Setting environment variables and how to access them

Hi guys.

I am trying to figure out the best way of controlling different configurations.

For instance, I have a JWT Validation Policy that for obvious reasons has different configurations depending on whether I am in production or preproduction. For now I have created multiple policies, but I was wondering if there weren't a better way?

I looked into https://docs.apigee.com/api-platform/cache/creating-and-editing-environment-keyvalue-maps and I created a container and a new variable, but when I trace my request I don't see this variable anywhere, and certainly not inside the environment scope.

I tried using the variable in the policy under Issuer.

What am I doing wrong?

1 ACCEPTED SOLUTION

amitkumar2091
Participant III

Are you reading the KVM values using a Key Value Map Operations policy in your proxy?

KVMs can be environment specific, but values stored in the KVM do not propagate to context/flow automatically.

You have to use Key Value Map Operations policy to read from the KVM into context variables:

<KeyValueMapOperations  name="KVM-JWTAttributes" mapIdentifier="Identity">
    <DisplayName>KVM-JWTAttributes</DisplayName>
    <Properties/>
    <ExclusiveCache>false</ExclusiveCache>
    <ExpiryTimeInSecs>360</ExpiryTimeInSecs>
    <Get assignTo="var_auth0_jwt_issuer" index="1">
        <Key>
            <Parameter>auth0_jwt_issuer</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

This will set the value of the auth0_jwt_issuer key of the KVM Identity to the context/flow variable var_auth0_jwt_issuer.

Please use this document and configure the policy according to your need.

You can use it as a reference in the Generate JWT policy for Issuer.

<Issuer ref='var_auth0_jwt_issuer'/>

Now for every environment you can have a KVM with the same name and key but with a different value, and it can be evaluated at runtime.

For sensitive information please use encrypted KVM.

Hope this will help!

10 REPLIES

Hi @Amit Kumar

Thanks for your response. This did indeed enable the values and I can now use them - though I am experiencing a strange thing.

One of my values is "cut short". This is from the trace view.

The value typed into KVM is far bigger than that and contains a JSON object.

The documentation states:

The value of the key. Enter any combination of numbers, letters, or special characters.

Note that the total size of a KVM cannot be larger than 15 MB.

So what is going on? Any idea?

{"keys":[{"alg":"RS256","kty":"RSA","use":"sig","x5c":["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"],"n":"t0pAk4kQ3RS2cYZBeWMvmMsnNrRCJvjZ67El0uPGn7qNCwMYRtp_-n1WyYQYEQn-F8BrdsvlBL2-PtWLcpKmk4GmfLYzoCpnIxwpsBcDrUfH64SqZ9wHJthNQYzuEg2RrqprIpX4fd8O1Ig_7f35i83xCSowejAiKbloWg7bsBsH6DQ6B7kDpwKvBjBwLDcpNlSeQDMZfYde096yOL1ApP7Fh3cIuo4kyDjy-0pdn5xs1kDddHyDZwYv8mh1dOy5wTz55m1P-M9KFIGHWgWwHdAS3aU5adze3feduzwp4xMp3luDLv_hift_NQcBj6LowXfK5WUVOGiRfHBRbaDFow","e":"AQAB","kid":"NzMwNUYxRjlBRkQwMTI4ODg4MURFQkJCQkNGMTBEQkM2RjlGRDQzNA","x5t":"NzMwNUYxRjlBRkQwMTI4ODg4MURFQkJCQkNGMTBEQkM2RjlGRDQzNA"}]}<br>

Your image did not appear in the post.

The code-paste of the JSON... looks valid and complete. Looks like a JWKS payload.

Yes that was strange. Is it visible now?

I tried escaping the JSON; that didn't help. It breaks at the same point, when it first encounters a comma ",".

Ah, it works now! Seems like the comma is used as a separator, so when using index="1" in the KeyValueMapOperations policy it would only take the first array key. Removing the index="1" is now resulting in me having the full string! Perfect!

For reference:

https://community.apigee.com/questions/28095/max-length-of-a-kvm-variable-value.html
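
The configuration this thread arrives at, written out as an added example (not code posted by any participant): the KVM read omits index so the comma-containing JWKS comes back whole, as reported above, and a single VerifyJWT policy takes both values by ref. The key auth0_jwks, the variable var_auth0_jwks and the policy name JWT-Verify-Auth0 are assumptions for illustration.

```xml
<!-- Policy 1 (added example): read environment-scoped KVM entries into
     flow variables. Map name and issuer key are the ones used in the thread;
     the key auth0_jwks and the variable var_auth0_jwks are assumed names. -->
<KeyValueMapOperations name="KVM-JWTAttributes" mapIdentifier="Identity">
    <DisplayName>KVM-JWTAttributes</DisplayName>
    <ExclusiveCache>false</ExclusiveCache>
    <ExpiryTimeInSecs>360</ExpiryTimeInSecs>
    <!-- Issuer: a single value with no commas. -->
    <Get assignTo="var_auth0_jwt_issuer">
        <Key>
            <Parameter>auth0_jwt_issuer</Parameter>
        </Key>
    </Get>
    <!-- JWKS: JSON that contains commas. No index attribute here, so the
         whole entry is assigned rather than only the text before the
         first comma (the truncation seen in the trace with index="1"). -->
    <Get assignTo="var_auth0_jwks">
        <Key>
            <Parameter>auth0_jwks</Parameter>
        </Key>
    </Get>
    <Scope>environment</Scope>
</KeyValueMapOperations>

<!-- Policy 2 (added example): one VerifyJWT policy shared by every
     environment. It must run after Policy 1 in the flow so that both
     variables are populated. The policy name is an assumed name. -->
<VerifyJWT name="JWT-Verify-Auth0">
    <Algorithm>RS256</Algorithm>
    <PublicKey>
        <!-- Signing keys come from the per-environment KVM entry. -->
        <JWKS ref="var_auth0_jwks"/>
    </PublicKey>
    <!-- Expected issuer also differs per environment; ref= is required,
         curly-brace templates are not accepted for this element. -->
    <Issuer ref="var_auth0_jwt_issuer"/>
</VerifyJWT>
```

If the map is created as an encrypted KVM, the assignTo variable names need the private. prefix for the Get to succeed.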

Hi

I was wondering: if I'm using the Apigee local development environment, in which file are the key-value maps stored? And what is the format of that object? I'm looking for documentation about it, but I've had no success.

Regards!

Hi - I suggest you post a new, toplevel question, rather than posing a new question in a comment on a thread that is 5 years old.  You'll get better visibility and more clear engagement that way. 

good luck!

You cannot use this syntax in the JWT policies to specify the Issuer:

<Issuer>{variable_name_here}</Issuer>

The thing that allows a string that includes variable names wrapped by curly braces, to be transformed into a string that contains the values of those named variables... is called the Message Template. The Message Template is used in various places inside Apigee Edge configuration.

It can be a little frustrating and confusing in Apigee Edge - sometimes the Message Template is the thing, and sometimes it's a single reference to a variable, done via an attribute, like this:

<Issuer ref='variable_name_here'/> 

In JWT policies, almost all of the toplevel elements are specifiable with ref= . This syntax ^^ for Issuer is correct and valid. The same kind of syntax applies to Subject, Id, and other claims.

There is a way to specify a message template when adding custom claims or headers. This is explained in the documentation for the JWT policies, and is also summarized on the doc page for Message Template.

To repeat, Issuer is one that accepts a ref=.

Hi @Dino-at-Google

Thanks for clarifying - that makes sense 🙂