Reference Secrets in AWS Secrets Manager
AWS Secrets Manager is a fully managed service that you can integrate with API7 Enterprise to securely store, manage, and retrieve sensitive information such as API keys, passwords, and other types of credentials. It allows automatic rotation of secrets, reducing the risk of credentials being exposed over time.
This tutorial demonstrates how to integrate API7 Enterprise with AWS Secrets Manager, enabling you to securely store and reference consumer credentials and plugin configurations.
Below is an interactive demo providing a hands-on introduction to storing and retrieving key-auth secrets in AWS Secrets Manager with API7 Enterprise.
Prerequisites
- Install API7 Enterprise.
- Have at least one gateway instance in your gateway group.
- Have an AWS account to access IAM and Secrets Manager modules.
Obtain IAM Access Key ID and Secret Access Key
Obtain the IAM user access key and secret access key, which will be configured in API7 Enterprise in the next step to access AWS Secrets Manager.
Please ensure that the appropriate permissions are correctly assigned to users to avoid validation failures due to insufficient permissions.
Add Secret Provider in Gateway Group
- Dashboard
- ADC
- Ingress Controller
- Select Secret Providers of your gateway group from the side navigation bar, then click Add Secret Provider.
- From the dialog box, do the following:
- In the Secret Provider ID field, enter
my-secrets-manager. - In the Secret Manager field, choose
AWS Secrets Manager. - In the Region field, choose the region of your AWS Secrets Manager service. For example,
us-east-1. - Fill in the Access Key ID and Secret Access Key fields with access key and secret access key obtained in the last step.
- Click Add.
Not applicable.
Not applicable.
Reference Secrets to Create Consumer Credential
The following sensitive field in consumer credentials can be stored in an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Enterprise:
keyin Key Authentication credentialpasswordin Basic Authentication credentialsecret,public keyin JWT Authentication credentialsecret_keyin HMAC Authentication credential
Add a Consumer
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Click Add Consumer.
- From the dialog box, do the following:
- In the Name field, enter
Alice. - Click Add.
To use ADC to create a consumer, create the following configuration:
consumers:
- username: Alice
Not supported yet.
Create a Secret in AWS Secrets Manager
In this section, you will be creating a secret to store consumer credentials for user alice. You can also refer to Create an AWS Secrets Manager secret.
- Navigate to AWS Secrets Manager in the console and store a new secret. Choose Other type of secret as the secret type and enter the key name
alice-key-authand the valuealice-keyin the key-value pairs. - In the next step, configure the secret name to be
alice-credentialsand optionally add a description. - Click Next to review the rest of the information and finish the secret creation. You should see the secret listed in AWS Secrets Manager.
- Repeat to create more key/value pairs for other consumer credentials:
- For basic authentication credential:
password: alice-password. - For JWT authentication credential:
secret: alice-secret. - For HMAC authentication credential:
secret-key: alice-secret-key.
Add Key Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click Add Key Authentication Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-key. - In the Key field, choose Reference from Secret Provider, then enter
$secret://aws/my-secrets-manager/alice-credentias/alice-key-auth. - Click Add.
All secret references start with $secret://. aws is Secret Manager Name of the secret provider, my-secrets-manager is Secret Provider ID on the API7 Enterprise dashboard. alice-credentials is Secret Name and alice-key-auth is Key Name you created on AWS Secrets Manager console.
To use ADC to create a consumer with key-auth, update your configuration:
consumers:
- username: Alice
credentials:
- name: primary-key
type: key-auth
config:
key: $secret://aws/my-secrets-manager/alice-credentias/alice-key-auth
Not supported yet.
Add Basic Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click Basic Authenticationtab, then click Add Basic Authentication Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-basic. - In the Username field, enter
alice. - In the Password field, choose Reference from Secret Provider, then enter
$secret://aws/my-secrets-manager/alice-credentias/password. - Click Add.
All secret references start with $secret://. aws is Secret Manager and my-secrets-manager is the Secret Provider ID.
To use ADC to create a consumer with basic-auth, update your configuration:
consumers:
- username: Alice
credentials:
- name: primary-basic
type: basic-auth
config:
password: $secret://aws/my-secrets-manager/alice-credentias/password
username: Alice
Not supported yet.
