API7 Enterprise v3.2.16: Integrated Secret Providers

Zhihuang Lin

Zhihuang Lin

October 10, 2024

Products

In API7 Enterprise, you may store a large amount of sensitive information, such as SSL certificates and private keys, usernames and passwords of consumer authentication credentials, and that required by certain plugins to connect to external systems.

The concept of "Secret Providers" is introduced in API7 Enterprise v3.2.16. Now, we can easily add secret provider resources to integrate with third-party secret managers, such as HashiCorp Vault, AWS Secrets Manager, and GCP Secret Manager, and reference the sensitive information stored externally in API7 using variables. The reference format is as follows:

$secret://$manager/$id/$secret_name/$key

How to Use Secret Providers?

Adding a Secret Provider

In the Gateway Group menu, a new "Secret Provider" option is added. Click the button to access the secret provider list page. Then, click the "Add Secret Provider" button in the top right corner of the page.

Add Secret Providers in API7 Enterprise

In the pop-up window, fill in the basic information about the secret provider, select the secret management service type, for example, HashiCorp Vault. Then provide the service access address and authentication token for your HashiCorp Vault configuration.

Viewing a Secret Provider

After creation, we can view the specific configuration details and the secret variable example on the secret provider details page.

Secret Provider Details in API7 Enterprise

The format of the secret variable is: secret://manager/$id/$secret_name/$key, with the following meanings:

  • $secret: A fixed prefix, no replacement needed
  • $manager: The secret management service
  • $id: The ID of the secret provider resource
  • $secret_name: The name of the secret in the secret management service
  • $key: The key corresponding to the secret in the secret management service

For example, with a secret provider ID of my-provider and a secret management service type of HashiCorp Vault, if you want to reference a secret named my-secret with a key password, the corresponding secret variable would be:

$secret://vault/my-hashicorp-vault/my-secret/password

Currently, HashiCorp Vault is supported as a secret management service. AWS Secrets Manager and GCP Secret Manager will soon be available.

Referencing a Secret Variable

Once the secret provider is created, you can reference externally stored sensitive information in various resources in API7 Enterprise through variables. For example, when adding Basic Authentication credentials for a consumer, you can choose to store sensitive information, like passwords, in an external secret management service and reference it in API7 Enterprise, thus enhancing security.

Reference Secret Providers in API7 Enterprise

Similarly, when working with non-form pages, like the plugin editor, we can also directly enter the value of the Secret variable as a string into any field that supports referencing Secrets.

Refer Secret Information When Enabling Plugins

Viewing Reference Relationships

When we reference a variable from my-provider in consumer credentials, we can view this reference relationship in the secret provider reference list. Other referenced resources will also be displayed in this list, making it easier to track the usage of the secret provider.

Secret Provider References

Editing or Deleting a Secret Provider

When editing or deleting a secret provider, the system will check the reference relationships to avoid invalid variables being referenced in resources, which could lead to configuration errors.

Edit or Delete Secret Provider in API7 Enterprise

Summary

By integrating with external secret management services, such as HashiCorp Vault, API7 Enterprise enhances the convenience of referencing externally stored sensitive information across various resources. This integration reduces the risks and costs associated with manual management of such information. Looking ahead, we plan to support more types of secret management services to meet the growing needs of users, ensuring both flexibility and security in the management of sensitive information.

Tags:
API SecurityData SecurityAPI7 Enterprise