-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: use files to manage secrets #11426
Comments
Using local files to save secrets will bring security risks. How to solve this problem? |
Can you elaborate which security risks you are worried about? If APISIX runs as a lower privileged user, it already can not access privileged files, like We have to make sure users, which do not have access to a file, can't abuse APISIX and then, for example, set the file contents as a response header, and thus stealing the file content. As a precaution, we could force APISIX to only load files owned by the same user the APISIX process is running as. This might be significantly limiting, as |
Let me explain my understanding. First, the administrators of secrets, API gateway, and server may be three people. If secrets are managed in vault, the administrators of API gateway and server cannot access secrets and have no permission to modify them. However, if secrets are managed through local files, the boundary of permission management becomes blurred. The administrator of secrets is everyone who has file read and write permissions. Second, we may be running hundreds or thousands of APISIX data planes, which means we need to protect thousands of servers from hacker attacks. If one of the servers has a system vulnerability that is exploited, the secrets will be leaked. Software like Vault can solve the above two security issues, which is one of its values. |
Sorry for my late response, I must have missed the email.
This is not entirely correct, though. The server admin is able to dump the secrets themselves, or the vault credentials, from the environment or from memory.
If the server is compromised, adversaries might have the same permissions as the server admin. And in the end, the server admin is able to access everything. I agree with you, that we want to prevent unauthorized access.
Vault is awesome! But often a too much of a burden to manage. Another key principle of security is simplicity, however. Many other reverse proxies store their certificates on disk as well: |
Description
As a user, I want to use files to manage secrets, so that I can load SSL certificates from disk.
As far as I can tell, currently, only vault kv, and the environment are supported secret stores.
For large secrets, which may change on occasion, like SSL certificates and keys, I'd like to see
file://
secrets.Basic Proposal
Simply use the content of the (absolute?) path provided, instead of, for example,
env
.JSON
Additionally, it makes sense to use the established syntax for
env
secrets to access subkeys, if the file contains JSON.file:///secret.json/apiKey
Possible Roadblocks
Permissions. Ideally, we want to ensure, that whoever is able to configure a key, must ensure they have the permissions to access the file.
Please let me know if there is interest for this to come to APISIX, and if this seems like something an external contributor (me) could reasonably implement.
The text was updated successfully, but these errors were encountered: