This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Storing credentials,sensitive config - KVM v/s Vault

on ‎04-13-2015 04:05 PM

Not applicable
8 25 5,967

Update: 2021 March 30

This article is out of date. It refers to two elements of the Apigee platform that have changed since this post was written.

  • The Key-Value Map, a persistent store
  • The Apigee Vault, another persistent store

In 2015, this post was accurate and helpful. In 2020, it is no longer accurate.

  • the Apigee Vault is no longer supported. It was part of the nodejs target, which has been deprecated, and is out of support since 2018 (I can't remember when exactly).
  • The KVM now supports encryption.

As regards KVM Encryption, in Apigee Edge, you can configure your KVM to be encrypted. In Apigee X, all KVM are encrypted.

So, in summary: use KVM to store sensitive data. In Apigee Edge you can encrypt it. In Apigee X, it is always encrypted, with your key.

I've left the original post and comments for posterity's sake.

ORIGINAL POST

I have had this conversation with some of my peers on which approach to take while storing the credentials and other sensitive configuration which can be accessed by the runtime api in a secure and a performant way. The words "secure" and "performant" are important since we would want to have them both.

Two top choices would clearly be KVM and Apigee-Vault(Secure store service). Lets discuss about each and try come up with a more viable solution based on the use case.

The KVM way -

KVM's have been used in many,many implementations for storing environment related configurations like backend url's, usernames, passwords etc.

Pros -

1) Out of the box policy to GET,PUT or DELETE a KVM resource(KVM operations)

2) Performant, it was(may be is) known to have cached the KVM resources for some time, which can be super performant if almost every api call is performing the KVM operation.

3) You can have one place to store all your configurations, making it super easy for operations to maintain it.

4) Can be scoped all the way from org,env,proxy all the way through policy.

Cons -

1) Content is NOT encrypted by itself while storing data and is stored as plain text(However I think is should be a simple step to encrypt the data before storing it)

2) If not used correctly, say if it is used to store tremendously large data, then it could have an implication on the runtime traffic.

The Vault way -

Pros -

1)Data is encrypted and not stored as plain text!!

Cons -

1) No out of the box policy to retrieve the data - Needs a method apigee.getVault() which can be accessed through node.js

2) Configs stored in different places - You might not want all your configuration to be store in the Vault and would end up storing some either in config.json or KVM, which could be difficult to maintain.

3) Not necessarily a con but unlike KVM Vaults can only be scoped to an org or an environment level.

Topic Labels
Comments
Not applicable
‎04-13-2015 10:38 PM

While Vault is more difficult to use, it's almost certainly the best way to store sensitive data such as credentials. Two facts make me believe this: 1) Vault is encrypted, but other potential methods are not, and 2) Practically speaking, information stored in Vault can only be *retrieved* by a runtime proxy making it more difficult for unauthorized personnel to gain access, where KVM can be accessed at runtime *and* via the management API. Non-sensitive data can be stored in many other places (KVM and custom attributes on the API Product, Developer or Developer Application come to mind most often), but credentials really should be encrypted when stored and access should be controlled as closely as possible.

Even though Vaults are scoped to org or environment level, you can have many entries at each level. This gives you a roughly equivalent level of flexibility to that provided by proxy-scoped KVM entries.

Not applicable
‎04-15-2015 09:50 AM

@Chris von See Very valid point. However, my concern is this - Since the only method of retrieving the vault variables is through a node.js implementation and currently node.js can only be implemented as a target and not a callout, this might impact my analytics.

Say if I have to grab the credentials for almost every api call hitting a target, How will I get the correct analytics with what you are suggesting? @David Allen

Not applicable
‎04-16-2015 07:08 AM

@Vinit Mehta You're correct in saying that target latency metrics won't be accurate because the actual target call may not be made from the endpoint defined in the TargetEndpoint. Other analytics - call counts, overall resource request latency, error codes, etc. are still valid.

Calling your target endpoint from Node.js might be one way to address the point you raise.

Not applicable
‎04-16-2015 08:40 AM

@Chris von See Just to clarify - when you say other analytics are still valid that is assuming you are calling the actual target as well from node.js, correct?

ceber
Staff
‎04-16-2015 08:51 AM

Vault is definitely the way to go. There's an enhancement request to enable access to vault storage from the regular proxy flow. IMO that's required, so hopefully the primary con will go away.

