Version: 3.9.x

Secure Credentials Management

Protecting sensitive information like SSL certificates, API keys, and passwords is a critical security and compliance requirement. API7 Gateway provides robust tools for managing these credentials securely, both within the gateway and through integration with external secret management systems.

Prerequisites

Capabilities

  • Secure SSL Management: Centralized storage and automated renewal for SSL certificates.
  • Credential Encryption at Rest: Sensitive values are encrypted before being stored in the gateway's configuration database.
  • Secret Manager Integration: Integrate with HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault for centralized secret control.
  • Environment Variable Support: Inject secrets as environment variables during deployment.

SSL Certificate Management

API7 Gateway allows you to store and manage SSL certificates through the Control Plane. You can associate certificates with specific domains (SNIs) to enable HTTPS on your routes.

curl -k "https://localhost:7443/apisix/admin/ssls/example-com-ssl?gateway_group_id={gateway_group_id}" -X PUT \
  -H "X-API-KEY: ${API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "snis": ["example.com"],
    "cert": "$CERTIFICATE_CONTENT",
    "key": "$PRIVATE_KEY_CONTENT"
  }'

Replace {gateway_group_id} with the gateway group ID from the Gateway Groups page in the Dashboard (use default for the gateway group created by the quickstart). Replace $CERTIFICATE_CONTENT and $PRIVATE_KEY_CONTENT with the PEM-encoded certificate and private key (newlines escaped as \n). The -k flag skips TLS certificate verification for this request; omit it when the Admin API presents a certificate your client trusts.

External Secret Managers

For enterprise-grade secret management, use an external secret manager. API7 Gateway can fetch sensitive values directly from these systems at runtime.

HashiCorp Vault Integration

API7 Gateway can fetch sensitive values from HashiCorp Vault at runtime. The end-to-end flow is:

  1. Create a Vault Secret Provider in your gateway group via the Admin API. See Configure a HashiCorp Vault Secret Provider for the request shape, required fields (uri, prefix, token, optional kv_version and authentication_method), and a walkthrough for standing up a Vault instance and scoping a token.
  2. Reference secrets in your resource or plugin configuration using the $secret://{provider_type}/{provider_id}/{secret_key} URI scheme.

# In your plugin configuration
plugins:
  key-auth:
    key: "$secret://vault/my-vault/api-key-path/my-key"
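
The reference format in step 2 can be checked mechanically before a configuration is applied. The following is an added example, not API7 code and not part of the original page: it parses $secret:// references and reports sensitive plugin fields that hold a plaintext value, a malformed reference, or a provider that is not configured. The per-plugin field map, the resource names, and the sample values are assumptions constructed for illustration.

```python
import re

# $secret://{provider_type}/{provider_id}/{secret_key}; secret_key may contain "/".
SECRET_REF = re.compile(r"\$secret://([^/\s]+)/([^/\s]+)/(\S+)")

# Sensitive fields per plugin. Illustrative assumption for this example:
# extend it to cover the plugins you actually deploy.
SENSITIVE_FIELDS = {"key-auth": ("key",), "basic-auth": ("password",)}

def parse_secret_ref(value):
    """Return (provider_type, provider_id, secret_key), or None if malformed."""
    m = SECRET_REF.fullmatch(value) if isinstance(value, str) else None
    if m is None:
        return None
    key = m.group(3)
    if key.startswith("/") or key.endswith("/") or "//" in key:
        return None
    return m.group(1), m.group(2), key

def audit(resources, known_providers):
    """Return (resource, field_path, problem) findings; never echoes the value."""
    findings = []
    for name, plugins in resources.items():
        for plugin, conf in plugins.items():
            for field in SENSITIVE_FIELDS.get(plugin, ()):
                value = conf.get(field)
                if value is None:
                    continue
                ref = parse_secret_ref(value)
                if ref is not None and ref[:2] in known_providers:
                    continue  # well-formed reference to a configured provider
                if ref is not None:
                    problem = "unknown provider " + "/".join(ref[:2])
                elif isinstance(value, str) and value.startswith("$secret://"):
                    problem = "malformed secret reference"
                else:
                    problem = "plaintext credential"
                findings.append((name, f"{plugin}.{field}", problem))
    return findings

# Constructed sample input: plugin configs keyed by a hypothetical resource name.
KNOWN_PROVIDERS = {("vault", "my-vault")}
SAMPLE = {
    "consumer-a": {"key-auth": {"key": "$secret://vault/my-vault/api-key-path/my-key"}},
    "consumer-b": {"basic-auth": {"username": "alice", "password": "constructed-plaintext"}},
    "consumer-c": {"key-auth": {"key": "$secret://vault/my-vault"}},
    "consumer-d": {"key-auth": {"key": "$secret://vault/old-vault/api-key-path/my-key"}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, KNOWN_PROVIDERS):
        print(*finding, sep=": ")
```

Findings carry only the resource, the field path, and the problem, so the report itself can be stored in CI logs without exposing a credential.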

Credential Encryption at Rest

The API7 Control Plane automatically encrypts sensitive fields (like plugin password or key) before storing them in the configuration database (PostgreSQL). This ensures that even if the database is compromised, the actual credentials remain protected.

Next Steps
