Secrets
In this document, you will learn the basic concept of secrets in APISIX and why you may need them.
Explore additional resources at the end of the document for more information on related topics.
Overview
In APISIX, a secret object is used to set up integration with an external secret manager, so that APISIX can establish connections and fetch secrets from the secret manager dynamically at runtime.
The following diagram illustrates the concept of a secret object using an example, where key-auth is enabled for a user, John, and the user credentials are stored in a HashiCorp Vault server:
As demonstrated, when APISIX is used in conjunction with an external secret manager, the secret field is defined as a variable that starts with the fixed prefix $secret://, followed by the name of the secret manager, the APISIX secret object ID, the username, and other details.
Specifically, if Vault is used as the secret manager, the APISIX secret object should specify:
- uri: location where the Vault server is hosted
- prefix: path prefix corresponding to the secret engine that Vault should route traffic to
- token: token for APISIX to authenticate to Vault and establish the connection
These configurations ensure that John can send requests to APISIX and access the back-end service with the correct key. Requests from unauthenticated users are rejected by APISIX.
In addition to Vault, APISIX also supports the integration with AWS and GCP secret managers. For more details on the secret configurations, please refer to the Admin API.
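The script below is an added example, not code from the APISIX documentation. It assembles the two Admin API objects described above, a Vault-backed secret object and a consumer whose key-auth key is a $secret:// reference that APISIX resolves at runtime, and only sends them when APISIX_ADMIN_URL and APISIX_ADMIN_KEY are set; otherwise it prints what it would send. The Vault address, the KV prefix, the token placeholder, the secret object ID 1 and the consumer name john are assumed values, and the reference layout manager/id/secret-name/field follows the form described in the text.

```shell
#!/bin/sh
# Added example (not from the APISIX docs). Builds a Vault-backed secret object
# and a consumer whose key-auth key is a $secret:// reference. Nothing touches
# the network unless APISIX_ADMIN_URL is set.
set -eu

# Assumed values (placeholders, not taken from the page):
VAULT_URI="${VAULT_URI:-https://vault.example.internal:8200}"   # where Vault is hosted
VAULT_PREFIX="${VAULT_PREFIX:-apisix/kv}"                        # KV engine path prefix
VAULT_TOKEN="${VAULT_TOKEN:-REPLACE_WITH_VAULT_TOKEN}"           # the only secret APISIX itself stores
SECRET_ID="${SECRET_ID:-1}"                                      # APISIX secret object ID

# Compose a reference of the form $secret://<manager>/<id>/<secret name>/<field>.
# The literal text "$secret" must reach APISIX, so it is printed from single quotes.
build_secret_ref() {
    printf '$secret://%s/%s/%s/%s' "$1" "$2" "$3" "$4"
}

# Check a reference before sending it: the fixed prefix, a supported manager
# (the page names vault, aws and gcp) and exactly four path segments.
check_secret_ref() {
    ref="$1"
    pfx='$secret://'
    case "$ref" in
        "$pfx"*) ;;
        *) return 1 ;;
    esac
    rest="${ref#"$pfx"}"
    manager="${rest%%/*}"
    case "$manager" in
        vault|aws|gcp) ;;
        *) return 1 ;;
    esac
    # three slashes after the manager name means four segments in total
    slashes=$(printf '%s' "$rest" | tr -cd '/' | wc -c | tr -d ' ')
    [ "$slashes" -eq 3 ]
}

# Body for PUT /apisix/admin/secrets/vault/<id>: uri, prefix and token as the text lists.
secret_object_json() {
    printf '{"uri":"%s","prefix":"%s","token":"%s"}' "$VAULT_URI" "$VAULT_PREFIX" "$VAULT_TOKEN"
}

# Body for PUT /apisix/admin/consumers: the key is the reference, not the key itself,
# so the real credential never leaves Vault until APISIX fetches it at runtime.
consumer_json() {
    printf '{"username":"%s","plugins":{"key-auth":{"key":"%s"}}}' "$1" "$2"
}

JOHN_REF=$(build_secret_ref vault "$SECRET_ID" john key)
check_secret_ref "$JOHN_REF"

if [ -n "${APISIX_ADMIN_URL:-}" ]; then
    : "${APISIX_ADMIN_KEY:?set APISIX_ADMIN_KEY to the Admin API key}"
    curl -sS -X PUT "$APISIX_ADMIN_URL/apisix/admin/secrets/vault/$SECRET_ID" \
        -H "X-API-KEY: $APISIX_ADMIN_KEY" -H 'Content-Type: application/json' \
        -d "$(secret_object_json)"
    curl -sS -X PUT "$APISIX_ADMIN_URL/apisix/admin/consumers" \
        -H "X-API-KEY: $APISIX_ADMIN_KEY" -H 'Content-Type: application/json' \
        -d "$(consumer_json john "$JOHN_REF")"
else
    echo "Dry run; would send:"
    secret_object_json; echo
    consumer_json john "$JOHN_REF"; echo
fi
```

When typing the reference by hand, keep it in single quotes: in double quotes the shell expands $secret to an empty string and APISIX receives "://vault/1/john/key", which fails validation rather than resolving anything. The Vault token is the one credential APISIX has to hold; the per-consumer keys stay in Vault and are fetched only when a request is authenticated.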
Additional Resource(s)
- Getting Started - Key Authentication
- Key Concepts