Not applicable
‎04-16-2015 09:08 AM

No, what I mean is that even if you call the real "target" via a ServiceCallout policy after the script target is called your overall request latency numbers (but not the target latency numbers) will still be accurate. I thought perhaps calling the target from Node.js after retrieving the creds from Vault might give you more accurate target latency stats as well.

mdunker
Staff
‎04-16-2015 02:45 PM

Nice write up, @Vinit Mehta.

I believe KVMs can be used safely, but it is strongly recommended to lock them down via RBAC and encrypt data that is put in them, decrypting in the proxy. I feel that there is a cost to the use of Vault at this time, potentially forcing users to use node if they aren't using it otherwise.

That being said, as soon as Vault is available via policy, it will surely be the preferred way.

Not applicable
‎04-16-2015 03:10 PM

Nice point @Mike Dunker , one more advantage of using KVM is that it will be cached in Mp and lookup can be fast where as Vault if believe its on Cassandra but not sure if we have cache enabled for that . any idea @Vinit Mehta ?

sarthak
New Member
‎05-28-2015 02:52 PM

@Maruti Chand I do not think Vault has any cache enabled in front of it.

ozanseymen
Staff
‎05-28-2015 03:05 PM

I don't think we can pass any security review if we store plain text passwords in C*. We also need to think about private cloud here as original article didn't make any distinctions.

Another approach is to create a new proxy with a node.js target just to get the data from vault. Original proxy will then cache the data for x hours. Not the best approach but seems good enough until we get policy access to vault... This option obviously requires protection around this vault access api.

Not applicable
‎02-04-2016 10:30 AM

Just curious, is this still an enhancement request or is work already completed/underway to create a Vault-Access sort of policy?

jdsa
New Member
‎02-04-2016 10:41 AM

Yes. Work is underway. Please stay tuned.

Not applicable
‎04-12-2016 12:16 PM

Is there somewhere that we can look for updates on this?

jdsa
New Member
‎04-12-2016 12:54 PM

Nowhere public but we should have something towards the end of April.

Not applicable
‎04-12-2016 01:18 PM

Forgot to ask - will it also be available for on-prem as well in April? or a future release? (we are on-prem)

jdsa
New Member
‎04-12-2016 04:00 PM

All our features roll out to the cloud first and are then automatically available in the next on-prem release. We are in an advanced date of development and are hoping to go live around the April timeframe. Things might change just a bit. If things look good in the cloud, they will definitely be in the following on-prem release.

mchalmers
New Member
‎05-23-2016 02:40 AM

What difference - if any - in auditing / logging capability between these methods? How granular is the logging around access to KVM via Management APIs - e.g. in case of a key change actions? Does audit logging differ by user type?

ozanseymen
Staff
‎05-23-2016 02:48 AM

@mchalmers - we only audit log create/update/delete actions on developers, users, organisations, api products, api proxies and apps - currently. So KVM and vault get/set operations are not audit logged.

Not applicable
‎05-23-2016 01:35 PM

Hi @Joel D'sa

Any update on this feature? Has it been already released in the cloud? What are the plans for on-prem release? Thank you in advance!

williamking
New Member
‎07-22-2016 02:51 PM

@Joel D'sa I'm looking to access vault values from within a policy (as opposed to Node). Is this feature available in cloud deployment? Haven't found it.

jdsa
New Member
‎07-22-2016 03:01 PM

Yeah sorry guys. This is a feature ready to go but we need to reprioritize shipping it in favor of some other features. This should be in production middle of August. I will definitely update this thread if that date changes.

Not applicable
‎08-15-2016 10:24 AM

Hey - it's mid-August now - any word on this feature? We're looking forward to it!

jdsa
New Member
‎08-15-2016 10:39 AM

The feature is complete but it's not quite production ready yet. Would you want to give it a spin in a beta environment? We would love some feedback.

akoo
New Member
‎10-28-2016 09:44 AM

Hello all, I wanted to add an important note: encrypted KVMs are here. Details are in our documentation: http://docs.apigee.com/api-services/reference/key-value-map-operations-policy . You now have an option for encrypted data without having to use Node.js.

Version history
Last update:
‎04-13-2015 04:05 PM
Updated by: