Configuration Examples

This document provides comprehensive examples of all available REST configuration types for Moveworks Bond agents, with clear marking of required vs optional fields.

Table of Contents

Core Configuration

  1. Basic Agent Configuration Structure
  2. Moveworks Config
  3. Secrets Management

LDAP Configuration

  1. LDAP Config Structure
  2. Single Domain LDAP
  3. LDAP Forest (Multiple Domains)
  4. LDAP Field Reference

REST Configuration

  1. REST Config Structure
  2. Header Decorators
  3. Body Decorators
  4. URL Decorators
  5. REST Field Reference

Complete Examples

  1. Complete Agent Configuration Examples

Reference

  1. Common Patterns
  2. Troubleshooting

Basic Agent Configuration Structure

Every Bond agent configuration has three main sections:

bond_version: 2.10.3                    # [REQUIRED] Bond agent version

moveworks_config:                       # [REQUIRED] Connection to Moveworks platform
  access_key: your-org-name
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-secret-here

ldap_config:                            # [OPTIONAL] Single domain LDAP
  host: ldap.company.com
  port: 636
  # ... (see LDAP section below)

ldap_forest_config:                     # [OPTIONAL] Multiple domains
  domain1.company.com:
    host: dc1.company.com
    # ... (see LDAP Forest section below)

rest_configs:                           # [OPTIONAL] REST API clients
  SERVICE_NAME:
    service: SERVICE_NAME
    # ... (see REST section below)

secrets_provider_config:                # [OPTIONAL] Azure Key Vault or AWS Secrets Manager
  azure:
    default_vault: my-vault-name

Moveworks Config

The Moveworks config connects the Bond agent to the Moveworks platform.

Minimal Example

moveworks_config:
  access_key: your-org-name
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

Complete Example with All Options

moveworks_config:
  access_key: your-org-name                                     # [REQUIRED] Organization identifier
  auth_url: https://agents.moveworks.com/api/v1/auth           # [REQUIRED] Auth endpoint
  config_url: https://agents.moveworks.com/api/v1/config       # [REQUIRED] Config endpoint

  moveworks_access_secret:                                      # [REQUIRED] Access secret
    value: your-access-secret                                   # Use 'value' initially

  path_to_cert: /path/to/cert.pem                              # [OPTIONAL] TLS certificate path
  tls_skip_verify: false                                        # [OPTIONAL] Skip TLS verification

  proxy_url: http://proxy.company.com:8080                      # [OPTIONAL] Proxy URL
  proxy_url_enc: http://user:[email protected]:8080       # [OPTIONAL] Proxy with auth

  dynamic_config:                                               # [OPTIONAL] Runtime configuration
    api_url: https://api.moveworks.com
    log_url: https://logs.moveworks.com
    metrics_url: https://metrics.moveworks.com
    auth_refresh_period_secs: 3600
    pipeline_buf_size: 1000
    metrics_push_interval_secs: 60
    max_grpc_msg_size: 4194304

Secrets Management

Bond supports the following methods for managing sensitive values:

Method 1: Plain Text Value (Initial Configuration)

Use this when initially configuring. Bond automatically encrypts it.

client_secret:
  value: my-secret-password-123

After Bond processes it, you'll see:

client_secret:
  encrypted_value: lxNi3OdSLuoixKbzxylpQ0dnIRNPuQ==

Method 2: Pre-Encrypted Value

If you already have an encrypted value:

client_secret:
  encrypted_value: lxNi3OdSLuoixKbzxylpQ0dnIRNPuQ==

Method 3: Azure Key Vault

client_secret:
  azure_entry:
    secret_name: my-oauth-client-secret    # [REQUIRED] Secret name in vault
    vault: my-key-vault                    # [OPTIONAL] Vault name (uses default_vault if omitted)
    refresh_time_sec: 60                   # [OPTIONAL] Refresh interval

Requires secrets_provider_config:

secrets_provider_config:
  azure:
    default_vault: my-default-vault

Method 4: AWS Secrets Manager

client_secret:
  aws_entry:
    secret_name: my-oauth-client-secret    # [REQUIRED] Secret name
    region: us-west-2                      # [OPTIONAL] AWS region (uses default if omitted)
    refresh_time_sec: 60                   # [OPTIONAL] Refresh interval

Requires secrets_provider_config:

secrets_provider_config:
  aws:
    default_region: us-west-2

Fields that should be encrypted:

  • moveworks_access_secret - Agent access secret
  • ldap_service_password - LDAP service password
  • client_secret - OAuth2 client secret
  • client_refresh_token - OAuth2 refresh token
  • password - Basic auth password
  • url (in rest_call_config) - Token endpoint URLs (recommended)
  • Any sensitive header or query parameter values

LDAP Configuration

Bond supports two LDAP configuration modes:

  • ldap_config - Single domain LDAP
  • ldap_forest_config - Multiple domains/forests

LDAP Config Structure

ldap_config:                              # Single domain configuration
  host: ldap.company.com                  # [REQUIRED] LDAP host
  port: 636                               # [REQUIRED] LDAP port
  service_user: DOMAIN\svc_moveworks      # [REQUIRED] Service account
  ldap_service_password:                  # [REQUIRED] Service account password
    value: password-here

  # Optional fields
  domain: company.com                     # [OPTIONAL] Domain name
  use_ssl: true                           # [OPTIONAL] Use SSL/TLS
  use_start_tls: false                    # [OPTIONAL] Use StartTLS
  path_to_cert: /path/to/cert.pem         # [OPTIONAL] Certificate path
  tls_skip_verify: false                  # [OPTIONAL] Skip TLS verification

  dynamic_config:                         # [OPTIONAL] Runtime configuration
    pool_size: 10
    timeout_ms: 30000

Single Domain LDAP

Minimal Example (LDAPS on Port 636)

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true

Complete Example with All Options

ldap_config:
  # Connection Settings
  host: ldap.company.com                  # [REQUIRED] LDAP server hostname
  port: 636                               # [REQUIRED] LDAP port (636 for LDAPS, 389 for LDAP/StartTLS)
  domain: company.com                     # [OPTIONAL] Domain name

  # Authentication
  service_user: COMPANY\svc_moveworks     # [REQUIRED] Service account username
  ldap_service_password:                  # [REQUIRED] Service account password
    value: your-ldap-password             # Use 'value' initially

  # TLS/SSL Settings
  use_ssl: true                           # [OPTIONAL] Use LDAPS (default: false)
  use_start_tls: false                    # [OPTIONAL] Use StartTLS (default: false)
  path_to_cert: /home/moveworks/agent/certs/ldap-cert.pem  # [OPTIONAL] CA certificate path
  tls_skip_verify: false                  # [OPTIONAL] Skip TLS verification (not recommended)

  # Performance Settings
  dynamic_config:                         # [OPTIONAL] Runtime configuration
    pool_size: 10                         # Connection pool size
    timeout_ms: 30000                     # Timeout in milliseconds (30 seconds)

LDAPS (Port 636)

Standard LDAP over SSL:

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

LDAP with StartTLS (Port 389)

LDAP with opportunistic TLS upgrade:

ldap_config:
  host: ldap.company.com
  port: 389
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-password
  use_start_tls: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

LDAP with Azure Key Vault

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    azure_entry:
      secret_name: ldap-service-password
      vault: my-vault
      refresh_time_sec: 60
  use_ssl: true

LDAP Forest (Multiple Domains)

Use ldap_forest_config when you have multiple LDAP domains or forests.

Structure

ldap_forest_config:
  domain1.company.com:              # Domain identifier (map key)
    domain: domain1.company.com
    host: dc1.company.com
    port: 636
    service_user: service_account
    ldap_service_password:
      value: password1
    # ... (same options as ldap_config)

  domain2.company.com:              # Second domain
    domain: domain2.company.com
    host: dc2.company.com
    port: 636
    service_user: service_account2
    ldap_service_password:
      value: password2

Minimal Example

ldap_forest_config:
  east.company.com:
    domain: east.company.com
    host: ldap-east.company.com
    port: 636
    service_user: EAST\svc_moveworks
    ldap_service_password:
      value: password-east
    use_ssl: true

  west.company.com:
    domain: west.company.com
    host: ldap-west.company.com
    port: 636
    service_user: WEST\svc_moveworks
    ldap_service_password:
      value: password-west
    use_ssl: true

Complete Example with All Options

ldap_forest_config:
  primary.company.com:
    # Connection Settings
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636

    # Authentication
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      value: password-primary

    # TLS/SSL Settings
    use_ssl: true
    use_start_tls: false
    path_to_cert: /home/moveworks/agent/certs/primary-cert.pem
    tls_skip_verify: false

    # Performance Settings
    dynamic_config:
      pool_size: 10
      timeout_ms: 30000

  subsidiary.partner.com:
    domain: subsidiary.partner.com
    host: dc-subsidiary.partner.com
    port: 389
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-subsidiary-password
        vault: my-vault
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/subsidiary-cert.pem

LDAP Field Reference

| Field | Required | Default | Description |
|---|---|---|---|
| host | ✅ Yes | - | LDAP server hostname or IP |
| port | ✅ Yes | - | LDAP port (636 for LDAPS, 389 for LDAP/StartTLS) |
| service_user | ✅ Yes | - | Service account username (format: DOMAIN\username) |
| ldap_service_password | ✅ Yes | - | Service account password (encrypted) |
| domain | ❌ No | - | Domain name |
| use_ssl | ❌ No | false | Use LDAPS (SSL/TLS from start) |
| use_start_tls | ❌ No | false | Use StartTLS (upgrade connection to TLS) |
| path_to_cert | ❌ No | - | Path to CA certificate for TLS verification |
| tls_skip_verify | ❌ No | false | Skip TLS certificate verification (not recommended) |
| dynamic_config.pool_size | ❌ No | - | Connection pool size |
| dynamic_config.timeout_ms | ❌ No | - | Connection timeout in milliseconds |

Important Notes:

  • Use either use_ssl (port 636) OR use_start_tls (port 389), not both
  • path_to_cert is required when using SSL/TLS unless tls_skip_verify is true
  • ldap_forest_config uses the same fields, but as a map with domain identifiers as keys
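
A pre-deployment check for the rules above and for the "Fields that should be encrypted" list, written as an added example (not Moveworks code). It assumes the config has already been parsed into a dict, for instance with yaml.safe_load; the check names, messages and sample configs are constructed for illustration.

```python
# Added example: lints a parsed Bond config against rules stated in this document.
# Field names come from the page; the checks and messages are this example's own.

# Field names listed under "Fields that should be encrypted".
SECRET_FIELDS = {"moveworks_access_secret", "ldap_service_password",
                 "client_secret", "client_refresh_token", "password"}
# Entry type -> (provider section, per-entry override, default key).
PROVIDERS = {"azure_entry": ("azure", "vault", "default_vault"),
             "aws_entry": ("aws", "region", "default_region")}


def _walk(node, path=""):
    """Yield (path, key, value) for every mapping entry, descending into lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            yield here, key, value
            yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")


def _check_ldap(name, cfg):
    """Apply the 'Important Notes' of the LDAP field reference to one domain."""
    out = []
    ssl, starttls = cfg.get("use_ssl", False), cfg.get("use_start_tls", False)
    if ssl and starttls:
        out.append(f"{name}: use_ssl and use_start_tls are both set; use one")
    if (ssl or starttls) and not cfg.get("tls_skip_verify", False) \
            and not cfg.get("path_to_cert"):
        out.append(f"{name}: TLS is on but path_to_cert is missing")
    return out


def audit(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    defaults = config.get("secrets_provider_config") or {}
    for path, key, value in _walk(config):
        if key == "tls_skip_verify" and value is True:
            findings.append(f"{path}: TLS certificate verification is disabled")
        if not isinstance(value, dict):
            continue
        if key in SECRET_FIELDS and "value" in value:
            # Bond has not yet rewritten this entry to encrypted_value.
            findings.append(f"{path}: secret is still a plain-text 'value'")
        if key in PROVIDERS:
            provider, override, default = PROVIDERS[key]
            if not value.get(override) and not (defaults.get(provider) or {}).get(default):
                findings.append(f"{path}: no {override} and no {provider}.{default}")
    domains = {f"ldap_forest_config.{k}": v
               for k, v in (config.get("ldap_forest_config") or {}).items()}
    if "ldap_config" in config:
        domains["ldap_config"] = config["ldap_config"]
    for name, cfg in domains.items():
        findings.extend(_check_ldap(name, cfg))
    return findings


# Constructed sample with six deliberate problems.
SAMPLE_BAD = {
    "moveworks_config": {"moveworks_access_secret": {"encrypted_value": "<ciphertext>"}},
    "ldap_forest_config": {
        "east.company.com": {
            "host": "ldap-east.company.com", "port": 636,
            "ldap_service_password": {"value": "password-east"},
            "use_ssl": True, "use_start_tls": True,
            "path_to_cert": "/home/moveworks/agent/certs/cert.pem"},
        "west.company.com": {
            "host": "ldap-west.company.com", "port": 389,
            "ldap_service_password": {"azure_entry": {"secret_name": "ldap-west"}},
            "use_start_tls": True},
    },
    "rest_configs": {"JIRA": {
        "service": "JIRA", "tls_skip_verify": True,
        "header_decorators": [{"basic_auth": {
            "username": "jira-service-account",
            "password": {"value": "your-password-here"}}}]}},
}

# Constructed sample that passes every check.
SAMPLE_OK = {
    "moveworks_config": {"moveworks_access_secret": {"encrypted_value": "<ciphertext>"}},
    "secrets_provider_config": {"azure": {"default_vault": "my-vault"}},
    "ldap_config": {
        "host": "ldap.company.com", "port": 636, "use_ssl": True,
        "path_to_cert": "/home/moveworks/agent/certs/cert.pem",
        "ldap_service_password": {"azure_entry": {"secret_name": "ldap-service-password"}}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_BAD):
        print(finding)
```

A plain-text value is expected in a freshly written config, so that finding matters most for files that are committed, copied or backed up before Bond has processed them.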

REST Configuration

Bond supports REST API clients with various authentication methods.


REST Config Structure

rest_configs:
  CLIENT_NAME:                          # Client identifier (map key)
    service: SERVICE_NAME               # [REQUIRED] Service identifier

    # Decorators
    header_decorators: []               # [OPTIONAL] List of header decorators
    body_decorators: []                 # [OPTIONAL] List of body decorators
    url_decorators: []                  # [OPTIONAL] List of URL decorators

    # Configuration Options
    max_response_size: 10485760         # [OPTIONAL] Max response size in bytes (10MB)
    ca_cert_path: /path/to/cert.pem     # [OPTIONAL] CA certificate for TLS
    tls_skip_verify: false              # [OPTIONAL] Skip TLS verification
    do_not_use_rest_proxy: false        # [OPTIONAL] Bypass proxy for this client
    use_ntlmv2: false                   # [OPTIONAL] Use NTLMv2 authentication

    # Dynamic Configuration
    dynamic_config:                     # [OPTIONAL] Runtime configuration
      buf_size: 1000
      timeout_ms: 30000

Key Points:

  • The client name is the map key (e.g., JIRA:, SNOW:)
  • There is NO base_url field - the Moveworks platform passes full URLs per-request
  • The service field is REQUIRED
  • Decorators are applied to all requests made through this client

Header Decorators

Header decorators add authentication headers and static headers to all requests.

1. Plain Headers (Static Headers)

Add static key-value pairs to request headers.

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-static-api-key

Multiple Static Headers

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-api-key
      - plain:
          header_key: X-API-Version
          header_value: v2
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond

Use Cases:

  • API keys that don't change
  • API version headers
  • Client identification headers

2. File-Based Headers

Load headers from a JSON file at runtime.

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - file:
          file_path: /home/moveworks/agent/headers.json

JSON File Format:

{
  "X-API-Key": "dynamic-api-key",
  "X-Custom-Header": "custom-value",
  "Authorization": "Bearer token123"
}

Use Cases:

  • Credentials stored in secure files
  • Headers that need rotation without config changes
  • Environment-specific headers

3. Basic Authentication

HTTP Basic Authentication (username:password encoded in Base64).

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service-account
          password:
            value: your-password-here

Use Cases:

  • Jira Cloud with API tokens
  • APIs using HTTP Basic Authentication
  • Legacy systems

4. OAuth2 Client Credentials

OAuth2 Client Credentials Grant flow (machine-to-machine).

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token

Complete Example with All Options

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: my_client_id                       # [REQUIRED]
          client_secret:                                # [REQUIRED]
            value: my-client-secret
          scope: read write admin                       # [REQUIRED by most providers]
          rest_call_config:
            # Token Endpoint
            url:                                        # [REQUIRED]
              value: https://oauth.example.com/token

            # Token Response Parsing
            token_body_key: access_token                # [OPTIONAL] Default: "access_token"
            token_body_pattern: "token:(.*)"            # [OPTIONAL] Regex to extract token

            # Request Configuration
            method: POST                                # [OPTIONAL] Default: POST
            request_body: "custom_body_template"        # [OPTIONAL] Custom request body

            # Header Configuration
            header_key: Authorization                   # [OPTIONAL] Default: "Authorization"
            header_template: Bearer %s                  # [OPTIONAL] Default: "Bearer %s"

            # Token Refresh
            refresh_time_sec: 3600                      # [OPTIONAL] Default: 3600 (1 hour)

            # Additional Headers
            auth_headers:                               # [OPTIONAL]
              Content-Type: application/x-www-form-urlencoded
              X-Custom-Header: value

Use Cases:

  • Microsoft Azure AD
  • Google Cloud Platform service accounts
  • AWS Cognito machine-to-machine
  • Salesforce OAuth2

Key Requirements:

  • client_id - Your OAuth2 client identifier
  • client_secret - Your OAuth2 client secret
  • rest_call_config.url - Token endpoint URL
  • scope - Required by most OAuth2 providers

5. OAuth2 Basic Auth

OAuth2 where client_id:client_secret is sent as a Basic Auth header instead of in the request body.

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_basic_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read
          rest_call_config:
            url:
              value: https://oauth.example.com/token

Complete Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_basic_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
            token_body_key: access_token
            method: POST
            header_key: Authorization
            header_template: Bearer %s
            refresh_time_sec: 3600

Difference from oauth2_client_credentials_auth:

  • oauth2_client_credentials_auth: Sends credentials in request body
  • oauth2_basic_auth: Sends credentials as Basic Auth header

Use Cases:

  • Atlassian APIs
  • APIs requiring OAuth2 with Basic Auth header

6. OAuth2 Refresh Token

OAuth2 flows with refresh tokens for long-lived access.

Minimal Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_refresh_token_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          client_refresh_token:
            value: my-refresh-token
          scope: read offline_access
          rest_call_config:
            url:
              value: https://oauth.example.com/token

Complete Example

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      - oauth2_refresh_token_auth:
          client_id: my_client_id
          client_secret:
            value: my-client-secret
          client_refresh_token:
            value: my-long-lived-refresh-token
          scope: read write offline_access
          rest_call_config:
            url:
              value: https://oauth.example.com/token
            token_body_key: access_token
            method: POST
            header_key: Authorization
            header_template: Bearer %s
            refresh_time_sec: 3600

Use Cases:

  • Long-lived user authentication
  • OAuth2 flows where users grant permission once
  • Refresh token rotation

7. Custom Auth

Custom authentication flows for non-standard token endpoints.

Minimal Example

rest_configs:
  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://api.example.com/auth

Complete Example (BMC Remedy Style)

rest_configs:
  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://remedy.company.com/api/jwt/login
          method: POST
          header_key: AR-JWT
          header_template: "AR-JWT %s"
          refresh_time_sec: 300
          token_body_key: token
          token_body_pattern: "\"token\":\"([^\"]+)\""
          request_body: "username=user&password=pass"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded

Complete Example (Cherwell Style)

rest_configs:
  CHERWELL:
    service: CHERWELL
    header_decorators:
      - custom_auth:
          url:
            value: https://cherwell.company.com/CherwellAPI/token
          method: POST
          header_key: Authorization
          header_template: Bearer %s
          refresh_time_sec: 1200
          token_body_key: access_token
          request_body: "grant_type=password&authMode=internal&client_id=KEY&username=USER&password=PASS"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded

Use Cases:

  • BMC Remedy authentication
  • Cherwell authentication
  • Custom enterprise authentication systems
  • Legacy authentication mechanisms
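
The difference between oauth2_client_credentials_auth and oauth2_basic_auth, and the token_body_key, token_body_pattern, header_key and header_template fields used by the OAuth2 and custom_auth decorators, worked through as an added example (not Bond's implementation). It assumes a standard OAuth2 client-credentials token request, that a configured token_body_pattern takes precedence over token_body_key, and that the first capture group is the token; the sample config and responses are constructed.

```python
import base64
import json
import re
from urllib.parse import urlencode

FORM = "application/x-www-form-urlencoded"


def build_token_request(decorator, cfg):
    """Return (headers, body) of the token call for one decorator type."""
    call = cfg["rest_call_config"]
    headers = dict(call.get("auth_headers") or {"Content-Type": FORM})
    form = {"grant_type": "client_credentials"}
    if cfg.get("scope"):
        form["scope"] = cfg["scope"]
    secret = cfg["client_secret"]["value"]
    if decorator == "oauth2_client_credentials_auth":
        # Credentials travel in the form body.
        form.update(client_id=cfg["client_id"], client_secret=secret)
    elif decorator == "oauth2_basic_auth":
        # Credentials travel in an Authorization: Basic header instead.
        pair = f"{cfg['client_id']}:{secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode()
    else:
        raise ValueError(f"unsupported decorator: {decorator}")
    return headers, urlencode(form)


def extract_token(response_text, call):
    """Pull the token out of a token-endpoint response body."""
    pattern = call.get("token_body_pattern")
    if pattern:
        # Assumption: the regex wins when present, capture group 1 is the token.
        match = re.search(pattern, response_text)
        if match is None:
            raise ValueError("token_body_pattern did not match the response")
        return match.group(1)
    key = call.get("token_body_key", "access_token")
    return json.loads(response_text)[key]


def auth_header(token, call):
    """Render the header attached to outgoing requests."""
    key = call.get("header_key", "Authorization")
    template = call.get("header_template", "Bearer %s")
    return key, template.replace("%s", token, 1)


# Constructed config using the field names from the minimal examples above.
SAMPLE_CFG = {
    "client_id": "my_client_id",
    "client_secret": {"value": "my-client-secret"},
    "scope": "read write",
    "rest_call_config": {"url": {"value": "https://oauth.example.com/token"}},
}
JSON_RESPONSE = '{"access_token": "tok-123", "token_type": "bearer"}'  # constructed

# custom_auth fields from the BMC Remedy style example; the response is constructed.
REMEDY_CALL = {
    "header_key": "AR-JWT",
    "header_template": "AR-JWT %s",
    "token_body_key": "token",
    "token_body_pattern": r'"token":"([^"]+)"',
}
REMEDY_RESPONSE = '{"token":"abc.def.ghi"}'

if __name__ == "__main__":
    for kind in ("oauth2_client_credentials_auth", "oauth2_basic_auth"):
        headers, body = build_token_request(kind, SAMPLE_CFG)
        print(kind, sorted(headers), body)
    print(auth_header(extract_token(JSON_RESPONSE, {}), {}))
    print(auth_header(extract_token(REMEDY_RESPONSE, REMEDY_CALL), REMEDY_CALL))
```

Running a candidate token_body_pattern against a captured response this way catches a non-matching regex before the agent starts sending requests without a token.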

8. Multiple Decorators Combined

You can combine multiple header decorators in a single REST config.

OAuth2 + Static Headers

rest_configs:
  MY_API:
    service: MY_API
    header_decorators:
      # OAuth2 authentication
      - oauth2_client_credentials_auth:
          client_id: my_client_id
          client_secret:
            value: my-secret
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token

      # Static API version
      - plain:
          header_key: X-API-Version
          header_value: v2

      # Static client identifier
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond

Basic Auth + Static Headers

rest_configs:
  LEGACY_API:
    service: LEGACY_API
    header_decorators:
      - basic_auth:
          username: api_user
          password:
            value: password123

      - plain:
          header_key: Content-Type
          header_value: application/json

Body Decorators

Body decorators merge key-value pairs into the request body.

1. Plain Body (Static Values)

rest_configs:
  MY_API:
    service: MY_API
    body_decorators:
      - plain:
          body_key: source
          body_value: moveworks
      - plain:
          body_key: environment
          body_value: production

2. File-Based Body

Load body values from a JSON file at runtime.

rest_configs:
  MY_API:
    service: MY_API
    body_decorators:
      - file:
          file_path: /home/moveworks/agent/body-params.json

JSON File Format:

{
  "source": "moveworks",
  "environment": "production",
  "version": "2.0"
}

URL Decorators

URL decorators add query parameters to request URLs.

1. Plain Query Parameter

Add static query parameters to all requests.

rest_configs:
  MY_API:
    service: MY_API
    url_decorators:
      - plain_query_parameter:
          query_key: api_version
          query_value:
            value: v2

2. Oracle WebCenter Auth

Special authentication for Oracle WebCenter.

rest_configs:
  ORACLE_WEBCENTER:
    service: ORACLE_WEBCENTER
    url_decorators:
      - oracle_web_centre_auth:
          username: oracle_user
          password:
            value: oracle-password
          query_parameter:
            query_key: auth_token
            query_template: "%s"
            rest_call_config:
              url:
                value: https://oracle.company.com/auth

REST Field Reference

REST Config Top Level

| Field | Required | Default | Description |
|---|---|---|---|
| service | ✅ Yes | - | Service identifier (min length 1) |
| header_decorators | ❌ No | [] | List of header decorators |
| body_decorators | ❌ No | [] | List of body decorators |
| url_decorators | ❌ No | [] | List of URL decorators |
| max_response_size | ❌ No | 10MB | Maximum response size in bytes |
| ca_cert_path | ❌ No | - | CA certificate path for TLS |
| tls_skip_verify | ❌ No | false | Skip TLS verification |
| do_not_use_rest_proxy | ❌ No | false | Bypass proxy for local requests |
| use_ntlmv2 | ❌ No | false | Use NTLMv2 authentication |
| dynamic_config.buf_size | ❌ No | - | Buffer size |
| dynamic_config.timeout_ms | ❌ No | - | Timeout in milliseconds |

Important: There is NO base_url field. The Moveworks platform passes full URLs per-request.

OAuth2 RestAuthCallConfig

| Field | Required | Default | Description |
|---|---|---|---|
| url | ✅ Yes | - | Token endpoint URL (encrypted) |
| method | ❌ No | POST | HTTP method for token request |
| header_key | ❌ No | Authorization | Header name for token |
| header_template | ❌ No | Bearer %s | Template for header value |
| refresh_time_sec | ❌ No | 3600 | Token refresh interval (seconds) |
| token_body_key | ❌ No | access_token | JSON key to extract token |
| token_body_pattern | ❌ No | - | Regex pattern to extract token |
| request_body | ❌ No | - | Custom request body template |
| auth_headers | ❌ No | {Content-Type: application/x-www-form-urlencoded} | Headers for token request |

OAuth2 Client Credentials / Basic Auth / Refresh Token

| Field | Required | Default | Description |
|---|---|---|---|
| client_id | ✅ Yes | - | OAuth2 client identifier |
| client_secret | ✅ Yes | - | OAuth2 client secret (encrypted) |
| client_refresh_token | ✅ Yes (refresh only) | - | OAuth2 refresh token (encrypted) |
| scope | ❌ No | - | Space-separated OAuth2 scopes |
| rest_call_config | ✅ Yes | - | Token endpoint configuration |

Complete Agent Configuration Examples

Example 1: LDAPS Only

Basic LDAP over SSL configuration:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret-here

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

Example 2: LDAPS + Jira (Basic Auth)

LDAP with a single REST client using Basic Authentication:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service-account
          password:
            value: your-jira-password

Example 3: LDAP Forest with Multiple Domains

Configuration for LDAP environments with multiple domains:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_forest_config:
  primary.company.com:
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      value: your-password-primary
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/primary-cert.pem

  subsidiary.company.com:
    domain: subsidiary.company.com
    host: dc-subsidiary.company.com
    port: 636
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      value: your-password-subsidiary
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/subsidiary-cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-user
          password:
            value: your-jira-password

Example 4: Azure Key Vault + OAuth2

Using Azure Key Vault for secrets management with OAuth2:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    azure_entry:
      secret_name: moveworks-access-secret
      vault: my-vault

secrets_provider_config:
  azure:
    default_vault: my-vault

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    azure_entry:
      secret_name: ldap-service-password
      refresh_time_sec: 60
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  SERVICENOW:
    service: SERVICENOW
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client_id
          client_secret:
            azure_entry:
              secret_name: snow-oauth-secret
              refresh_time_sec: 60
          scope: read write
          rest_call_config:
            url:
              azure_entry:
                secret_name: snow-token-url
                refresh_time_sec: 60

Example 5: Multiple REST Clients with Mixed Auth

LDAP with multiple REST clients using different authentication methods:

bond_version: 2.10.3
moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    value: your-access-secret

ldap_config:
  host: ldap.company.com
  port: 636
  service_user: COMPANY\svc_moveworks
  ldap_service_password:
    value: your-ldap-password
  use_ssl: true
  path_to_cert: /home/moveworks/agent/certs/cert.pem

rest_configs:
  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service
          password:
            value: jira-password

  SERVICENOW:
    service: SERVICENOW
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client
          client_secret:
            value: snow-secret
          scope: read write
          rest_call_config:
            url:
              value: https://instance.service-now.com/oauth_token.do

  SALESFORCE:
    service: SALESFORCE
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: sfdc_client
          client_secret:
            value: sfdc-secret
          scope: api
          rest_call_config:
            url:
              value: https://login.salesforce.com/services/oauth2/token
      - plain:
          header_key: X-API-Version
          header_value: "v58.0"

Example 6: All Features Combined

Comprehensive example showing all configuration options:

bond_version: 2.10.3

moveworks_config:
  access_key: moveworks
  auth_url: https://agents.moveworks.com/api/v1/auth
  config_url: https://agents.moveworks.com/api/v1/config
  moveworks_access_secret:
    azure_entry:
      secret_name: moveworks-secret
  path_to_cert: /home/moveworks/agent/certs/moveworks-cert.pem
  proxy_url: http://proxy.company.com:8080

secrets_provider_config:
  azure:
    default_vault: my-vault

ldap_forest_config:
  primary.company.com:
    domain: primary.company.com
    host: dc-primary.company.com
    port: 636
    service_user: PRIMARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-primary-password
    use_ssl: true
    path_to_cert: /home/moveworks/agent/certs/ldap-primary.pem

  subsidiary.partner.com:
    domain: subsidiary.partner.com
    host: dc-subsidiary.partner.com
    port: 389
    service_user: SUBSIDIARY\svc_moveworks
    ldap_service_password:
      azure_entry:
        secret_name: ldap-subsidiary-password
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/ldap-subsidiary.pem

rest_configs:
  SERVICENOW:
    service: SERVICENOW
    max_response_size: 104857600
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: snow_client
          client_secret:
            azure_entry:
              secret_name: snow-client-secret
          scope: read write
          rest_call_config:
            url:
              azure_entry:
                secret_name: snow-token-url
            token_body_key: access_token
            refresh_time_sec: 3600
      - plain:
          header_key: X-Client-ID
          header_value: moveworks-bond

    body_decorators:
      - plain:
          body_key: source
          body_value: moveworks

    url_decorators:
      - plain_query_parameter:
          query_key: sysparm_display_value
          query_value:
            value: "true"

  JIRA:
    service: JIRA
    header_decorators:
      - basic_auth:
          username: jira-service
          password:
            azure_entry:
              secret_name: jira-password

  BMC_REMEDY:
    service: BMC_REMEDY
    header_decorators:
      - custom_auth:
          url:
            value: https://remedy.company.com/api/jwt/login
          method: POST
          header_key: AR-JWT
          header_template: "AR-JWT %s"
          refresh_time_sec: 300
          request_body: "username=remedyuser&password=remedypass"
          auth_headers:
            Content-Type: application/x-www-form-urlencoded

Common Patterns

Pattern 1: Simple API Key

rest_configs:
  SIMPLE_API:
    service: SIMPLE_API
    header_decorators:
      - plain:
          header_key: X-API-Key
          header_value: my-api-key

Pattern 2: OAuth2 with API Version

rest_configs:
  MODERN_API:
    service: MODERN_API
    header_decorators:
      - oauth2_client_credentials_auth:
          client_id: client123
          client_secret:
            value: secret123
          scope: read write
          rest_call_config:
            url:
              value: https://oauth.example.com/token
      - plain:
          header_key: X-API-Version
          header_value: v2

Pattern 3: Basic Auth with Content Type

rest_configs:
  LEGACY_API:
    service: LEGACY_API
    header_decorators:
      - basic_auth:
          username: api_user
          password:
            value: password123
      - plain:
          header_key: Content-Type
          header_value: application/json

Pattern 4: LDAP Forest with StartTLS

ldap_forest_config:
  domain1.company.com:
    domain: domain1.company.com
    host: dc1.company.com
    port: 389
    service_user: DOMAIN1\svc_moveworks
    ldap_service_password:
      value: password1
    use_start_tls: true
    path_to_cert: /home/moveworks/agent/certs/cert.pem
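
A review aid for configurations like the ones above, added here as an example and not part of the Bond agent or its tooling: a dependency-free Python check that flags secrets given inline through value: instead of a vault entry, a password written into request_body, tls_skip_verify: true, and LDAP on port 389 without use_start_tls. The rules, the finding wording and the small indentation-based reader (it handles only the block-style YAML used on this page) are assumptions of this example. An inline value: is flagged for review only, because the check cannot tell whether the value is encrypted.

```python
SECRET_KEYS = {"password", "client_secret", "ldap_service_password",
               "moveworks_access_secret"}  # credential-bearing keys on this page

def parse(text):
    """Yield (path, value) for each 'key: value' line of block-style YAML."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        body = raw.split(" #")[0].strip()
        indent = len(raw) - len(raw.lstrip())
        if body.startswith("- "):  # list item: its key sits two columns in
            indent, body = indent + 2, body[2:]
        key, sep, value = body.partition(":")
        if sep and not body.startswith("#"):
            stack = [s for s in stack if s[0] < indent] + [(indent, key.strip())]
            yield tuple(k for _, k in stack), value.strip().strip('"')

def audit(text):
    """Return (config path, finding) pairs; rules are this example's own."""
    findings, blocks = [], {}
    for path, value in parse(text):
        key, where = path[-1], ".".join(path)
        blocks.setdefault(path[:-1], {})[key] = value
        if key == "value" and value and SECRET_KEYS & set(path[-2:-1]):
            findings.append((where, "secret stored inline"))
        elif key == "tls_skip_verify" and value == "true":
            findings.append((where, "certificate verification disabled"))
        elif key == "request_body" and "password=" in value.lower():
            findings.append((where, "credential embedded in request body"))
    for parent, keys in blocks.items():
        if keys.get("port") == "389" and keys.get("use_start_tls") != "true":
            findings.append((".".join(parent) + ".port", "port 389 without StartTLS"))
    return findings

# Constructed sample, assembled from the patterns on this page.
SAMPLE = """\
ldap_config:
  port: 389
  ldap_service_password:
    value: password1
  tls_skip_verify: true
rest_configs:
  BMC_REMEDY:
    header_decorators:
      - custom_auth:
          request_body: "username=remedyuser&password=remedypass"
"""

for where, finding in audit(SAMPLE):
    print(f"{where}: {finding}")
```
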

Troubleshooting

LDAP Issues

Connection Timeout

Symptoms: Agent can't connect to LDAP server

Check:

  1. Verify host and port are correct
  2. Check firewall rules allow traffic from agent
  3. Verify certificate path if using SSL/TLS
  4. Test connection: ldapsearch -H ldaps://host:636 -x

Authentication Failed

Symptoms: "Invalid credentials" or "Bind failed"

Check:

  1. Verify service_user format (DOMAIN\username or username@domain.com)
  2. Confirm password is correct
  3. Check if service account is locked or expired
  4. Verify service account has LDAP read permissions

TLS/SSL Errors

Symptoms: "Certificate verification failed"

Check:

  1. Verify path_to_cert points to correct CA certificate
  2. Check certificate hasn't expired
  3. Ensure certificate chain is complete
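  4. To isolate the cause, try tls_skip_verify: true temporarily; it turns off certificate verification, so remove it once the certificate problem is fixed (not recommended for production)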

REST Issues

Token Not Being Applied

Check:

  1. Is token_body_key correct? (default is "access_token")
  2. Does token endpoint return JSON with expected key?
  3. Is header_template correct? (default is "Bearer %s")
  4. Is token endpoint URL accessible from agent?
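
The first three checks can be run offline against a captured token endpoint response. The Python sketch below is an added example, not Bond agent code: it assumes the token is read from the JSON key named by token_body_key and substituted into header_template, using the defaults listed above, and check_token_response is a name chosen for this example.

```python
import json

def check_token_response(body, token_body_key="access_token",
                         header_template="Bearer %s"):
    """Return (header_value, problem); one of the two is always None."""
    if header_template.count("%s") != 1:
        return None, "header_template must contain exactly one %s"
    try:
        doc = json.loads(body)
    except ValueError:
        return None, "token endpoint response is not JSON"
    if not isinstance(doc, dict):
        return None, "token endpoint response is not a JSON object"
    token = doc.get(token_body_key)
    if not isinstance(token, str) or not token:
        # Report key names only, never values, so no token reaches a log.
        return None, f"no string under {token_body_key!r}; keys present: {sorted(doc)}"
    return header_template.replace("%s", token), None

# Constructed token endpoint responses; the token is a placeholder.
GOOD = '{"access_token": "tok-constructed-123", "expires_in": 3600}'
RENAMED = '{"token": "tok-constructed-123", "expires_in": 3600}'
NOT_JSON = "<html>Sign in</html>"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("RENAMED", RENAMED), ("NOT_JSON", NOT_JSON)):
        header, problem = check_token_response(body)
        print(name, "->", problem or "header would be set")
```
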

Auth Failing

Check:

  1. Are credentials encrypted correctly?
  2. Is client_id correct?
  3. Are scope values correct and space-separated?
  4. Is token endpoint URL correct?
  5. Check agent logs for auth request/response details

Headers Not Appearing

Check:

  1. Is decorator in header_decorators list?
  2. Are required fields present?
  3. For file-based headers, does file exist with correct permissions?
  4. Are static headers properly formatted?

Missing Required service Field

Symptoms: Configuration validation errors

Fix: Add service field to all REST configs:

rest_configs:
  MY_CLIENT:
    service: MY_SERVICE  # Add this
    header_decorators: []

Azure Key Vault Issues

Secret Not Found

Check:

  1. Verify secret_name is correct
  2. Check vault name (or default_vault in secrets_provider_config)
  3. Verify agent has access to Key Vault (managed identity or service principal)
  4. Check Azure RBAC permissions

Secret Not Refreshing

Check:

  1. Verify refresh_time_sec is set if needed
  2. Check agent logs for refresh errors
  3. Verify Key Vault network rules allow agent access

General Debugging

Enable Debug Logging

Add to moveworks_config.dynamic_config:

moveworks_config:
  dynamic_config:
    # Add this for debugging (in dynamic_config via API)

Or set via Bond dynamic config API.

Check Agent Logs

# View agent logs
tail -f /var/log/moveworks/bond-agent.log

# Search for errors
grep ERROR /var/log/moveworks/bond-agent.log

Test Connectivity

# Test LDAP
ldapsearch -H ldaps://ldap.company.com:636 -x -D "DOMAIN\user" -W

# Test REST endpoint
curl -v https://api.example.com/endpoint

# Test with Bond proxy
curl -v --proxy http://proxy:8080 https://api.example.com/endpoint