Credential Injector

The credential injector HTTP filter injects credentials into outgoing HTTP requests.

The credentials are either retrieved from the filter configuration or fetched from a remote source such as an OAuth2 authorization server. They are then injected into the Authorization header of the proxied HTTP requests, using either the Basic or the Bearer scheme.

Notice: This filter is intended for workload authentication, which means that the identity associated with the inserted credential is treated as the identity of the workload behind the Envoy proxy (in this case, Envoy is typically deployed as a sidecar alongside that workload).

Note

This filter does not handle end user authentication.

The purpose of the filter is solely to authenticate the workload itself.

Configuration

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector.

  • v3 API reference

Currently the filter supports only the Generic credential type. Other credential types can be supported as extensions.

Here is an example configuration with the Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.

          http_filters:
          - name: envoy.filters.http.credential_injector
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
              allow_request_without_credential: true
              overwrite: true
              credential:
                name: envoy.http.injected_credentials.generic
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
                  credential:
                    name: credential
                    sds_config:
                      path_config_source:

credential.yaml for Basic Auth:

resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
  name: credential
  generic_secret:
    secret:
      inline_string: "Basic base64EncodedUsernamePassword"

It can also be configured to inject a Bearer token into the proxied requests.

credential.yaml for Bearer Token:

resources:
- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
  name: credential
  generic_secret:
    secret:
      inline_string: "Bearer myToken"

Statistics

The HTTP credential injector filter outputs statistics in the http.<stat_prefix>.credential_injector. namespace.

Name            Type     Description
injected        Counter  Total number of requests with injected credentials
failed          Counter  Total number of requests that failed to inject credentials
already_exists  Counter  Total number of requests that already had credentials and overwrite is false
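
The counters above are the place to watch when allow_request_without_credential is true, as in the example configuration: with that setting a request whose injection fails is sent upstream without a credential instead of being answered with 401. The following check is an added example, not part of the Envoy project; it assumes the "name: value" text format of Envoy's admin /stats output, and the stat prefixes and sample values are constructed for illustration.

```python
import re

# One line of Envoy admin /stats text output for this filter, for example
# "http.egress_http.credential_injector.failed: 4".
STAT_RE = re.compile(
    r"^http\.(?P<prefix>.+)\.credential_injector\."
    r"(?P<counter>injected|failed|already_exists):\s*(?P<value>\d+)$"
)

# Constructed sample; the stat prefixes are hypothetical.
SAMPLE_STATS = """\
http.egress_http.credential_injector.injected: 1520
http.egress_http.credential_injector.failed: 4
http.egress_http.credential_injector.already_exists: 0
http.egress_http.downstream_rq_total: 1524
http.egress_legacy.credential_injector.injected: 0
http.egress_legacy.credential_injector.failed: 0
http.egress_legacy.credential_injector.already_exists: 7
"""

def parse_injector_stats(stats_text):
    """Return {stat_prefix: {counter_name: value}} for the three counters."""
    stats = {}
    for line in stats_text.splitlines():
        m = STAT_RE.match(line.strip())
        if m is None:
            continue  # some other stat, or not a counter line
        counters = stats.setdefault(
            m["prefix"], {"injected": 0, "failed": 0, "already_exists": 0})
        counters[m["counter"]] = int(m["value"])
    return stats

def findings(stats, allow_request_without_credential):
    """List (stat_prefix, counter, value, meaning) for counters needing review."""
    out = []
    for prefix, c in sorted(stats.items()):
        if c["failed"]:
            meaning = ("sent upstream without a credential"
                       if allow_request_without_credential
                       else "rejected with 401 by the filter")
            out.append((prefix, "failed", c["failed"], meaning))
        if c["already_exists"]:
            out.append((prefix, "already_exists", c["already_exists"],
                        "existing credential kept, overwrite is false"))
    return out

if __name__ == "__main__":
    for finding in findings(parse_injector_stats(SAMPLE_STATS), True):
        print(finding)
```

A non-zero already_exists counter means the workload or an earlier filter is setting its own Authorization header, so the upstream sees that credential rather than the injected workload identity.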