Tyk + Vault Integration

Marcos-Oleiro · April 5, 2021, 12:28pm

Hi,

I want to integrate Tyk with Vault because I need to get secrets that will be injected as a header in the request, I managed to do it with middleware but I saw that there is a way to do it without it (Key Value secrets storage for configuration in Tyk). But that part “For body transforms and URL rewrites, the prefixes are $ secret_vault., $ Secret_consul. And $ secret_conf.” it wasn’t very clear to me.

Example:
The configuration for the vault in the .config file looks like this:

"kv": {
  "vault": {
    "address": "http://host.docker.internal:8200",
    "max_retries": 3,
    "timeout": 30,
    "token": "root",
    "kv_version": 2
  }
}

If I want to get the secrets via request I use the following address:

http://127.0.0.1:8200/v1/myengine/data/user1

engine name: myengine
path: user1

I’m trying to log the secret into the middleware like this:
log ($secret_vault.myengine.user1)
but I’m having the error:
time = “Apr 05 12:18:53” level = error msg = “Failed to run JS middleware” api_id = keyless api_name = “Tyk Test Keyless API” error = “ReferenceError: ‘$ secret_vault’ is not defined” mw = DynamicMiddleware org_id = default origin = 172.29.0.1 path = “/ keyless / get”

Can someone tell me how i can do this?

Marcos Oleiro

Valmir · April 5, 2021, 6:00pm

Hi @Marcos-Oleiro, thank you for the question. Our team is currently looking at this as well and will get back to you as soon as we can!

–
Valmir

Marcos-Oleiro · April 5, 2021, 6:42pm

I wanna add that im having same error whent i try to log a secret from .conf file, like this:

 //.conf file
 "secrets": {
     "gateway": "secret"
  },

On middleware i’m tryong to access this secret with var a = $secret_conf.gateway.

Error:
time=“Apr 05 18:35:20” level=error msg=“Failed to run JS middleware” api_id=keyless api_name=“Tyk Test Keyless API” error=“ReferenceError: ‘$secret_conf’ is not defined” mw=DynamicMiddleware org_id=default origin=172.29.0.1 path="/keyless/"

Marcos-Oleiro · April 9, 2021, 1:37pm

So, nothing new about it?

leon · April 9, 2021, 1:52pm

Hi! There is no direct access to secrets from inside the plugin.
The closest thing you can do is to inject secret into HTTP header (using global headers middleware), and then read and remove it via middleware.

Marcos-Oleiro · April 9, 2021, 5:52pm

Hello @leon, you say like this?

leon · April 9, 2021, 5:57pm

If you want it globally, more like this:

"version_data": {
  "versions": {
    "Default": {
      "name": "Default"
      "global_headers": {
        "Foo": "$secret_conf.gateway"
      }
  }
}

Marcos-Oleiro · April 9, 2021, 5:59pm

Does it works with vault too? like “$secret_vault…”

leon · April 9, 2021, 6:03pm

Yes! But only nuance here is that header transformation middleware runs between PRE and POST stage tyk/api_loader.go at master · TykTechnologies/tyk · GitHub
E.g. your plugin should be “post” type.

PS. Virtual endpoint will work too.

Marcos-Oleiro · April 9, 2021, 6:09pm

Got it! If i can do this with transformation/global header i dont even gonna need middleware. Actually i’ve tried to get the values from Vault but didn’t worked out for me. I should use $secret_vault.myengine.user1.senha, where ‘myengine’ is engine’s name, ‘user1’ is the path and ‘senha’ is the key?