Manage Secrets in AWS Secrets Manager
AWS Secrets Manager is a fully managed service that you can integrate with APISIX to securely store, manage, and retrieve sensitive information such as API keys, passwords, and other types of credentials. It allows automatic rotation of secrets, reducing the risk of credentials being exposed over time.
This guide will show you how to use AWS Secrets Manager to manage user credentials for the key-auth plugin and how to retrieve the secret in APISIX.
Prerequisite(s)
- Install Docker.
- Install cURL to send requests to the services for validation.
- Follow the Getting Started tutorial to start a new APISIX instance in Docker.
- Have an AWS account.
Create a Secret in AWS Secrets Manager
In this section, you will be creating a secret to store the key-auth authentication key for user john.
Navigate to AWS Secrets Manager in the console and create a secret. Choose Other type of secret as the secret type and add one key-value pair with john-key-auth as the key and john-key as the value:
In the next step, set the secret name to apisix-secrets and optionally add a description:
Review the rest of the information and finish secret creation. You should see the secret listed in AWS Secrets Manager:
Obtain IAM Access Key ID and Secret Access Key
Obtain the access key ID and secret access key of an IAM user, which will be configured in APISIX in the next step to access AWS Secrets Manager. APISIX stores these credentials in its configuration store, so use a dedicated IAM user whose policy allows only secretsmanager:GetSecretValue on the secret(s) APISIX needs to read, rather than the credentials of an administrator.
Alternatively, you can also create a temporary security credential and configure the credential in the APISIX secret's session_token. See Admin API for configuration reference.
Configure Secret in APISIX
Configure AWS Secrets Manager to be a secret provider with ID john and specify the AWS region in which the secret was created, the access key ID, and the secret access key:
curl "http://127.0.0.1:9180/apisix/admin/secrets/aws/john" -X PUT -d '
{
"region": "ap-southeast-2",
"access_key_id": "AKIARK7HKSJVWAIKFOXR",
"secret_access_key": "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"
}'
Create a Consumer and its Credential
Create a consumer john:
curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "john"
}'
Configure the key-auth credential for consumer john to fetch the key from the secret provider. The reference has the form $secret://aws/<secret provider id>/<secret name>/<key>; here it points at the john-key-auth key of the apisix-secrets secret, read through the john provider:
curl "http://127.0.0.1:9180/apisix/admin/consumers/john/credentials" -X PUT -d '
{
"id": "cred-john-key-auth",
"plugins": {
"key-auth": {
"key": "$secret://aws/john/apisix-secrets/john-key-auth"
}
}
}'
Create a Route with Authentication
Create a sample route and enable the key-auth plugin:
curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
"id": "key-auth-route",
"uri": "/anything",
"plugins": {
"key-auth": {}
},
"upstream" : {
"nodes": {
"httpbin.org": 1
}
}
}'
Verify
Send a request to the route with the valid credential:
curl -i "http://127.0.0.1:9080/anything" -H 'apikey: john-key'
You should receive an HTTP/1.1 200 OK response.
If you are receiving a 401 Unauthorized response and the error log contains unable to get local issuer certificate, APISIX could not verify the TLS certificate of the AWS Secrets Manager endpoint. Add the path to the CA certificate bundle manually to the configuration file:
apisix:
ssl:
ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
Then reload APISIX for configuration changes to take effect:
docker exec apisix-quickstart apisix reload
Send a request to the route with an invalid credential:
curl -i "http://127.0.0.1:9080/anything" -H 'apikey: wrong-key'
You should receive an HTTP/1.1 401 Unauthorized response.
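The steps above, from the secret provider to the final verification, as one added shell script. It is an example written for this page, not code from the APISIX project. It validates the $secret:// reference before anything is written to the Admin API (a mistyped reference is otherwise only noticed as a 401 at request time), and it reads the AWS credentials from the environment instead of pasting them into a command line. Assumptions not in the guide: the APISIX_ADMIN, APISIX_GATEWAY, APISIX_ADMIN_KEY and RUN_SETUP variables, the X-API-KEY header for a secured Admin API, and that neither the secret name nor the key contains a "/".

```shell
#!/bin/sh
# Added example (not APISIX project code): validate a $secret:// reference,
# then drive the Admin API steps from this guide and verify the route.
# Assumed knobs: APISIX_ADMIN, APISIX_GATEWAY, APISIX_ADMIN_KEY, RUN_SETUP.
set -u

APISIX_ADMIN=${APISIX_ADMIN:-http://127.0.0.1:9180}
APISIX_GATEWAY=${APISIX_GATEWAY:-http://127.0.0.1:9080}

# Split "$secret://<manager>/<id>/<secret name>/<key>" into REF_* globals.
# Assumption: neither the secret name nor the key contains "/".
secret_ref_parse() {
  prefix='$secret://'
  case $1 in
    "$prefix"*) ;;
    *) echo "not a secret reference: $1" >&2; return 1 ;;
  esac
  rest=${1#"$prefix"}
  # At least three "/" are needed for four segments ...
  case $rest in
    */*/*/*) ;;
    *) echo "expected 4 segments in: $1" >&2; return 1 ;;
  esac
  REF_MANAGER=${rest%%/*}; rest=${rest#*/}
  REF_ID=${rest%%/*};      rest=${rest#*/}
  REF_NAME=${rest%%/*};    REF_KEY=${rest#*/}
  # ... and the key must be the last one.
  case $REF_KEY in
    */*) echo "too many segments in: $1" >&2; return 1 ;;
  esac
  for seg in "$REF_MANAGER" "$REF_ID" "$REF_NAME" "$REF_KEY"; do
    [ -n "$seg" ] || { echo "empty segment in: $1" >&2; return 1; }
  done
  case $REF_MANAGER in
    aws|vault|gcp) return 0 ;;
    *) echo "unknown secret manager: $REF_MANAGER" >&2; return 1 ;;
  esac
}

# JSON bodies for the Admin API objects used in this guide.
secret_provider_body() {  # region access_key_id secret_access_key
  printf '{"region":"%s","access_key_id":"%s","secret_access_key":"%s"}' "$1" "$2" "$3"
}
consumer_body() {  # username
  printf '{"username":"%s"}' "$1"
}
credential_body() {  # credential id, secret reference (validated first)
  secret_ref_parse "$2" || return 1
  printf '{"id":"%s","plugins":{"key-auth":{"key":"%s"}}}' "$1" "$2"
}
route_body() {  # route id, uri, upstream host
  printf '{"id":"%s","uri":"%s","plugins":{"key-auth":{}},"upstream":{"nodes":{"%s":1}}}' "$1" "$2" "$3"
}

# PUT a body to the Admin API; sends X-API-KEY only when an admin key is set.
admin_put() {  # path body
  if [ -n "${APISIX_ADMIN_KEY:-}" ]; then
    status=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT "$APISIX_ADMIN/apisix/admin/$1" \
      -H "X-API-KEY: $APISIX_ADMIN_KEY" -d "$2")
  else
    status=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT "$APISIX_ADMIN/apisix/admin/$1" -d "$2")
  fi
  echo "PUT $1 -> $status"
}

# Call the route with an apikey and compare the status with the expected one.
expect_status() {  # apikey expected
  got=$(curl -sS -o /dev/null -w '%{http_code}' "$APISIX_GATEWAY/anything" -H "apikey: $1")
  if [ "$got" = "$2" ]; then
    echo "ok: apikey=$1 -> $got"
  else
    echo "FAIL: apikey=$1 -> $got (want $2)" >&2
    return 1
  fi
}

setup_all() {
  : "${AWS_REGION:?set AWS_REGION}" "${AWS_ACCESS_KEY_ID:?set}" "${AWS_SECRET_ACCESS_KEY:?set}"
  ref='$secret://aws/john/apisix-secrets/john-key-auth'
  admin_put secrets/aws/john "$(secret_provider_body "$AWS_REGION" "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY")"
  admin_put consumers "$(consumer_body john)"
  admin_put consumers/john/credentials "$(credential_body cred-john-key-auth "$ref")"
  admin_put routes "$(route_body key-auth-route /anything httpbin.org)"
  expect_status john-key 200    # the value stored under john-key-auth
  expect_status wrong-key 401
}

# Only touch a live APISIX when explicitly asked; sourcing the file is side-effect free.
if [ "${RUN_SETUP:-0}" = 1 ]; then setup_all; fi
```

Run it with RUN_SETUP=1 and the three AWS_* variables exported; with an Admin API key enabled, also export APISIX_ADMIN_KEY. The reference check rejects the cases that would otherwise surface only as a 401: a plain key pasted in instead of a reference, a missing key segment, an empty secret name, or extra path segments.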
Next Steps
You have now learned how to configure APISIX to fetch secrets from AWS Secrets Manager.
In addition to AWS Secrets Manager, APISIX also supports the integration with HashiCorp Vault and GCP Secret Manager for secret management.