Skip to main content

Version: 3.2.16.5

Reference Secrets in AWS Secrets Manager

AWS Secrets Manager is a fully managed service that you can integrate with API7 Enterprise to securely store, manage, and retrieve sensitive information such as API keys, passwords, and other types of credentials. It allows automatic rotation of secrets, reducing the risk of credentials being exposed over time.

This tutorial demonstrates how to integrate API7 Enterprise with AWS Secrets Manager, enabling you to securely store and reference consumer credentials and plugin configurations.

Below is an interactive demo providing a hands-on introduction to storing and retrieving key-auth secrets in AWS Secrets Manager with API7 Enterprise.

Prerequisites

  1. Install API7 Enterprise.
  2. Have at least one gateway instance in your gateway group.
  3. Have an AWS account to access IAM and Secrets Manager modules.

Obtain IAM Access Key ID and Secret Access Key

Obtain the IAM user access key and secret access key, which will be configured in API7 Enterprise in the next step to access AWS Secrets Manager.

note

Please ensure that the appropriate permissions are correctly assigned to users to avoid validation failures due to insufficient permissions.

Add Secret Provider in Gateway Group

  1. Select Secret Providers of your gateway group from the side navigation bar, then click Add Secret Provider.
  2. From the dialog box, do the following:
  • In the Secret Provider ID field, enter my-secrets-manager.
  • In the Secret Manager field, choose AWS Secrets Manager.
  • In the Region field, choose the region of your AWS Secrets Manager service. For example, us-east-1.
  • Fill in the Access Key ID and Secret Access Key fields with access key and secret access key obtained in the last step.
  • Click Add.

Reference Secrets to Create Consumer Credential

The following sensitive field in consumer credentials can be stored in an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Enterprise:

  • key in Key Authentication credential
  • password in Basic Authentication credential
  • secret, public key in JWT Authentication credential
  • secret_key in HMAC Authentication credential

Add a Consumer

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Click Add Consumer.
  3. From the dialog box, do the following:
  • In the Name field, enter Alice.
  • Click Add.

Create a Secret in AWS Secrets Manager

In this section, you will be creating a secret to store consumer credentials for user alice. You can also refer to Create an AWS Secrets Manager secret.

  1. Navigate to AWS Secrets Manager in the console and store a new secret. Choose Other type of secret as the secret type and enter the key name alice-key-auth and the value alice-key in the key-value pairs.
  2. In the next step, configure the secret name to be alice-credentials and optionally add a description.
  3. Click Next to review the rest of the information and finish the secret creation. You should see the secret listed in AWS Secrets Manager.
  4. Repeat to create more key/value pairs for other consumer credentials:
  • For basic authentication credential: password: alice-password.
  • For JWT authentication credential: secret: alice-secret.
  • For HMAC authentication credential: secret-key: alice-secret-key.

Add Key Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click Add Key Authentication Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-key.
  • In the Key field, choose Reference from Secret Provider, then enter $secret://aws/my-secrets-manager/alice-credentias/alice-key-auth.
  • Click Add.
note

All secret references start with $secret://. aws is Secret Manager Name of the secret provider, my-secrets-manager is Secret Provider ID on the API7 Enterprise dashboard. alice-credentials is Secret Name and alice-key-auth is Key Name you created on AWS Secrets Manager console.

Add Basic Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click Basic Authenticationtab, then click Add Basic Authentication Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-basic.
  • In the Username field, enter alice.
  • In the Password field, choose Reference from Secret Provider, then enter $secret://aws/my-secrets-manager/alice-credentias/password.
  • Click Add.
note

All secret references start with $secret://. aws is Secret Manager and my-secrets-manager is the Secret Provider ID.

Add JWT Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click JWTtab, then click Add JWT Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-jwt.
  • In the Key field, enter alice-key.
  • In the Algorithm field, choose HS256.
  • In the Secret field, choose Reference from Secret Provider, then enter $secret://aws/my-secrets-manager/alice-credentias/secret.
  • Click Add.
note

All secret references start with $secret://. aws is Secret Manager of the secret provider, my-secrets-manager is Secret Provider ID.

Add HMAC Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click HMAC Authenticationtab, then click Add HMAC Authentication Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-hmac.
  • In the Key ID field, enter alice-keyid.
  • In the Secret Key field, choose Reference from Secret Provider, then enter $secret://aws/my-secrets-manager/alice-credentias/secret-key.
  • Click Add.
note

All secret references start with $secret://. aws is Secret Manager of the secret provider, my-secrets-manager is Secret Provider ID.

Validate

See Enable Key Authentication for APIs for instructions, and enable the Key Auth Plugin on the service level.

Send a request to the route with the valid credential:

curl -i "http://127.0.0.1:9080/ip" -H 'apikey: alice-key'

You should receive an HTTP/1.1 200 OK response.

note

alice-key is the value of your key/value pair created on AWS Secrets Manager rather than the key name.

  • For basic authentication credentials, validate with: password: alice-password.
  • For JWT authentication credentials, validate with: secret: alice-secret.
  • For HMAC authentication credentials, validate with: secret-key: alice-secret-key.

Reference Secrets to Enable Plugin

The following sensitive field in plugin configurations can be stored in an external secret manager(HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Gateway:

PluginField
Limit Countredis_username, redis_password
Authz-Casdoorclient_id, client_secret
Wolf RBACappid
LDAP Authenticationuser_dn

This section demonstrates configuring limit-count plugin as an example.

Create a Secret

Create a secret using the key/value pair username:api7 and password:redis-api7, under the secret name redis in your AWS Secrets Manager.

Configure limit-count Plugin

For where and how to enable the limit-count plugin, refer to Apply Rate Limiting to APIs.

Add the following configuration to the JSON Editor:

{
"count": 3,
"time_window": 60,
"key_type": "var",
"rejected_code": 429,
"rejected_msg": "Too many requests",
"key": "remote_addr",
"policy": "redis",
"redis_host": "127.0.0.1",
"redis_port": 6379,
"redis_username": "$secret://aws/my-secrets-manager/redis/username",
"redis_password": "$secret://aws/my-secrets-manager/redis/password",
"redis_database": 1,
"redis_timeout": 1001,
"allow_degradation": false,
"show_limit_quota_header": true
}
note

All secret references start with $secret://. aws is Secret Manager of the secret provider, my-secrets-manager is Secret Provider ID.

Additional Resources


API7.ai Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.

Product

API7 Cloud

SOC2 Type IIISO 27001HIPAAGDPRRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation