Credential injector

The credential injector HTTP filter serves the purpose of injecting credentials into outgoing HTTP requests.

Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential is considered as the identity of the workload behind the Envoy proxy (in this case, Envoy is typically deployed as a sidecar alongside that workload).

Note: This filter does not handle end-user authentication. Its purpose is solely to authenticate the workload itself.

Configuration

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector.

  • v3 API reference

The filter is configured with one of the supported credential extensions listed below. The extension is responsible for fetching the credential from its source; the filter then injects the credential it obtains into the Authorization header of the proxied HTTP requests, using either the Basic or the Bearer scheme.

Generic credential injector

  • This extension should be configured with the type URL type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic.

  • generic

Here is an example configuration with the Generic credential extension, which injects an HTTP Basic Auth credential into the proxied requests:

  - name: envoy.filters.http.credential_injector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
      allow_request_without_credential: true
      overwrite: true
      credential:
        name: envoy.http.injected_credentials.generic
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
          credential:
            name: credential

The secret named credential, referenced above, which holds the Basic Auth credential injected into the proxied requests:

  - name: credential
    generic_secret:
      secret:
        inline_string: "Basic base64EncodedUsernamePassword"

The same extension can also inject a Bearer token into the proxied requests. The secret for a Bearer token:

  - name: credential-bearer
    generic_secret:
      secret:
        inline_string: "Bearer myToken"

OAuth2 credential injector (client credentials grant)

  • This extension should be configured with the type URL type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2.

  • oauth2 client credentials grant

Here is an example configuration with the OAuth2 client credentials injector, which obtains an OAuth2 access token from the token endpoint and injects it into the proxied requests:

  - name: envoy.filters.http.credential_injector
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.credential_injector.v3.CredentialInjector
      credential:
        name: envoy.http.injected_credentials.oauth2
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.oauth2.v3.OAuth2
          token_endpoint:
            cluster: okta.ad
            timeout: 3s
            uri: "https://dev-1178504991.okta.com/oauth2/default/v1/token"
          client_credentials:
            client_id: some-client-id
            client_secret:
              name: client-secret

Statistics

The HTTP credential injector filter outputs statistics in the http.<stat_prefix>.credential_injector. namespace.

Name            Type     Description
injected        Counter  Total number of requests with injected credentials
failed          Counter  Total number of requests that failed to inject credentials
already_exists  Counter  Total number of requests that already had credentials and overwrite is false
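The per-request decision behind the three counters above and the overwrite / allow_request_without_credential settings of the Generic example, modelled in Python as an added example; this is not Envoy's code. It assumes the credential extension hands back the complete Authorization value from its secret (the fetch_credential callable stands in for that), that an existing Authorization header is left untouched when overwrite is false, and that a request which cannot be given a credential is rejected with a 401 local reply unless allow_request_without_credential is true. make_basic_credential shows how the base64EncodedUsernamePassword placeholder in the sample secret is actually built (RFC 7617: base64 of "username:password").

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


def make_basic_credential(username: str, password: str) -> str:
    """Build the value the Generic extension's secret must hold for HTTP Basic
    auth: "Basic " + base64("username:password"), per RFC 7617."""
    pair = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(pair).decode("ascii")


@dataclass
class InjectorStats:
    # Mirrors the http.<stat_prefix>.credential_injector.* counters.
    injected: int = 0
    failed: int = 0
    already_exists: int = 0


@dataclass
class CredentialInjectorModel:
    # fetch_credential stands in for a credential extension (assumption): it
    # returns the full Authorization value, or None when the secret is unavailable.
    fetch_credential: Callable[[], Optional[str]]
    overwrite: bool = False
    allow_request_without_credential: bool = False
    stats: InjectorStats = field(default_factory=InjectorStats)

    def process(self, headers: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
        """Return ("forward", upstream_headers) or ("reject", headers).

        "reject" models the 401 Unauthorized local reply (assumption)."""
        out = dict(headers)
        # Header names are case-insensitive; find whatever spelling the caller used.
        existing = next((k for k in out if k.lower() == "authorization"), None)
        if existing is not None and not self.overwrite:
            # The caller supplied its own credential and we must not clobber it.
            self.stats.already_exists += 1
            return "forward", out
        credential = self.fetch_credential()
        if credential is None:
            self.stats.failed += 1
            if self.allow_request_without_credential:
                return "forward", out
            return "reject", out
        if existing is not None:
            del out[existing]
        out["authorization"] = credential
        self.stats.injected += 1
        return "forward", out


if __name__ == "__main__":
    # Constructed sample requests, matching the Generic example's settings.
    injector = CredentialInjectorModel(
        fetch_credential=lambda: make_basic_credential("user", "password"),
        overwrite=True, allow_request_without_credential=True)
    for req in ({":path": "/a"}, {":path": "/b", "Authorization": "Bearer caller-token"}):
        print(injector.process(req))
    print(injector.stats)
```

With overwrite: true, as in the sample, the second request's caller-supplied Bearer token is replaced by the workload credential and counted under injected; with overwrite: false it would pass through unchanged and be counted under already_exists, which is the counter to watch if clients are unexpectedly reaching upstream with their own credentials.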

The OAuth2 client credentials injector extension also emits its own statistics in the http.<stat_prefix>.credential_injector.oauth2. namespace.

Name                                     Type     Description
token_requested                          Counter  Total number of token requests sent to the OAuth2 server
token_fetched                            Counter  Total number of successful token fetches from the OAuth2 server
token_fetch_failed_on_client_secret      Counter  Total number of times a token request was not sent because the client secret was missing
token_fetch_failed_on_cluster_not_found  Counter  Total number of times a token request was not sent because the OAuth2 server cluster was missing
token_fetch_failed_on_bad_response_code  Counter  Total number of times the OAuth2 server responded with a non-200 response code
token_fetch_failed_on_bad_token          Counter  Total number of times the OAuth2 server responded with a bad token
token_fetch_failed_on_stream_reset       Counter  Total number of times the HTTP stream to the OAuth2 server was reset
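The token exchange behind the OAuth2 example configuration, together with the counters above that a client-side model can reproduce, written in Python as an added example; this is not Envoy's code. It assumes the standard client credentials grant of RFC 6749 section 4.4 with the client secret sent in the form body (the page does not say which client authentication method the extension uses; section 2.3.1 also permits HTTP Basic), that the token is cached until expires_in elapses, and that the token endpoint is a constructed stand-in (make_fake_token_endpoint) rather than the Okta URI in the sample. The cluster-not-found and stream-reset counters are transport-level and are not modelled.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# (uri, headers, body) -> (status, response_body); stands in for the HTTP
# request sent to the token_endpoint cluster (assumption).
HttpSend = Callable[[str, Dict[str, str], str], Tuple[int, str]]


@dataclass
class OAuth2Stats:
    # Mirrors the http.<stat_prefix>.credential_injector.oauth2.* counters a
    # client-side model can reproduce.
    token_requested: int = 0
    token_fetched: int = 0
    token_fetch_failed_on_client_secret: int = 0
    token_fetch_failed_on_bad_response_code: int = 0
    token_fetch_failed_on_bad_token: int = 0


@dataclass
class ClientCredentialsFetcher:
    token_uri: str
    client_id: str
    client_secret: Optional[str]  # None models a client secret that was never delivered
    send: HttpSend
    stats: OAuth2Stats = field(default_factory=OAuth2Stats)
    cached_token: Optional[str] = field(default=None, init=False)
    expires_at: float = field(default=0.0, init=False)

    def authorization_value(self, now: float) -> Optional[str]:
        """Return "Bearer <token>" for the Authorization header, requesting a new
        token only when no unexpired cached one exists; None on failure."""
        if self.cached_token is not None and now < self.expires_at:
            return f"Bearer {self.cached_token}"
        if not self.client_secret:
            self.stats.token_fetch_failed_on_client_secret += 1
            return None
        # RFC 6749 section 4.4.2 token request, client secret in the form body.
        body = urlencode({"grant_type": "client_credentials",
                          "client_id": self.client_id,
                          "client_secret": self.client_secret})
        self.stats.token_requested += 1
        status, resp = self.send(
            self.token_uri, {"content-type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            self.stats.token_fetch_failed_on_bad_response_code += 1
            return None
        try:
            data = json.loads(resp)
        except ValueError:
            data = {}
        token = data.get("access_token") if isinstance(data, dict) else None
        expires_in = data.get("expires_in") if isinstance(data, dict) else None
        # A 200 whose body is not a usable bearer token counts as a bad token.
        if (not isinstance(token, str) or not token
                or str(data.get("token_type", "")).lower() != "bearer"
                or not isinstance(expires_in, (int, float)) or expires_in <= 0):
            self.stats.token_fetch_failed_on_bad_token += 1
            return None
        self.stats.token_fetched += 1
        self.cached_token = token
        self.expires_at = now + float(expires_in)
        return f"Bearer {token}"


def make_fake_token_endpoint(expected_secret: str,
                             success_body: Optional[str] = None) -> HttpSend:
    """Constructed stand-in for the token endpoint: checks the client secret in
    the form body and answers like an RFC 6749 section 5.1 token response."""
    def send(uri: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        form = dict(parse_qsl(body))
        if (form.get("grant_type") != "client_credentials"
                or form.get("client_secret") != expected_secret):
            return 401, json.dumps({"error": "invalid_client"})  # section 5.2
        if success_body is not None:
            return 200, success_body
        return 200, json.dumps({"access_token": "tok-" + form.get("client_id", ""),
                                "token_type": "Bearer", "expires_in": 60})
    return send


if __name__ == "__main__":
    fetcher = ClientCredentialsFetcher("https://issuer.example/token", "some-client-id",
                                       "s3cret", make_fake_token_endpoint("s3cret"))
    for t in (0.0, 30.0, 100.0):  # constructed clock values, in seconds
        print(t, fetcher.authorization_value(now=t))
    print(fetcher.stats)
```

Reading the counters together tells the failure apart: a rising token_fetch_failed_on_client_secret with token_requested flat means the secret never arrived at the proxy, token_fetch_failed_on_bad_response_code means the server rejected the client (a rotated or wrong secret is the usual cause), and token_fetch_failed_on_bad_token means the server answered 200 with a body the injector could not use.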