Manage API Tokens

Cisco Panoptica can manage the tokens that you use to access your API sites. It stores them securely in a Vault and injects them into your workloads (as environment variables) only when those workloads are deployed in clusters.

Benefits

Panoptica management of API tokens has these advantages:

  • Tokens are stored in a secure Vault deployed in your cluster, which is more secure than Kubernetes secrets, or hard-coded tokens.
  • Tokens are only injected into the workload when they are deployed, minimizing exposure.
  • You can create and apply Panoptica Deployment Policy rules to control which workloads can access specific APIs using the stored tokens.

Configure Clusters for Tokens

When you create a cluster, set the Step 1 option API token injection to Yes.

View Tokens

The TOKENS tab in the APIs page shows a list of tokens managed by Panoptica.


Add a Token

You can add new tokens to the Vault. Once added, they can be managed by Panoptica.

  1. In the TOKENS tab of the APIs page, click New Token.
  2. Enter a name for the token, as it will appear in the list in the TOKENS tab.
  3. Enter the path to the secret in the Vault (see "Add a secret to the vault", below, for details on how to obtain this).
  4. Select the APIs that use the token. These are APIs that are listed in the API Inventory.
  5. Set an Expiration Date for the token; after this date, the token cannot be used (optional).
  6. Select HTTP Attributes for the token, from the list. This determines where the token appears in the HTTP API transaction, either as a request parameter or a query parameter.
  7. Enter the HTTP path for the API endpoint.
  8. Click TOKEN INJECTION. This opens a new Deployment Policy rule for Token Injection. Complete the first three steps (Rule Properties, Workloads and Environment selection) as for all Deployment Policy Rules.
  9. Click FINISH to create the rule. The tokens in the rule will be injected into the workloads selected by the rule, as environment variables.

Add a secret to the vault

  1. Run this command to obtain the root token for the Vault that was added to the cluster:
     kubectl get secret bank-vaults -n securecn-vault -o jsonpath='{.data.vault-root}' | base64 --decode
  2. Set up port forwarding to the Vault UI service to access it locally:
     kubectl port-forward svc/vault -n securecn-vault 8200
  3. Open the Vault UI in a browser:
     https://localhost:8200
  4. Sign in to the Vault, using the token from step 1, above.
  5. Navigate to Secrets in the main menu.
  6. Select secret/ from the list of Secrets Engines.
  7. Click Create secret.
  8. Create a key and value pair for the secret, with the token to be stored as the value.
  9. The path to use in the New Token dialog in Panoptica (above) should be composed as follows:
    o The engine
    o The constant /data/
    o The value of Path for this secret
    o The character '#' followed by the key of the pair that you specified in the "Secret data" section

In the example depicted in the screenshot above, all this translates to secret/data/test#testkey

  10. Click Save.
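As an added example, not part of the Panoptica documentation or of Vault's own tooling, the following Python helper parses a secret reference in the engine/data/path#key form described above and extracts the key from the JSON that a Vault KV version 2 read of that path returns. The function names, the SecretRef type and the sample response are my own constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecretRef:
    engine: str  # KV secrets engine mount, e.g. "secret"
    path: str    # secret path inside the engine, e.g. "test"
    key: str     # key inside the secret's data, e.g. "testkey"

    def api_path(self) -> str:
        # KV v2 read endpoint; the "/data/" segment is why the reference contains it.
        return f"/v1/{self.engine}/data/{self.path}"


def parse_secret_ref(ref: str) -> SecretRef:
    """Split "<engine>/data/<path>#<key>" into its parts, rejecting malformed input."""
    if ref.count("#") != 1:
        raise ValueError(f"expected exactly one '#' between path and key: {ref!r}")
    full_path, key = ref.split("#")
    if not key:
        raise ValueError(f"missing key after '#': {ref!r}")
    engine, sep, path = full_path.partition("/data/")
    if not sep or not engine or not path:
        raise ValueError(f"path must be <engine>/data/<path>: {full_path!r}")
    return SecretRef(engine, path, key)


def resolve_token(ref: str, kv_response: dict) -> str:
    """Pull the token out of a KV v2 read response for the given reference.

    KV v2 nests the stored pairs as {"data": {"data": {...}, "metadata": {...}}}.
    """
    parsed = parse_secret_ref(ref)
    try:
        secret_data = kv_response["data"]["data"]
    except (KeyError, TypeError):
        raise LookupError(f"response for {parsed.api_path()} is not a KV v2 read")
    if parsed.key not in secret_data:
        raise LookupError(f"key {parsed.key!r} not at {parsed.api_path()}; "
                          f"available keys: {sorted(secret_data)}")
    return secret_data[parsed.key]


# Constructed sample of a KV v2 read of secret/data/test; the value is a placeholder.
SAMPLE_KV_RESPONSE = {
    "data": {"data": {"testkey": "EXAMPLE-TOKEN-VALUE"}, "metadata": {"version": 1}}
}

if __name__ == "__main__":
    print(resolve_token("secret/data/test#testkey", SAMPLE_KV_RESPONSE))
```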