
Version: latest

Secure Credentials Management

Protecting sensitive information like SSL certificates, API keys, and passwords is a critical security and compliance requirement. API7 Gateway provides robust tools for managing these credentials securely, both within the gateway and through integration with external secret management systems.

Capabilities

  • Secure SSL Management: Centralized storage and automated renewal for SSL certificates.
  • Credential Encryption at Rest: Sensitive values are encrypted before being stored in the gateway's configuration database.
  • Secret Manager Integration: Integrate with HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault for centralized secret control.
  • Environment Variable Support: Inject secrets as environment variables during deployment.

SSL Certificate Management

API7 Gateway allows you to store and manage SSL certificates through the Control Plane. You can associate certificates with specific domains (SNIs) to enable HTTPS on your routes.

curl -k "https://localhost:7443/apisix/admin/ssls/example-com-ssl?gateway_group_id={group_id}" -X PUT \
  -H "X-API-KEY: $YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "snis": ["example.com"],
    "cert": "$CERTIFICATE_CONTENT",
    "key": "$PRIVATE_KEY_CONTENT"
  }'

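Replace {group_id} with the gateway group ID from the Gateway Groups page in the Dashboard (use default for the gateway group created by the quickstart). Replace $CERTIFICATE_CONTENT and $PRIVATE_KEY_CONTENT with the PEM-encoded certificate and private key, with newlines escaped as \n. Because the JSON body is single-quoted, the shell does not expand these two placeholders; paste the values in directly. The -k flag tells curl to skip verification of the server's TLS certificate; omit it when the Admin API presents a certificate your client trusts.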
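The upload step above, scripted as an added example (not API7's own tooling): it builds the request body from PEM files so the \n escaping is not done by hand, and pipes the body to curl on stdin so the private key is not placed in an argument list. The function names and file arguments are assumptions of this example; the endpoint, headers and JSON fields are those of the curl command above.

```shell
#!/bin/sh
# Added example, not API7's own tooling. Endpoint, headers and JSON fields
# follow the curl command above; function names are this example's own.

# Print a PEM file as the inside of a JSON string (real newlines -> \n).
pem_json() {
  grep -q -e '-----BEGIN ' "$1" || { echo "$1: no PEM block" >&2; return 1; }
  # Refuse anything outside the PEM alphabet instead of trying to escape it.
  if tr -d '\r\n' < "$1" | grep -q '[^A-Za-z0-9+/= -]'; then
    echo "$1: unexpected characters" >&2; return 1
  fi
  tr -d '\r' < "$1" | sed 's/$/\\n/' | tr -d '\n'
}

# usage: build_ssl_payload SNI CERT_FILE KEY_FILE
build_ssl_payload() {
  case $1 in
    ''|*[!A-Za-z0-9.*-]*) echo "bad SNI: $1" >&2; return 1 ;;
  esac
  cert=$(pem_json "$2") || return 1
  key=$(pem_json "$3") || return 1
  printf '{"snis":["%s"],"cert":"%s","key":"%s"}' "$1" "$cert" "$key"
}

# usage: upload_ssl SSL_ID GROUP_ID SNI CERT_FILE KEY_FILE
upload_ssl() {
  payload=$(build_ssl_payload "$3" "$4" "$5") || return 1
  # printf is a builtin in bash and dash, so the key reaches curl on stdin
  # and never appears in a process argument list.
  printf '%s' "$payload" |
    curl -k "https://localhost:7443/apisix/admin/ssls/$1?gateway_group_id=$2" \
      -X PUT -H "X-API-KEY: $YOUR_API_KEY" \
      -H "Content-Type: application/json" --data-binary @-
}

if [ "$#" -eq 5 ]; then upload_ssl "$@"; fi
```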

External Secret Managers

For enterprise-grade secret management, we recommend using an external secret manager. API7 Gateway can fetch sensitive values directly from these systems at runtime.

HashiCorp Vault Integration

  1. Enable the secret feature in the Data Plane's config.yaml.
  2. Configure the Vault endpoint and authentication details.
  3. Reference secrets in your plugin configuration using the $secret:// URI scheme.

# In your plugin configuration
plugins:
  key-auth:
    key: "$secret://vault/api-key-path/my-key"

Credential Encryption at Rest

The API7 Control Plane automatically encrypts sensitive fields (like plugin password or key) before storing them in the configuration database (PostgreSQL). This ensures that even if the database is compromised, the actual credentials remain protected.

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation