API7 Enterprise v3.2.16: Integrated Secret Providers
October 10, 2024
In API7 Enterprise, you may store a large amount of sensitive information: SSL certificates and private keys, the usernames and passwords of consumer authentication credentials, and the credentials certain plugins need to connect to external systems.
API7 Enterprise v3.2.16 introduces the concept of "Secret Providers". You can now add secret provider resources that integrate with third-party secret managers, such as HashiCorp Vault, AWS Secrets Manager, and GCP Secret Manager, and reference sensitive information stored in them from API7 through variables. The reference format is:
$secret://$manager/$id/$secret_name/$key
How to Use Secret Providers?
Adding a Secret Provider
In the Gateway Group menu, a new "Secret Provider" option is added. Click the button to access the secret provider list page. Then, click the "Add Secret Provider" button in the top right corner of the page.
In the pop-up window, fill in the basic information about the secret provider and select the secret management service type, for example, HashiCorp Vault. Then provide the service access address and the authentication token for your HashiCorp Vault configuration. The token is the one credential that still has to live in API7, so issue it with a read-only Vault policy scoped to the paths the gateway needs rather than reusing a root or administrative token.
Viewing a Secret Provider
After creation, we can view the specific configuration details and the secret variable example on the secret provider details page.
The format of the secret variable is $secret://$manager/$id/$secret_name/$key, with the following meanings:
- $secret: A fixed prefix, no replacement needed
- $manager: The secret management service type (for example, vault for HashiCorp Vault)
- $id: The ID of the secret provider resource
- $secret_name: The name of the secret in the secret management service
- $key: The key corresponding to the secret in the secret management service
For example, with a secret provider ID of my-provider and a secret management service type of HashiCorp Vault, referencing a secret named my-secret with the key password gives the following secret variable:
$secret://vault/my-provider/my-secret/password
Currently, HashiCorp Vault is the only supported secret management service; AWS Secrets Manager and GCP Secret Manager will be available soon.
Referencing a Secret Variable
Once the secret provider is created, you can reference externally stored sensitive information through variables in various API7 Enterprise resources. For example, when adding Basic Authentication credentials for a consumer, you can keep the password in the external secret management service and reference it from API7 Enterprise, so the password itself is never stored in the gateway configuration.
Similarly, on pages without a form, such as the plugin editor, you can type the secret variable directly as a string into any field that supports secret references.
Viewing Reference Relationships
When a variable from my-provider is referenced in consumer credentials, this reference relationship appears in the secret provider's reference list. Other resources that reference the provider are shown in the same list, which makes it easy to track where the secret provider is used.
Editing or Deleting a Secret Provider
When you edit or delete a secret provider, the system checks these reference relationships so that no resource is left referencing a variable that no longer resolves, which would otherwise lead to configuration errors.
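As an added example (this is not code from API7 Enterprise or Apache APISIX), the following Python models the two behaviours described above: resolving a secret variable of the form $secret://$manager/$id/$secret_name/$key against a configured provider, and scanning resource configurations for references to a provider before it is edited or deleted. The provider table, the in-memory stand-in for Vault's key/value data, the error cases and the sample consumer configurations are all constructed for the example; the real gateway fetches secrets from the secret manager at runtime.

```python
import re
from dataclasses import dataclass

# Secret variable grammar from the post: $secret://$manager/$id/$secret_name/$key
SECRET_REF = re.compile(
    r"^\$secret://(?P<manager>[A-Za-z0-9_-]+)/(?P<id>[^/]+)/"
    r"(?P<secret_name>[^/]+)/(?P<key>[^/]+)$"
)


@dataclass(frozen=True)
class SecretRef:
    manager: str      # secret management service type, e.g. "vault"
    id: str           # ID of the secret provider resource in the gateway group
    secret_name: str  # name of the secret inside the secret manager
    key: str          # key within that secret


def parse_secret_ref(value: str):
    """Return a SecretRef if value is a secret variable, or None if it is a plain literal."""
    m = SECRET_REF.match(value)
    return SecretRef(**m.groupdict()) if m else None


class SecretResolveError(Exception):
    """Raised when a secret variable cannot be resolved (unknown provider, secret or key)."""


# Constructed stand-ins (an assumption, not API7's data model): the secret providers
# configured in a gateway group, and the key/value data Vault would return for each.
PROVIDERS = {
    "my-provider": {"type": "vault"},
}
FAKE_VAULT_KV = {
    "my-provider": {"my-secret": {"username": "jack", "password": "s3cr3t"}},
}


def resolve(value: str) -> str:
    """Resolve one configuration field: literals pass through, secret variables are looked up."""
    ref = parse_secret_ref(value)
    if ref is None:
        return value
    provider = PROVIDERS.get(ref.id)
    if provider is None:
        raise SecretResolveError(f"unknown secret provider {ref.id!r}")
    if provider["type"] != ref.manager:
        raise SecretResolveError(f"provider {ref.id!r} is {provider['type']}, not {ref.manager}")
    secret = FAKE_VAULT_KV.get(ref.id, {}).get(ref.secret_name)
    if secret is None or ref.key not in secret:
        raise SecretResolveError(f"{ref.secret_name}/{ref.key} not found in provider {ref.id!r}")
    return secret[ref.key]


def find_references(resources, provider_id: str):
    """Walk nested dict/list configs; return (path, variable) for every field referencing provider_id."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [str(k)])
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [str(i)])
        elif isinstance(node, str):
            ref = parse_secret_ref(node)
            if ref is not None and ref.id == provider_id:
                hits.append((".".join(path), node))

    walk(resources, [])
    return hits


def can_delete_provider(resources, provider_id: str) -> bool:
    """The reference check from the post: refuse deletion while any resource still references the provider."""
    return not find_references(resources, provider_id)


# Constructed sample resources: one consumer references the provider, one uses a literal key.
SAMPLE_RESOURCES = {
    "consumers": [
        {"username": "jack",
         "plugins": {"basic-auth": {"username": "jack",
                                    "password": "$secret://vault/my-provider/my-secret/password"}}},
        {"username": "rose", "plugins": {"key-auth": {"key": "literal-api-key"}}},
    ]
}

if __name__ == "__main__":
    print(resolve("$secret://vault/my-provider/my-secret/password"))
    for path, var in find_references(SAMPLE_RESOURCES, "my-provider"):
        print(f"{path} -> {var}")
    print("safe to delete my-provider:", can_delete_provider(SAMPLE_RESOURCES, "my-provider"))
```

Two points the model makes visible: a reference whose manager does not match the provider's type, or whose secret or key is absent, fails at resolution time rather than silently yielding an empty credential, and the reference walk is the same check that has to run before a provider is edited or deleted, since the consumer at consumers.0 would otherwise be left with an unresolvable password.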
Summary
By integrating with external secret management services, such as HashiCorp Vault, API7 Enterprise enhances the convenience of referencing externally stored sensitive information across various resources. This integration reduces the risks and costs associated with manual management of such information. Looking ahead, we plan to support more types of secret management services to meet the growing needs of users, ensuring both flexibility and security in the management of sensitive information.