Apigee Authorizers configuration reference
Learn how you can configure your Apigee Edge or Apigee X authorizers to adjust their settings to your needs.
About Apigee Authorizers configuration
Both the Apigee Edge Authorizer and the Apigee X Authorizer are configured through a single YAML file, and the same keys apply to both. Below is an example of what the reference.yaml file looks like:
```yaml
# acp
acp:
  reload_interval: 1m0s # reload interval
  reload_timeout: 30s # reload configuration timeout
  issuer_url: https://localhost:8443/sample/system # issuer url
  client_id: bqesdrc4m4co2s81mpu0 # client id
  client_secret: LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA # client secret
  tenant_id: "" # tenant id
  server_id: "" # server id
# http client
http_client:
  timeout: 10s # http client timeout
  retry_wait_min: 0s # minimum time to wait between retries
  retry_wait_max: 0s # maximum time to wait between retries
  retry_max: 0 # maximum number of retries
  root_ca: "" # root ca that this client should trust (defaults to system root ca)
  insecure_skip_verify: false # disable cert verification
  disable_follow_redirects: false # disable follow redirects
  disable_retry: true # disable retry
# metrics
metrics:
  enabled: false # enable metrics endpoint
  port: 9000 # metrics endpoint port
# analytics
analytics:
  enabled: true # when enabled, events are sent to audit log
  # sampling
  sampling:
    probability: 1 # probability of an event being published (0.0-1.0)
    batch_inverval: 1s # max duration to wait for a batch to publish
    batch_limit: 100 # max number of events in a batch
    limit: 5 # max number of batches per second to be published
    timeout: 5s # timeout for a single batch to send
    workers: 8 # number of sending workers
# cache
cache:
  ttl: 10s # ttl
  max_size: 100 # max size
# logging config
logging:
  level: info # log level severity
# token exchange config
token_exchange:
  enabled: false # enable token exchange
  # cache
  cache:
    ttl: 1m0s # ttl
    max_size: 1000 # max size
  # inject config (supported only for istio authorizer)
  inject:
    mode: "" # defines what token should be sent to the target service when the token is exchanged
    # headers config
    headers:
      exchanged_token: "" # name of the header that carries the exchanged token
      original_token: "" # name of the header that carries the original token
      strip_bearer: false # strip the Bearer prefix in headers
# enforcement config
enforcement:
  allow_unknown: false # allow requests with no matching rule
# http server
http_server:
  port: 8442 # http port
  dangerous_disable_tls: false # disables TLS
  # certificate configuration
  certificate:
    password: "" # key passphrase
    cert_path: "" # path to the certificate PEM file
    key_path: "" # path to the key PEM file
    cert: "" # base64 encoded cert PEM
    key: "" # base64 encoded key PEM
    generated_key_type: ecdsa # type for the generated key if cert and key are not provided (rsa or ecdsa)
    client_auth_type: 0 # client auth type
# apigee
apigee:
  product_name: ApigeeX # one of ApigeeX or ApigeeEdge
  shared_flow_path: data # path to a directory with an apigee shared flow definition
  # service discovery configuration
  discovery:
    enabled: true # when true, API discovery is enabled
    # filters limit the number of discovered APIs
    filters:
      product_name_regexp: "" # filter discovered APIs by Apigee product name (allowlist)
      environment_name_regexp: "" # filter discovered APIs by Apigee environment name (allowlist)
  # apigee edge configuration, leave empty in case of ApigeeX
  apigee_edge:
    username: "" # username (email address format)
    password: "" # password
    organization_id: "" # organization name
    base_url: https://api.enterprise.apigee.com # URL of Apigee API
    token_url: https://login.apigee.com/oauth/token # URL of Apigee Authorization API
    use_token: true # when true, the client exchanges credentials for a token; when false it uses basic auth
    debug: false # dumps http traffic to the Apigee API, useful for debugging connection issues
```
You can generate a reference configuration for your authorizer with the `docker-compose run apigee-authorizer reference` command.
Use the reference configuration as the basis for your own: omit settings whose defaults are satisfactory and specify only the values you need. The client ID, client secret, and issuer URL (acp.client_id, acp.client_secret, and acp.issuer_url) are always required. The example below additionally switches the product to Apigee Edge and supplies the Edge credentials as environment variables:
```yaml
environment:
  - ACP_RELOAD_INTERVAL=5s
  - APIGEE_APIGEE_PRODUCT=ApigeeEdge
  - APIGEE_APIGEE_EDGE_USERNAME=username
  - APIGEE_APIGEE_EDGE_PASSWORD=password
  - APIGEE_APIGEE_EDGE_ORGANIZATION_ID=org-id
```
Tip
Nested YAML settings are addressed by joining the uppercased key names with underscores, as in the example above, where APIGEE_APIGEE_EDGE_PASSWORD=password sets apigee.apigee_edge.password.
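The following Python script is an added example (it is not part of the authorizers or of this page) that applies the naming rule from the Tip to a whole configuration and, while walking it, flags the settings from the reference file whose comments describe turning off TLS, certificate verification, or enforcement. It works on a plain dict shaped like reference.yaml, constructed inline so no YAML library is needed. The optional prefix argument is there because this page's own examples are not consistent about a leading APIGEE_ (compare ACP_RELOAD_INTERVAL with APIGEE_ACP_CLIENT_ID), so check which form your authorizer version accepts; the set of weak settings and secret key names is this example's choice, not a list published by the project.

```python
from typing import Any, Iterator

Path = tuple[str, ...]

# Constructed sample: a subset of reference.yaml as a developer might fill it in
# for local testing. Two settings deliberately disable TLS protections so that
# audit() has something to report.
SAMPLE_CONFIG: dict[str, Any] = {
    "acp": {
        "reload_interval": "5s",
        "issuer_url": "https://localhost:8443/sample/system",
        "client_id": "bqesdrc4m4co2s81mpu0",
        "client_secret": "LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA",
    },
    "http_client": {"timeout": "10s", "insecure_skip_verify": True},
    "http_server": {"port": 8442, "dangerous_disable_tls": True},
    "enforcement": {"allow_unknown": False},
    "apigee": {
        "product_name": "ApigeeEdge",
        "apigee_edge": {
            "username": "user@example.com",
            "password": "password",
            "use_token": True,
        },
    },
}


def flatten(cfg: dict[str, Any], prefix: Path = ()) -> Iterator[tuple[Path, Any]]:
    """Walk nested mappings depth-first and yield (key path, leaf value) pairs."""
    for key, value in cfg.items():
        if isinstance(value, dict):
            yield from flatten(value, prefix + (key,))
        else:
            yield prefix + (key,), value


def env_name(path: Path, prefix: str = "") -> str:
    """Apply the Tip's rule: uppercase each key and join with underscores.
    `prefix` is an assumption for deployments whose variables start with APIGEE_."""
    parts = ([prefix] if prefix else []) + [key.upper() for key in path]
    return "_".join(parts)


def env_value(value: Any) -> str:
    """Render a leaf the way it is written in an environment variable."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def to_env(cfg: dict[str, Any], prefix: str = "") -> list[str]:
    """Produce KEY=value lines for every leaf of the configuration."""
    return [f"{env_name(path, prefix)}={env_value(value)}" for path, value in flatten(cfg)]


# Keys from reference.yaml whose comments describe disabling a protection,
# paired with the value that does so. Chosen for this example.
WEAK_SETTINGS: dict[Path, Any] = {
    ("http_client", "insecure_skip_verify"): True,   # no certificate check towards ACP
    ("http_server", "dangerous_disable_tls"): True,  # authorizer listens in plaintext
    ("enforcement", "allow_unknown"): True,          # fail-open for unmatched requests
}

# Leaf names that hold credentials; keeping them inline in a mounted file is
# weaker than injecting them as environment variables from a secret store.
SECRET_KEYS = {"client_secret", "password", "key"}


def audit(cfg: dict[str, Any]) -> list[str]:
    """Return one finding per weak setting and per inline secret found in cfg."""
    findings: list[str] = []
    for path, value in flatten(cfg):
        dotted = ".".join(path)
        if path in WEAK_SETTINGS and value == WEAK_SETTINGS[path]:
            findings.append(f"{dotted}={env_value(value)} disables a security control")
        if path[-1] in SECRET_KEYS and value:
            findings.append(f"{dotted} is stored inline; inject it as {env_name(path)} instead")
    return findings


if __name__ == "__main__":
    for line in to_env(SAMPLE_CONFIG):
        print(line)
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against a dict loaded from your own YAML (for example with PyYAML's safe_load) before committing a configuration; any finding from audit() is a setting to justify or revert, and the to_env() lines are the override set to put under environment: in docker-compose.yml.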
Running authorizers
With a configuration file
- Add a `volumes` parameter to your docker-compose.yml file:

  ```yaml
  volumes:
    - /Path/To/Your/Authorizer/apigee-{your_authorizer_version}-authorizer:/apigee
  ```

  The {your_authorizer_version} placeholder is either x or edge. `volumes` mounts the host directory (/Path/To/Your/Authorizer/apigee-{your_authorizer_version}-authorizer) into the authorizer's container at /apigee. This is the directory from which the running authorizer reads your configuration.
- Use the `--config` option to point at your YAML configuration file. For example, if you created apigee_edge_config.yaml in that directory, the docker-compose run command looks like this:

  ```shell
  docker-compose run apigee-authorizer --config=/apigee/apigee_edge_config.yaml
  ```
Client authentication for Apigee Edge Authorizer
By default, the Apigee Edge Authorizer authenticates to your Apigee Edge instance with OAuth2 access tokens; this is controlled by the `use_token: true` setting in the Apigee Edge Authorizer's configuration. To use Basic Authentication instead, set it to `false`, for example by adding the APIGEE_APIGEE_EDGE_USE_TOKEN=false environment variable to the docker-compose.yml file for your authorizer's deployment. Keep in mind that with Basic Authentication the username and password are sent on every request to the Apigee API instead of being exchanged for a token.
With environment variables in the docker-compose run command
To run the authorizer without a full configuration file, pass the environment variables in your docker-compose run command. Each variable needs its own -e flag, and the flags must come before the service name:

```shell
docker-compose run -e APIGEE_ACP_CLIENT_ID={your_client_id} -e APIGEE_ACP_CLIENT_SECRET={your_client_secret} apigee-authorizer
```

Prefer this form (or a secret store feeding the environment) over writing the client secret into a mounted configuration file. If a variable is not picked up, compare its name against the naming rule in the Tip above.