Introduction
The Keymaker service provides a credential management tool for VeriSaaS users. It lets users perform the following tasks:
- Check and rotate (create new ones and delete old ones) their API keys
- Check and modify the allowed source IP list from which the service can be consumed
- Retrieve more information about the cloud account, specifically the cloud-account-id
API key credentials
VeriSaaS API consumers are authenticated using API Key credentials issued by Veridas; the key must be sent as a header in every request in order to consume the services' functionality.
Keymaker allows the users of these services to create new API Key credentials and to revoke API Keys that are no longer needed. To do so, requests have to be made to the Keymaker service, providing the information for the API key that the user wants to register or remove.
Rotating the API Keys on a regular basis is a good security practice. It is recommended to re-create/rotate them at least once per year.
To keep your API keys secure, try to follow these best practices:
- Do not embed API keys directly in the code of your frontend application
- Delete unused API keys
- Rotate your API keys periodically
- Rotate API keys which may be potentially compromised
- Do not store API keys in any source control repository
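The following is an added example, not code from this page or from the Keymaker service. It models the rotation practices above (rotate at least once per year, delete unused keys, create the new key before revoking the old one) against an in-memory key inventory. The `KeyStore` class, the key ids, the 90-day idle threshold and the sample dates are assumptions made for the example; Keymaker's real API is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_KEY_AGE = timedelta(days=365)  # page recommendation: rotate at least once per year
IDLE_LIMIT = timedelta(days=90)    # assumed threshold for treating a key as "unused"


@dataclass
class ApiKey:
    key_id: str
    created_at: datetime
    last_used_at: Optional[datetime] = None
    revoked: bool = False


class KeyStore:
    """In-memory stand-in for the key inventory Keymaker manages (assumed model)."""

    def __init__(self):
        self.keys = {}  # key_id -> ApiKey, in creation order
        self._counter = 0

    def create(self, now):
        self._counter += 1
        key = ApiKey(f"key-{self._counter:03d}", created_at=now)
        self.keys[key.key_id] = key
        return key

    def revoke(self, key_id):
        self.keys[key_id].revoked = True

    def active(self):
        return [k for k in self.keys.values() if not k.revoked]


def audit_keys(keys, now, max_age=MAX_KEY_AGE, idle_limit=IDLE_LIMIT):
    """Flag active keys that are due for rotation (too old) or look unused (idle)."""
    findings = {"rotate": [], "delete_unused": []}
    for k in keys:
        if k.revoked:
            continue
        if now - k.created_at >= max_age:
            findings["rotate"].append(k.key_id)
        last_seen = k.last_used_at or k.created_at
        if now - last_seen >= idle_limit:
            findings["delete_unused"].append(k.key_id)
    return findings


def begin_rotation(store, now):
    """Step 1: create the replacement key while the old one still works."""
    return store.create(now)


def finish_rotation(store, old_key_id, new_key_id):
    """Step 2: revoke the old key only once the new key has been seen in use,
    so clients are never left without a valid credential. Returns True if revoked."""
    new_key = store.keys[new_key_id]
    if new_key.revoked or new_key.last_used_at is None:
        return False
    store.revoke(old_key_id)
    return True


if __name__ == "__main__":
    # Constructed sample inventory: one old but active key, one never-used key.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    store = KeyStore()
    old = store.create(now - timedelta(days=400))
    old.last_used_at = now - timedelta(days=1)
    store.create(now - timedelta(days=100))
    print(audit_keys(store.active(), now))
    new = begin_rotation(store, now)
    print("revoked early?", finish_rotation(store, old.key_id, new.key_id))
    new.last_used_at = now  # client has switched to the new key
    print("revoked after switch?", finish_rotation(store, old.key_id, new.key_id))
```

The two-step rotation is the point of the example: a key that is deleted before its replacement is deployed breaks every caller, so revocation is gated on evidence that the new key is already in use.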
IP Source Allow List
Another security mechanism implemented in VeriSaaS is IP access restriction.
All requests coming from an unregistered source IP are automatically rejected by VeriSaaS with an HTTP 403 response, so the IP source allow list must contain at least one IP.
Keymaker allows you to manage that list for every service independently.
Some best practices for maintaining the IP source allow list are the following:
- Review periodically which IPs are configured
- Delete unused/unnecessary IPs
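As an added illustration (not code from this page or from VeriSaaS), the block below shows the allow-list behaviour described above from the enforcing side and adds the two review checks the best practices call for: the lookup that answers 403 for an unregistered source IP, a guard that refuses an empty list, a report of entries that are broader than they need to be, and a report of entries that no recent request actually matched. The CIDR support, the 256-host threshold, the sample allow list and the sample source IPs are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample allow list: one single host and one /24 range.
SAMPLE_ALLOW_LIST = ["203.0.113.10", "198.51.100.0/24"]
# Constructed sample of source IPs seen in recent access logs.
SAMPLE_SOURCE_IPS = ["203.0.113.10", "203.0.113.10", "192.0.2.5"]


def parse_allow_list(entries):
    """Turn allow-list strings into network objects; a bare IP becomes a single-host network."""
    networks = [ipaddress.ip_network(e, strict=False) for e in entries]
    if not networks:
        raise ValueError("allow list must contain at least one IP")
    return networks


def is_allowed(src_ip, networks):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def check_request(src_ip, networks):
    """HTTP status the service would answer: 403 for an unregistered source IP, else 200."""
    return 200 if is_allowed(src_ip, networks) else 403


def overly_broad(networks, max_hosts=256):
    """Entries that admit more than max_hosts addresses; review whether that is intended."""
    return [str(n) for n in networks if n.num_addresses > max_hosts]


def unused_entries(networks, seen_source_ips):
    """Entries that no observed source IP matched; candidates for deletion."""
    hits = Counter()
    for ip in seen_source_ips:
        addr = ipaddress.ip_address(ip)
        for net in networks:
            if addr in net:
                hits[net] += 1
    return [str(n) for n in networks if hits[n] == 0]


if __name__ == "__main__":
    nets = parse_allow_list(SAMPLE_ALLOW_LIST)
    for ip in SAMPLE_SOURCE_IPS:
        print(ip, "->", check_request(ip, nets))
    print("overly broad:", overly_broad(parse_allow_list(["10.0.0.0/8", "203.0.113.1"])))
    print("unused entries:", unused_entries(nets, SAMPLE_SOURCE_IPS))
```

Running `unused_entries` against real access logs is a simple way to act on the "delete unused IPs" recommendation: an entry that has matched no request over the review window is usually safe to remove.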