API Connect

 View Only
Expand all | Collapse all

IBM APIC Connect v10 - Invoke Policy Setting Password field via context variable

  • 1.  IBM APIC Connect v10 - Invoke Policy Setting Password field via context variable

    Posted Fri June 24, 2022 08:49 AM
    The Invoke policy provides 2 fields to create a basic authorization headers if filled in: Username and Password.  Since we cannot type in the credentials and store the OpenAPI specification in Git, we are looking at ways to programmatically set the username and password at runtime from context variables.

    Issue that I am finding is that the username field can be set via a context variable, but not the password field.  Is there some undocumented way to perform this operation or is this a defect in the product?

    Invoke Policy:
    - invoke:
    version: 2.1.0
    title: invoke - Request Bin
    backend-type: detect
    header-control:
    type: blocklist
    values: []
    parameter-control:
    type: allowlist
    values: []
    timeout: 60
    verb: keep
    use-http-10: false
    chunked-uploads: true
    cache-response: protocol
    cache-ttl: 900
    stop-on-error: []
    target-url: 'https://xxxx.pipedream.net'
    username: $(hig.secrets.username)
    password: $(hig.secrets.password)

    Context Variables Set:


    Basic Auth Header Generated:

    bXktYmFzaWMtYXV0aC1pZDokKGhpZy5zZWNyZXRzLnBhc3N3b3JkKQ==

    decoded: my-basic-auth-id:$(hig.secrets.password)

    The username context variable was converted to its policy by the Invoke policy, but not the password field.





    ------------------------------
    Steve Ruscik
    ------------------------------


  • 2.  RE: IBM APIC Connect v10 - Invoke Policy Setting Password field via context variable
    Best Answer

    IBM Champion
    Posted Mon June 27, 2022 02:17 PM
    Edited by Jina K Tue August 30, 2022 11:04 AM
    Hi @Steve Ruscik -
    I am not sure if there is a way to perform this using a context variable within the password field. I will let others chime in.

    There are two other ways this can be done:

    1. Using your CICD pipeline (script), directly inject the username/password value within your YAML under the invoke section. For example, on every change in environment, your pipeline can fetch the value from your vault and update your API YAML before deployment. This way, your credentials are not stored in GIT nor is it accessible to anyone who does not have access to the higher environments. - Recommend approach
    2. Using a Set-Variable/GS directly add an Authorization Header (message.headers.Authorization) before your Invoke policy, and keep the values in your invoke empty. Your backend will still receive the Authorization Header from your message header context.
    ​​


  • 3.  RE: IBM APIC Connect v10 - Invoke Policy Setting Password field via context variable

    Posted Thu July 07, 2022 10:05 AM

    Hi Steve,
    There is an APAR in process for this which will be available in a subsequent fix pack.  Stay tuned :-) 

    Regards,

    Steve Linn



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------

    Original Message