Skip to main content

Version: 3.11.0

Manage Secrets in AWS Secrets Manager

AWS Secrets Manager is a fully managed service that you can integrate with APISIX to securely store, manage, and retrieve sensitive information such as API keys, passwords, and other types of credentials. It allows automatic rotation of secrets, reducing the risk of credentials being exposed over time.

This guide will show you how to use AWS Secrets Manager to manage user credentials for the key-auth plugin and how to retrieve the secret in APISIX.

Prerequisite(s)

Create a Secret in AWS Secrets Manager

In this section, you will be creating a secret to store the key-auth authentication key for user john.

Navigate to AWS Secrets Manager in the console and create a secret. Choose Other type of secret as the secret type and enter the name of the key john-key-auth and the credential john-key in the key-value pairs:

create a secret in AWS step 1

In the next step, configure the name of the secret to be apisix-secrets and optionally add a description:

create a secret in AWS step 2

Review the rest of the information and finish secret creation. You should see the secret listed in AWS Secrets Manager:

finish secret creation in AWS

Obtain IAM Access Key ID and Secret Access Key

Obtain the IAM user access key and secret access key, which will be configured in APISIX in the next step to access AWS Secrets Manager.

Alternatively, you can also create a temporary security credential and configure the credential in the APISIX secret's session_token. See Admin API for configuration reference.

Configure Secret in APISIX

Configure AWS Secrets Manager to be a secret provider for john and specify the AWS region, access key ID, and secret access key:

curl "http://127.0.0.1:9180/apisix/admin/secrets/aws/john" -X PUT -d '
{
"region": "ap-southeast-2",
"access_key_id": "AKIARK7HKSJVWAIKFOXR",
"secret_access_key": "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"
}'

Create a Consumer and its Credential

Create a consumer john:

curl "http://127.0.0.1:9180/apisix/admin/consumers" -X PUT -d '
{
"username": "john"
}'

Configure the key-auth credential for consumer john to fetch the key from secret provider:

curl "http://127.0.0.1:9180/apisix/admin/consumers/john/credentials" -X PUT -d '
{
"id": "cred-john-key-auth",
"plugins": {
"key-auth": {
"key": "$secret://aws/john/apisix-secrets/john-key-auth"
}
}
}'

Create a Route with Authentication

Create a sample route and enable the key-auth plugin:

curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT -d '
{
"id": "key-auth-route",
"uri": "/anything",
"plugins": {
"key-auth": {}
},
"upstream" : {
"nodes": {
"httpbin.org": 1
}
}
}'

Verify

Send a request to the route with the valid credential:

curl -i "http://127.0.0.1:9080/anything" -H 'apikey: john-key'

You should receive an HTTP/1.1 200 OK response.

tip

If you are receiving a 401 Unauthorized response with the unable to get local issuer certificate error in the error log, please add the path to the certificate manually to the configuration file:

conf/config.yaml
apisix:
ssl:
ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt

Then reload APISIX for configuration changes to take effect:

docker exec apisix-quickstart apisix reload

Send a request to the route with an invalid credential:

curl -i "http://127.0.0.1:9080/anything" -H 'apikey: wrong-key'

You should receive an HTTP/1.1 401 Unauthorized response.

Next Steps

You have now learned how to configure APISIX to fetch secrets from AWS Secrets Manager.

In addition to AWS Secrets Manager, APISIX also supports the integration with HashiCorp Vault and GCP Secret Manager for secret management.


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN PTE. LTD 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation