In this document, you will learn the basic concept of secrets in APISIX and why you may need them.
Explore additional resources at the end of the document for more information on related topics.
In APISIX, a secret object is used to set up integration with an external secret manager, so that APISIX can establish connections and fetch secrets from the secret manager dynamically at runtime.
The following diagram illustrates the concept of a secret object using an example, where key authentication is enabled for a user, John Doe, and the user's credentials are stored in a HashiCorp Vault server:
As demonstrated, when APISIX is used in conjunction with an external secret manager, the field that would normally hold the secret is instead set to a reference starting with the fixed prefix $secret://, followed by the name of the secret manager, the ID of the APISIX secret object, the username, and other details that locate the secret. APISIX stores only this reference and fetches the actual value from the secret manager at runtime.
Specifically, if Vault is used as the secret manager, the APISIX secret object should specify:
uri: the address where the Vault server is hosted
prefix: the path prefix of the secret engine that Vault should route requests to
token: the token APISIX uses to authenticate to Vault and establish the connection
These configurations ensure that John Doe can send requests to APISIX and access the back-end service with the correct key. Requests from unauthenticated users are rejected by APISIX.
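To make the reference format concrete, here is an added example (not APISIX's own Lua implementation) that models how a $secret:// reference is resolved against a Vault secret object with the uri, prefix and token fields described above. The secret object values, the consumer reference and the Vault response are constructed samples, and the Vault KV v1 read path is an assumption about how the prefix is used.

```python
from dataclasses import dataclass

SECRET_PREFIX = "$secret://"

@dataclass(frozen=True)
class VaultSecretObject:
    uri: str      # where the Vault server is hosted
    prefix: str   # path prefix of the secret engine Vault routes to
    token: str    # token APISIX uses to authenticate to Vault

# Constructed sample: one Vault secret object registered under id "1",
# and a consumer key-auth value that stores only the reference, never the key.
SECRETS = {("vault", "1"): VaultSecretObject(
    uri="https://vault.example.internal:8200",
    prefix="/apisix/kv", token="hvs.PLACEHOLDER-TOKEN")}
KEY_REF = "$secret://vault/1/johndoe/key"

def parse_reference(ref):
    """Split "$secret://<manager>/<id>/<secret path>/<key>" into parts."""
    if not ref.startswith(SECRET_PREFIX):
        raise ValueError("not a $secret:// reference")
    parts = ref[len(SECRET_PREFIX):].split("/")
    if len(parts) < 4 or "" in parts:
        raise ValueError("expected <manager>/<id>/<secret path>/<key>")
    manager, obj_id, *path, key = parts
    return manager, obj_id, "/".join(path), key

def build_vault_request(ref):
    """Map a reference onto the secret object's uri, prefix and token."""
    manager, obj_id, path, key = parse_reference(ref)
    obj = SECRETS.get((manager, obj_id))
    if obj is None:
        raise LookupError(f"no secret object {manager}/{obj_id}")
    # Read path of a Vault KV v1 engine mounted under `prefix` (assumption).
    return f"{obj.uri}/v1{obj.prefix}/{path}", {"X-Vault-Token": obj.token}, key

def resolve(ref, fetch):
    """Fetch the value at runtime; fetch(url, headers) returns the KV dict."""
    url, headers, key = build_vault_request(ref)
    data = fetch(url, headers)
    if key not in data:
        raise KeyError(f"{key!r} not found at {url}")
    return data[key]

def fake_vault(url, headers):
    """Constructed stand-in for Vault; no network request is made."""
    if headers.get("X-Vault-Token") != SECRETS[("vault", "1")].token:
        raise PermissionError("Vault rejected the token")
    return {"key": "john-doe-api-key"} if url.endswith("/johndoe") else {}
```

A reference that names an unregistered secret object ID, or a path whose key is absent in Vault, fails at resolution time rather than silently yielding an empty credential.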
For more details on the secret configurations, please refer to the Admin API.