Authenticate using API keys
You can authenticate incoming Quorum Key Manager (QKM) requests using API keys.
Specify an API key file with the --auth-api-key-file command line option when starting QKM.
info
Starting Quorum Key Manager with API key authentication
key-manager run --auth-api-key-file=api_key_file.csv --manifest-path=/config/default.yml
API key file
The API key file is a CSV file with four columns:
- sha256({apiKey})
- username and optional tenant
- permissions
- roles
Each CSV line must be a unique API key and all API keys must be in UUID V4 format.
Example API key file
sha256({apiKey1}),tenant1|username1,"*:secret,*:keys","role-admin"
sha256({apiKey2}),username2,"read:*","role-guest"
To extract an API key, QKM uses the standard HTTP basic authentication scheme with a blank username and the API key as the password:
- Syntax
- Example
Authorization: Basic <base64({apiKey})>
Authorization: Basic OjA2ZGExYWZlLTE2ZDMtNDhmZS04ZWMyLWZlYTg2NDhkNzM3YQ==
If a user passes an API key that's in the CSV file, user information from the corresponding line in the CSV file is attached to the request.