Environmentalizing credentials

2 minute read

Overview

Environmentalizing the configuration variables allows you to tailor the API Builder configuration to the environment it is being deployed to at deployment time. Additionally, environmentalizing the credentials also ensures their security. Credentials, by their very nature, contain sensitive information that you do not want to expose by committing them to your source control management (SCM). Credentials may also contain time-sensitive information, such as OAuth 2.0 access tokens.

Configuring credentials

The credential configuration uses the same approach for environmentalization as the rest of the API Builder configuration; any value can be read from an environment variable on startup by replacing it with process.env.VAR_NAME.

If API Builder is running in a containerized environment, these environment variables are passed into the container on startup. For information on containerizing an API Builder application, see Dockerize an API Builder Service.

API Key

For API Key credentials, you should environmentalize the key variable. For example, the key is read from the environment variable WEATHER_KEY on startup:

// default.js

...,
authorization: {
    credentials: {
        "My Weather": {
            type: "apiKey",
            key: process.env.WEATHER_KEY
        }
    }
},
...

HTTP Basic

For HTTP Basic credentials, you should environmentalize the username and password variables. For example, the username and password are read from the environment variables SERVICE_USER and SERVICE_PASS respectively on startup:

// default.js

authorization: {
    credentials: {
        "API Builder service": {
            type: "basic",
            username: process.env.SERVICE_USER,
            password: process.env.SERVICE_PASS
        }
    }

OAuth 2.0

OAuth 2.0 credentials contain both sensitive information and time-sensitive information. In most cases, you should environmentalize the client_id, client_secret, refresh_token, and access_token.

// default.js

authorization: {
    credentials: {
        gmail: {
            type: 'oauth2',
            flow: 'accessCode',
            authentication_url: 'https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent',
            token_url: 'https://accounts.google.com/o/oauth2/token',
            client_id: process.env.GMAIL_CLIENT_ID,
            client_secret: process.env.GMAIL_CLIENT_SECRET,
            scope: 'https://mail.google.com/',
            access_token: process.env.GMAIL_ACCESS_TOKEN || null,
            refresh_token: process.env.GMAIL_REFRESH_TOKEN || null
        }
    }
}

The || null on the access_token and refresh_token is not required, but if it is omitted, you must have set the environment variables. With the || null included, API Builder will start, and while developing, you can perform the initial token grant in the Admin Console UI.

Last modified October 5, 2021: Fix all sections of the docs to be compliant. (#24) (b0bcdbc)