
Version: 3.7.x

Reference Secrets in AWS Secrets Manager

AWS Secrets Manager is a fully managed service that you can integrate with API7 Enterprise to securely store, manage, and retrieve sensitive information such as API keys, passwords, and other types of credentials. It allows automatic rotation of secrets, reducing the risk of credentials being exposed over time.

This tutorial demonstrates how to integrate API7 Enterprise with AWS Secrets Manager, enabling you to securely store and reference consumer credentials and plugin configurations.


Prerequisites

  1. Install API7 Enterprise.
  2. Have at least one gateway instance in your gateway group.
  3. Have an AWS account to access IAM and Secrets Manager modules.

Obtain IAM Access Key ID and Secret Access Key

Obtain the IAM user access key and secret access key, which will be configured in API7 Enterprise in the next step to access AWS Secrets Manager.

note

Make sure the IAM user has the permissions the gateway needs; otherwise validation of the secret provider fails with an insufficient-permissions error. Reading a secret value is the secretsmanager:GetSecretValue action. Follow least privilege: use a dedicated IAM user for the gateway and allow that action only on the ARNs of the secrets the gateway will reference, not on every secret in the account.

Add Secret Provider in Gateway Group

  1. Select Secret Providers of your gateway group from the side navigation bar, then click Add Secret Provider.
  2. From the dialog box, do the following:
  • In the Secret Provider ID field, enter my-secrets-manager.
  • In the Secret Manager field, choose AWS Secrets Manager.
  • In the Region field, choose the region of your AWS Secrets Manager service. For example, us-east-1.
  • Fill in the Access Key ID and Secret Access Key fields with access key and secret access key obtained in the last step.
  • Click Add.
  3. Copy the Secret Variable for future reference. All secret references are generated from it; with the Secret Provider ID entered above it is $secret://aws/my-secrets-manager/$secret_name/$key.

Reference Secrets for SSL Certificate

The sensitive fields of an SSL certificate object, the certificate and the private key, can be stored in an external secret manager (such as HashiCorp Vault or AWS Secrets Manager) and referenced within API7 Gateway.

Create a Secret in AWS Secrets Manager

In this section, you will create a secret that stores the certificate and private key of the SSL certificate object. You can also refer to Create an AWS Secrets Manager secret.

  1. Navigate to AWS Secrets Manager in the console and store a new secret. Choose Other type of secret as the secret type and, in the key/value pairs, enter the key name crt with the base64-encoded certificate as its value.
  2. In the next step, configure the secret name to be ssl and optionally add a description.
  3. Click Next to review the rest of the information and finish the secret creation. You should see the secret listed in AWS Secrets Manager.
  4. Add a second key/value pair to the same ssl secret: key name private-key, value the base64-encoded private key. Both pairs must live in the same secret, because both references in the next step use the secret name ssl.

Add SSL Certificate

  1. Select Certificates of your gateway group from the side navigation bar, then open the SSL Certificates tab.
  2. Click Add SSL Certificate.
  3. From the dialog box, do the following:
  • In the Name field, enter Test SSL Certificate.
  • In the Certificate field, enter $secret://aws/my-secrets-manager/ssl/crt.
  • In the Private Key field, enter $secret://aws/my-secrets-manager/ssl/private-key.
  • Click Add.
note

All secret references are generated from the Secret Variable of the secret provider: $secret://aws/my-secrets-manager/$secret_name/$key. Here ssl is the secret name and crt and private-key are the key names inside that secret.

  4. For full use and validation of the SSL certificate, see Configure mTLS between Client and API7 Gateway.

Reference Secrets to Create Consumer Credential

The following sensitive fields in consumer credentials can be stored in an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Enterprise:

  • key in Key Authentication credential
  • password in Basic Authentication credential
  • secret, public key in JWT Authentication credential
  • secret_key in HMAC Authentication credential

Add a Consumer

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Click Add Consumer.
  3. From the dialog box, do the following:
  • In the Name field, enter Alice.
  • Click Add.

Create a Secret in AWS Secrets Manager

In this section, you will be creating a secret to store consumer credentials for user alice. You can also refer to Create an AWS Secrets Manager secret.

  1. Navigate to AWS Secrets Manager in the console and store a new secret. Choose Other type of secret as the secret type and enter the key name alice-key-auth and the value alice-key in the key-value pairs.
  2. In the next step, configure the secret name to be alice-credentials and optionally add a description.
  3. Click Next to review the rest of the information and finish the secret creation. You should see the secret listed in AWS Secrets Manager.
  4. Add more key/value pairs to the same alice-credentials secret for the other credential types:
  • For basic authentication credential: password: alice-password.
  • For JWT authentication credential: secret: alice-secret.
  • For HMAC authentication credential: secret-key: alice-secret-key.

Add Key Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click Add Key Authentication Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-key.
  • In the Key field, enter $secret://aws/my-secrets-manager/alice-credentials/alice-key-auth.
  • Click Add.

Add Basic Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click the Basic Authentication tab, then click Add Basic Authentication Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-basic.
  • In the Username field, enter alice.
  • In the Password field, enter $secret://aws/my-secrets-manager/alice-credentials/password.
  • Click Add.

Add JWT Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click the JWT tab, then click Add JWT Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-jwt.
  • In the Key field, enter alice-key.
  • In the Algorithm field, choose HS256.
  • In the Secret field, enter $secret://aws/my-secrets-manager/alice-credentials/secret.
  • Click Add.

Add HMAC Authentication Credential

  1. Select Consumers of your gateway group from the side navigation bar.
  2. Select your target consumer, for example, Alice.
  3. Under the Credentials tab, click the HMAC Authentication tab, then click Add HMAC Authentication Credential.
  4. From the dialog box, do the following:
  • In the Name field, enter primary-hmac.
  • In the Key ID field, enter alice-keyid.
  • In the Secret Key field, enter $secret://aws/my-secrets-manager/alice-credentials/secret-key.
  • Click Add.

Validate

See Enable Key Authentication for APIs for instructions, and enable the Key Auth Plugin on the service level.

Send a request to the route with the valid credential:

curl -i "http://127.0.0.1:9080/ip" -H 'apikey: alice-key'

You should receive an HTTP/1.1 200 OK response.

note

alice-key is the value of your key/value pair created on AWS Secrets Manager rather than the key name.

  • For the basic authentication credential, authenticate with username alice and the stored password alice-password.
  • For the JWT authentication credential, sign the token (HS256) with the stored secret alice-secret.
  • For the HMAC authentication credential, sign the request with the stored secret key alice-secret-key.

Reference Secrets to Enable Plugin

The following sensitive fields in plugin configurations can be stored in an external secret manager (HashiCorp Vault, AWS Secrets Manager, etc.) and referenced in API7 Gateway:

  • Limit Count: redis_username, redis_password
  • Authz-Casdoor: client_id, client_secret
  • Wolf RBAC: appid
  • LDAP Authentication: user_dn

This section demonstrates configuring limit-count plugin as an example.

Create a Secret

Create a secret using the key/value pair username:api7 and password:redis-api7, under the secret name redis in your AWS Secrets Manager.

Configure limit-count Plugin

For where and how to enable the limit-count plugin, refer to Apply Rate Limiting to APIs.

Add the following configuration to the JSON Editor:

{
  "count": 3,
  "time_window": 60,
  "key_type": "var",
  "rejected_code": 429,
  "rejected_msg": "Too many requests",
  "key": "remote_addr",
  "policy": "redis",
  "redis_host": "127.0.0.1",
  "redis_port": 6379,
  "redis_username": "$secret://aws/my-secrets-manager/redis/username",
  "redis_password": "$secret://aws/my-secrets-manager/redis/password",
  "redis_database": 1,
  "redis_timeout": 1001,
  "allow_degradation": false,
  "show_limit_quota_header": true
}
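The following is an added example, not code from API7 Enterprise or Apache APISIX. It shows the resolution path that the Secret Variable format implies for every reference on this page: the consumer-credential references (alice-credentials) and the redis_username/redis_password references in the limit-count configuration above. The parser grammar (last path segment is the key inside the secret, everything between the provider ID and that segment is the secret name), the SecretProvider class and the in-memory stand-in for the AWS account are assumptions of this example; the real gateway calls the GetSecretValue API with the IAM access key configured on the provider.

```python
"""Added example (not API7 Enterprise or Apache APISIX code): resolving
$secret:// references against an AWS Secrets Manager secret provider."""
import json
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict

# Secret Variable format shown in the dashboard:
#   $secret://aws/my-secrets-manager/$secret_name/$key
# Assumption: the last path segment is the key inside the secret and everything
# between the provider ID and that segment is the secret name, so secret names
# containing slashes (for example "prod/alice-credentials") still work.
SECRET_REF = re.compile(
    r"^\$secret://(?P<manager>[^/]+)/(?P<provider>[^/]+)/(?P<secret>.+)/(?P<key>[^/]+)$"
)


class SecretResolutionError(ValueError):
    """Raised when a reference cannot be resolved; callers must fail closed."""


@dataclass(frozen=True)
class SecretProvider:
    provider_id: str   # "my-secrets-manager" in this tutorial
    manager: str       # "aws"
    region: str        # "us-east-1"
    # fetch(secret_name) returns the SecretString. In production the gateway
    # calls the GetSecretValue API with the provider's IAM access key; here a
    # callable is injected so the example runs offline.
    fetch: Callable[[str], str]


def resolve_ref(ref: str, providers: Dict[str, SecretProvider]) -> str:
    """Resolve one $secret:// reference to the value stored under its key."""
    m = SECRET_REF.match(ref)
    if not m:
        raise SecretResolutionError(f"malformed secret reference: {ref!r}")
    provider = providers.get(m["provider"])
    if provider is None or provider.manager != m["manager"]:
        raise SecretResolutionError(
            f"no {m['manager']} secret provider with ID {m['provider']!r}")
    try:
        secret_string = provider.fetch(m["secret"])
    except KeyError:
        raise SecretResolutionError(
            f"secret {m['secret']!r} not found in {provider.region}") from None
    # An "Other type of secret" created from key/value pairs is stored by
    # Secrets Manager as a JSON object in SecretString.
    try:
        pairs = json.loads(secret_string)
    except json.JSONDecodeError:
        raise SecretResolutionError(
            f"secret {m['secret']!r} is not a key/value secret") from None
    if not isinstance(pairs, dict) or m["key"] not in pairs:
        raise SecretResolutionError(
            f"key {m['key']!r} not present in secret {m['secret']!r}")
    # The gateway uses the VALUE (for example "alice-key"), never the key name.
    return pairs[m["key"]]


def resolve_config(obj: Any, providers: Dict[str, SecretProvider]) -> Any:
    """Walk a credential or plugin config and replace every reference in it."""
    if isinstance(obj, str) and obj.startswith("$secret://"):
        return resolve_ref(obj, providers)
    if isinstance(obj, dict):
        return {k: resolve_config(v, providers) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve_config(v, providers) for v in obj]
    return obj


# Constructed stand-in for the AWS account used in this tutorial:
# secret name -> SecretString, as the key/value pairs above would be stored.
FAKE_SECRETS_MANAGER = {
    "alice-credentials": json.dumps({
        "alice-key-auth": "alice-key",
        "password": "alice-password",
        "secret": "alice-secret",
        "secret-key": "alice-secret-key",
    }),
    "redis": json.dumps({"username": "api7", "password": "redis-api7"}),
}

PROVIDERS = {
    "my-secrets-manager": SecretProvider(
        "my-secrets-manager", "aws", "us-east-1",
        fetch=lambda name: FAKE_SECRETS_MANAGER[name]),
}

# The limit-count configuration from this page, with its two references.
LIMIT_COUNT_CONFIG = {
    "count": 3, "time_window": 60, "key_type": "var", "key": "remote_addr",
    "policy": "redis", "redis_host": "127.0.0.1", "redis_port": 6379,
    "redis_username": "$secret://aws/my-secrets-manager/redis/username",
    "redis_password": "$secret://aws/my-secrets-manager/redis/password",
}

if __name__ == "__main__":
    print(resolve_ref(
        "$secret://aws/my-secrets-manager/alice-credentials/alice-key-auth",
        PROVIDERS))
    print(resolve_config(LIMIT_COUNT_CONFIG, PROVIDERS)["redis_password"])
```

Two points the example makes concrete: the reference must name the secret and the key exactly as they exist in Secrets Manager (a misspelled secret name or a wrong provider ID raises an error instead of silently authenticating nobody), and the client presents the stored value, alice-key, not the key name alice-key-auth.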
