Environmentalizing credentials
2 minute read
Overview
Environmentalizing the configuration variables allows you to tailor the API Builder configuration to the environment it is being deployed to at deployment time. Additionally, environmentalizing the credentials also ensures their security. Credentials, by their very nature, contain sensitive information that you do not want to expose by committing them to your source control management (SCM). Credentials may also contain time-sensitive information, such as OAuth 2.0 access tokens.
Configuring credentials
The credential configuration uses the same approach for environmentalization as the rest of the API Builder configuration; any value can be read from an environment variable on startup by replacing it with process.env.VAR_NAME
.
If API Builder is running in a containerized environment, these environment variables are passed into the container on startup. For information on containerizing an API Builder application, see Dockerize an API Builder Service.
API Key
For API Key credentials, you should environmentalize the key
variable. For example, the key
is read from the environment variable WEATHER_KEY
on startup:
// default.js
...,
authorization: {
credentials: {
"My Weather": {
type: "apiKey",
key: process.env.WEATHER_KEY
}
}
},
...
HTTP Basic
For HTTP Basic credentials, you should environmentalize the username
and password
variables. For example, the username
and password
are read from the environment variables SERVICE_USER
and SERVICE_PASS
respectively on startup:
// default.js
authorization: {
credentials: {
"API Builder service": {
type: "basic",
username: process.env.SERVICE_USER,
password: process.env.SERVICE_PASS
}
}
OAuth 2.0
OAuth 2.0 credentials contain both sensitive information and time-sensitive information. In most cases, you should environmentalize the client_id
, client_secret
, refresh_token
, and access_token
.
// default.js
authorization: {
credentials: {
gmail: {
type: 'oauth2',
flow: 'accessCode',
authentication_url: 'https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent',
token_url: 'https://accounts.google.com/o/oauth2/token',
client_id: process.env.GMAIL_CLIENT_ID,
client_secret: process.env.GMAIL_CLIENT_SECRET,
scope: 'https://mail.google.com/',
access_token: process.env.GMAIL_ACCESS_TOKEN || null,
refresh_token: process.env.GMAIL_REFRESH_TOKEN || null
}
}
}
The || null
on the access_token
and refresh_token
is not required, but if it is omitted, you must have set the environment variables. With the || null
included, API Builder will start, and while developing, you can perform the initial token grant in the Admin Console UI.