
Resources API

The Resources API manages inventory records and resource-specific operations. In Anchor, resources are not just rows in an inventory table; they are the operational targets that connect accounts, scopes, policies, verification, rotation, sessions, logs, and review signals.

  • List resources for inventory, review, or automation workflows.
  • Create or update resources with owner, scope, environment, and metadata context.
  • Attach resources to scopes and policy boundaries.
  • Inspect status, verification posture, and operational metadata.
  • Trigger allowed actions through policy-aware workflows.
  • Read effective policy and resolved behavior for a resource.
  • Review dependencies before changing or removing a target.
  • Manage secret metadata, reveal workflows, machine retrieval credentials, and resource log preferences.
  • Run bulk preflight and bulk actions for verification, rotation, reconciliation, or cleanup.

Inventory

Resource record carries owner, scope, endpoint, status, and metadata.

Policy

Expected controls define verification, rotation, access, and review behavior.

Workflow

Verification, rotation, or reconciliation runs as operational work.

Evidence

Outcome is recorded with resource, account, policy, and result context.

Resource automation should preserve both machine-readable identifiers and human-readable names. Operators and reviewers need to understand what the resource is, who owns it, which account is involved, which policy applies, and what evidence was produced.

Verification, rotation, and reconciliation are not generic remote commands. They are privileged workflows that should carry actor, resource, account, policy, job, result, and log context.

Anchor’s resource model supports that chain:

  • Verification confirms whether the observed target or credential state still matches Anchor’s expectation.
  • Rotation updates managed credential material according to policy and records the lifecycle event.
  • Reconciliation brings drifted target state back into alignment through a controlled recovery path.
  • Bulk preflight lets operators see what will run, what will be blocked, and why before high-volume work begins.

Human reveal and machine retrieval should not blur together. Human reveal is an operator workflow that can require reason and policy permission. Machine retrieval uses a dedicated retrieval credential and produces its own evidence trail.

That distinction makes audit review sharper: a reviewer can tell whether a person revealed privileged material or an approved automation path retrieved it.

| Retrieval path | Review signal |
| --- | --- |
| Human reveal | A person requested privileged material with reason, target, and policy context. |
| Machine retrieval | An approved automation credential retrieved material through a dedicated path. |
| Verification or rotation | A job produced result, step, log, and evidence context for the resource. |
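
The review step described above can be automated over exported audit events. The sketch below is an added example, not Anchor's own code or API: the event field names (`path`, `actor`, `reason`, `retrieval_credential`, `job_id`, `result`) and the sample events are constructed for illustration. It flags events that lack the context their path should carry, or that mix a human actor into the machine path.

```python
# Constructed audit events; field names are hypothetical, not Anchor's schema.
SAMPLE_EVENTS = [
    {"id": "e1", "path": "human_reveal", "actor": "alice",
     "reason": "incident break-glass", "resource": "db-prod-01", "policy": "prod-db"},
    {"id": "e2", "path": "human_reveal", "actor": "bob",
     "reason": "", "resource": "db-prod-01", "policy": "prod-db"},
    {"id": "e3", "path": "machine_retrieval", "retrieval_credential": "rc-deploy",
     "resource": "svc-api", "policy": "ci"},
    {"id": "e4", "path": "machine_retrieval", "actor": "carol",
     "resource": "svc-api", "policy": "ci"},
    {"id": "e5", "path": "job", "job_id": "j-17", "result": "rotated",
     "resource": "svc-api", "policy": "ci"},
]

# Context each path must carry, following the review-signal table above.
REQUIRED = {
    "human_reveal": ("actor", "reason", "resource", "policy"),
    "machine_retrieval": ("retrieval_credential", "resource", "policy"),
    "job": ("job_id", "result", "resource", "policy"),
}
# Principals that must not appear on a path (assumption: keeps the paths distinct).
FORBIDDEN = {
    "human_reveal": ("retrieval_credential",),
    "machine_retrieval": ("actor",),
    "job": (),
}


def review_event(event):
    """Return findings for one event; an empty list means nothing to flag."""
    path = event.get("path")
    if path not in REQUIRED:
        return [f"unknown path {path!r}"]
    findings = [f"missing {name}" for name in REQUIRED[path]
                if not str(event.get(name) or "").strip()]
    findings += [f"unexpected {name} on {path}" for name in FORBIDDEN[path]
                 if event.get(name)]
    return findings


def review(events):
    """Map event id to findings, keeping only events that need attention."""
    report = {e["id"]: review_event(e) for e in events}
    return {event_id: f for event_id, f in report.items() if f}


if __name__ == "__main__":
    for event_id, findings in review(SAMPLE_EVENTS).items():
        print(event_id, "; ".join(findings))
```

On the sample data, `e2` is flagged for an empty reason and `e4` for a human actor on the machine path with no retrieval credential.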