls_skip_verify: true` temporarily (not recommended for production)

---

## REST Issues

### Token Not Being Applied

**Check:**

1. Is `token_body_key` correct? (default is "access_token")
2. Does token endpoint return JSON with expected key?
3. Is `header_template` correct? (default is "Bearer %s")
4. Is token endpoint URL accessible from agent?

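An offline way to work through checks 1 to 3 against a captured token response, added here as an example and not part of Bond. The function name `build_auth_header`, the sample responses, and the rule that `token_body_pattern` (capture group 1) takes precedence over `token_body_key` are assumptions; the defaults come from the OAuth2 RestAuthCallConfig table.

```python
import json
import re

# Defaults as listed in the OAuth2 RestAuthCallConfig table on this page.
DEFAULTS = {
    "token_body_key": "access_token",
    "header_key": "Authorization",
    "header_template": "Bearer %s",
}


def build_auth_header(rest_call_config, response_body):
    """Return (header_name, header_value) for a token response, or raise
    ValueError naming the setting that does not fit the response.

    Assumptions (not confirmed by the page): token_body_pattern, when set,
    is tried instead of token_body_key, and the token is capture group 1.
    Python's `re` is used here; the agent's regex dialect may differ.
    Error messages never include the token itself.
    """
    cfg = {**DEFAULTS, **rest_call_config}

    pattern = cfg.get("token_body_pattern")
    if pattern:
        try:
            match = re.search(pattern, response_body)
        except re.error as exc:
            raise ValueError(f"token_body_pattern is not a valid regex: {exc}") from exc
        if not match or not match.groups() or not match.group(1):
            raise ValueError("token_body_pattern captured no token (needs one capture group)")
        token = match.group(1)
    else:
        try:
            body = json.loads(response_body)
        except json.JSONDecodeError as exc:
            raise ValueError("token response is not JSON; token_body_key cannot apply") from exc
        if not isinstance(body, dict):
            raise ValueError("token response is JSON but not an object")
        key = cfg["token_body_key"]
        token = body.get(key)
        if not isinstance(token, str) or not token:
            raise ValueError(f"token_body_key {key!r} not found; response has keys {sorted(body)}")

    template = cfg["header_template"]
    if template.count("%s") != 1:
        raise ValueError("header_template must contain exactly one %s placeholder")
    # str.replace avoids %-formatting errors if the template has other % signs.
    return cfg["header_key"], template.replace("%s", token)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real service.
    print(build_auth_header({}, '{"access_token": "abc123", "expires_in": 3600}'))
    bmc_style = {
        "header_key": "AR-JWT",
        "header_template": "AR-JWT %s",
        "token_body_pattern": r'"token":"([^"]+)"',
    }
    print(build_auth_header(bmc_style, '{"token":"constructed.jwt.value"}'))
```
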
### Auth Failing

**Check:**

1. Are credentials encrypted correctly?
2. Is `client_id` correct?
3. Are `scope` values correct and space-separated?
4. Is token endpoint URL correct?
5. Check agent logs for auth request/response details

### Headers Not Appearing

**Check:**

1. Is decorator in `header_decorators` list?
2. Are required fields present?
3. For file-based headers, does file exist with correct permissions?
4. Are static headers properly formatted?

### Missing Required `service` Field

**Symptoms:** Configuration validation errors

**Fix:** Add `service` field to all REST configs:

```yaml
rest_configs:
  MY_CLIENT:
    service: MY_SERVICE                 # Add this
    header_decorators: []
```

---

## Azure Key Vault Issues

### Secret Not Found

**Check:**

1. Verify `secret_name` is correct
2. Check `vault` name (or `default_vault` in `secrets_provider_config`)
3. Verify agent has access to Key Vault (managed identity or service principal)
4. Check Azure RBAC permissions

### Secret Not Refreshing

**Check:**

1. Verify `refresh_time_sec` is set if needed
2. Check agent logs for refresh errors
3. Verify Key Vault network rules allow agent access

---

## General Debugging

### Enable Debug Logging

Add to `moveworks_config.dynamic_config`:

```yaml
moveworks_config:
  dynamic_config:
    # Add this for debugging (in dynamic_config via API)
```

Or set via Bond dynamic config API.

### Check Agent Logs

```bash
# View agent logs
tail -f /var/log/moveworks/bond-agent.log

# Search for errors
grep ERROR /var/log/moveworks/bond-agent.log
```

### Test Connectivity

```bash
# Test LDAP
ldapsearch -H ldaps://ldap.company.com:636 -x -D "DOMAIN\user" -W

# Test REST endpoint
curl -v https://api.example.com/endpoint

# Test with Bond proxy
curl -v --proxy http://proxy:8080 https://api.example.com/endpoint
```
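
### Pre-Deployment Config Check (Added Example)

A check to run on a config before it is committed or shared, covering the "Fields that should be encrypted" list and the LDAP "Important Notes". This is an added example, not Bond's own validation: the function names, rule identifiers and sample config are assumptions, and the config is taken as an already-parsed mapping (load the YAML with the parser of your choice).

```python
# Field names taken from the "Fields that should be encrypted" list on this page.
SECRET_FIELDS = {
    "moveworks_access_secret", "ldap_service_password",
    "client_secret", "client_refresh_token", "password",
}


def walk(node, path, findings):
    """Recurse through dicts and lists, recording rules that apply at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "tls_skip_verify" and val is True:
                findings.append((here, "TLS_VERIFY_OFF"))
            # A secret still carrying 'value' has not been replaced by
            # encrypted_value, azure_entry or aws_entry.
            if key in SECRET_FIELDS and isinstance(val, dict) and "value" in val:
                findings.append((here, "PLAINTEXT_SECRET"))
            walk(val, here, findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            walk(item, f"{path}[{i}]", findings)


def lint(config):
    """Return a sorted list of (config_path, rule_id) findings."""
    findings = []
    walk(config, "", findings)

    # Collect every LDAP block: the single-domain one plus each forest entry.
    ldap_blocks = {}
    if isinstance(config.get("ldap_config"), dict):
        ldap_blocks["ldap_config"] = config["ldap_config"]
    for name, block in (config.get("ldap_forest_config") or {}).items():
        ldap_blocks[f"ldap_forest_config.{name}"] = block

    for path, block in ldap_blocks.items():
        ssl = bool(block.get("use_ssl", False))
        starttls = bool(block.get("use_start_tls", False))
        if ssl and starttls:
            findings.append((path, "LDAP_BOTH_TLS_MODES"))   # use one, not both
        if not ssl and not starttls:
            findings.append((path, "LDAP_NO_TLS"))           # both default to false
        if (ssl or starttls) and not block.get("path_to_cert") \
                and not block.get("tls_skip_verify", False):
            findings.append((path, "LDAP_NO_CA_CERT"))       # path_to_cert required
    return sorted(findings)


# Constructed sample config (parsed form); values are placeholders.
SAMPLE = {
    "moveworks_config": {
        "access_key": "your-org-name",
        "moveworks_access_secret": {"encrypted_value": "PLACEHOLDER"},
    },
    "ldap_forest_config": {
        "east.company.com": {
            "host": "ldap-east.company.com", "port": 636,
            "ldap_service_password": {"azure_entry": {"secret_name": "ldap-east"}},
            "use_ssl": True, "use_start_tls": True,
            "path_to_cert": "/home/moveworks/agent/certs/cert.pem",
        },
        "west.company.com": {
            "host": "ldap-west.company.com", "port": 389,
            "ldap_service_password": {"encrypted_value": "PLACEHOLDER"},
            "use_start_tls": True,
        },
    },
    "rest_configs": {
        "JIRA": {
            "service": "JIRA",
            "tls_skip_verify": True,
            "header_decorators": [
                {"basic_auth": {"username": "jira-service",
                                "password": {"value": "constructed-password"}}},
            ],
        },
    },
}

if __name__ == "__main__":
    for where, rule in lint(SAMPLE):
        print(f"{rule:22} {where}")
```

A `PLAINTEXT_SECRET` finding is expected on a freshly written config that uses Method 1; it matters once the file leaves the agent host or after Bond should already have replaced `value` with `encrypted_value`.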