Add JWT Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click JWTtab, then click Add JWT Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-jwt. - In the Key field, enter
alice-key. - In the Algorithm field, choose
HS256. - In the Secret field, choose Reference from Secret Provider, then enter
$secret://aws/my-secrets-manager/alice-credentias/secret. - Click Add.
All secret references start with $secret://. aws is Secret Manager of the secret provider, my-secrets-manager is Secret Provider ID.
To use ADC to create a consumer with jwt-auth, update your configuration:
consumers:
- username: Alice
credentials:
- name: primary-jwt
type: jwt-auth
config:
algorithm: HS256
key: alice-key
secret: $secret://aws/my-secrets-manager/alice-credentias/secret
Not supported yet.
Add HMAC Authentication Credential
- Dashboard
- ADC
- Ingress Controller
- Select Consumers of your gateway group from the side navigation bar.
- Select your target consumer, for example,
Alice. - Under the Credentials tab, click HMAC Authenticationtab, then click Add HMAC Authentication Credential.
- From the dialog box, do the following:
- In the Name field, enter
primary-hmac. - In the Key ID field, enter
alice-keyid. - In the Secret Key field, choose Reference from Secret Provider, then enter
$secret://aws/my-secrets-manager/alice-credentias/secret-key. - Click Add.
All secret references start with $secret://. aws is Secret Manager of the secret provider, my-secrets-manager is Secret Provider ID.
To use ADC to create a consumer with hmac-auth, update your configuration:
consumers:
- username: Alice
credentials:
- name: primary-hmac
type: hmac-auth
config:
key_id: alice-keyid
secret_key: $secret://aws/my-secrets-manager/alice-credentias/secret-key
Not supported yet.
Validate
See Enable Key Authentication for APIs for instructions, and enable the Key Auth Plugin on the service level.
Send a request to the route with the valid credential:
curl -i "http://127.0.0.1:9080/ip" -H 'apikey: alice-key'
You should receive an HTTP/1.1 200 OK response.
alice-key is the value of your key/value pair created on AWS Secrets Manager rather than the key name.
- For basic authentication credentials, validate with:
password: alice-password. - For JWT authentication credentials, validate with:
secret: alice-secret. - For HMAC authentication credentials, validate with:
secret-key: alice-secret-key.
Reference Secrets to Enable Plugin
The following sensitive field in plugin configurations can be stored in an external secret manager(HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Gateway:
| Plugin | Field |
|---|---|
| Limit Count | redis_username, redis_password |
| Authz-Casdoor | client_id, client_secret |
| Wolf RBAC | appid |
| LDAP Authentication | user_dn |
This section demonstrates configuring limit-count plugin as an example.
Create a Secret
Create a secret using the key/value pair username:api7 and password:redis-api7, under the secret name redis in your AWS Secrets Manager.
Configure limit-count Plugin
For where and how to enable the limit-count plugin, refer to Apply Rate Limiting to APIs.
- Dashboard
- ADC
- Ingress Controller
Add the following configuration to the JSON Editor:
{
"count": 3,
"time_window": 60,
"key_type": "var",
"rejected_code": 429,
"rejected_msg": "Too many requests",
"key": "remote_addr",
"policy": "redis",
"redis_host": "127.0.0.1",
"redis_port": 6379,
"redis_username": "$secret://aws/my-secrets-manager/redis/username",
"redis_password": "$secret://aws/my-secrets-manager/redis/password",
"redis_database": 1,
"redis_timeout": 1001,
"allow_degradation": false,
"show_limit_quota_header": true
}
All secret references start with $secret://. aws is Secret Manager of the secret provider, my-secrets-manager is Secret Provider ID.
The following is only the plugin configuration and not a complete configuration file to synchronize. Refer to Apply Rate Limiting to APIs for where and how to enable the Limit Count plugin using ADC.
limit-count:
count: 3
time_window: 60
key_type: var
rejected_code: 429
rejected_msg: Too many requests
key: remote_addr
policy: redis
redis_host: 127.0.0.1
redis_port: 6379
redis_username: $secret://aws/my-secrets-manager/redis/username
redis_password: $secret://aws/my-secrets-manager/redis/password
redis_database: 1
redis_timeout: 1001
allow_degradation: false
show_limit_quota_header: true
Coming Soon.
Additional Resources
- Key Concepts
- API Consumption