Auth Manager?

AuthManager consists of two entities:

  • CryptoManager for encryption and signing
  • SecretManager for secrets

Secret Manager

Its only function is to retrieve secrets.

There is out-of-the-box support for:

  • AWS KMS (${WS_SM1:})
  • Azure KeyVault (${AZURE_SM1:})
  • Cyberark (${CYBERARK_SM1:})
  • System properties (${SYS:})

External providers

The configuration example below shows how a secret can be retrieved from within any entity configuration (DataSource, DataFeed, DataSink) from any of the external providers: AWS KMS, Azure KeyVault or Cyberark.

{
    "username": "apiropublic",
    "password": "${SYS:APIRO_GITHUB_PW}", 
    //"password": "${WS_SM1:APIRO_GITHUB_PW}",
    //"password": "${AZURE_SM1:APIRO_GITHUB_PW}",
    //"password": "${CYBERARK_SM1:APIRO_GITHUB_PW}",  
    "gitURL": "https://github.com/redapiro/apiro_examples.git",
    "branch": "main",
    "pathPrefix": "/artifacts/source_files/customers_a.xlsx"
}

Local system properties and secrets

  • Local system properties and keys must be encrypted. There should be no raw passwords, keys or secrets copied in a local system file.
    <!-- This can be committed to the Git repository, e.g. /sysprops/SYSPROP_GITHUB.xml -->
    <apiroConf>
        <loadOrder>3</loadOrder>
        <envProperties>
            <envProperty>
                <!--<env>APIRO_PRE_DEMO</env> should match -> docker-compose.yaml APIRO_INSTANCEID: APIRO_PRE_DEMO-->
                <name>APIRO_GITHUB_PW</name>
                <value>asdfoiahjsdfoilkjsadh;asdf987798fdaailbdfubhaoksdfh</value>
                <encrypted>true</encrypted>
            </envProperty>
        </envProperties>
    </apiroConf>
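
One way to enforce the "no raw passwords, keys or secrets" rule before files reach Git, as an added example that is not Apiro's own code: a lint that flags sensitive fields in an entity configuration whose value is not a secret placeholder, and sysprops entries not marked encrypted. The field-name heuristic, the property name APIRO_DB_PW and all sample values are constructed assumptions; the check reads only the `<encrypted>` flag and cannot confirm that a value really is ciphertext.

```python
import json
import re
import xml.etree.ElementTree as ET

# Provider prefixes as listed on this page; the field-name heuristic is an assumption.
PLACEHOLDER = re.compile(r"^\$\{(WS_SM1|AZURE_SM1|CYBERARK_SM1|SYS):[A-Za-z0-9_.-]+\}$")
SENSITIVE = re.compile(r"password|passwd|secret|token|api_?key", re.I)

def strip_line_comments(text):
    """Drop whole-line // comments (as in the page's sample) without touching URLs."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))

def check_entity_config(text):
    """Return paths of sensitive string fields that are not secret placeholders."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and SENSITIVE.search(path.rsplit(".", 1)[-1]):
            if not PLACEHOLDER.match(node):
                findings.append(path)
    walk(json.loads(strip_line_comments(text)), "")
    return findings

def check_sysprops(xml_text):
    """Return names of envProperty entries not marked <encrypted>true</encrypted>."""
    root = ET.fromstring(xml_text)  # run on your own repository files only
    return [p.findtext("name", "?") for p in root.iter("envProperty")
            if (p.findtext("encrypted") or "").strip().lower() != "true"]

# Constructed sample inputs (not from a real deployment).
SAMPLE_CONFIG = """{
    "username": "apiropublic",
    //"password": "${SYS:APIRO_GITHUB_PW}",
    "password": "hunter2",
    "gitURL": "https://github.com/redapiro/apiro_examples.git"
}"""
SAMPLE_SYSPROPS = """<apiroConf><envProperties>
  <envProperty><name>APIRO_GITHUB_PW</name><value>c2FtcGxl</value><encrypted>true</encrypted></envProperty>
  <envProperty><name>APIRO_DB_PW</name><value>changeme</value><encrypted>false</encrypted></envProperty>
</envProperties></apiroConf>"""
```

Run both checks from a pre-commit hook or CI step and fail the build when either returns a non-empty list.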
    

Encryption Manager

It can sign and encrypt, but it cannot retrieve secrets.

You can use the Encryption Manager via the UI. Go to Tools -> Secret Manager and generate the encrypted secret as shown in the screenshot below. Then copy the value into your properties files and push it to Git.

Note: every Apiro instance uses a different seed, so you cannot share keys between environments.

[Screenshot: generate_secret]