API Keys

Overview

API keys (Application Programming Interface keys) are alphanumeric secrets used to authenticate to, and control access to, web services and their APIs. In Anchore Enterprise an API key identifies the user or application on whose behalf a request is made, so that authorized clients can interact with the API while unauthorized callers are rejected. Like any credential, an API key must be protected: whoever holds the key value can act with the permissions of the user it was issued to.

Generating API Keys

A system user can generate API keys for their own use. Users holding certain RBAC roles (e.g. account-user-admin) can additionally manage API keys for other system users. For details on generating and managing API keys, please refer to this section: Generating API keys

Generating API keys as a SAML (SSO) user

API keys for SAML (SSO) users are disabled by default. To enable API keys for SAML users, please update your helm chart values file with the following:

anchoreConfig:
  user_authentication:
    allow_api_keys_for_saml_users: true

API keys are an additional authentication mechanism for SAML (SSO) users that bypasses the authentication controls of the IdP. Revoking a user's access at the IdP does not automatically disable the Anchore user or revoke that user's API keys; existing keys keep working until they expire or are revoked in Anchore Enterprise, so deprovisioning a SAML user must include revoking their keys.

Using API Keys

API keys are presented using HTTP basic auth. The username is the fixed string _api_key and the password is the key value that was output when the API key was created.

e.g.

curl -u '_api_key:<API key value>' http://localhost:8228/v2/images

With AnchoreCTL:

export ANCHORECTL_USERNAME="_api_key"
export ANCHORECTL_PASSWORD="<API key value>"

Optional Configuration for API Keys

The following configuration options can be used to alter system behaviour for key provisioning, management and cleanup.

Maximum Duration for API Keys

The maximum API key validity period can be configured at the system level using the user_authentication.max_api_key_age_days configuration option. The default value is 365 days; keys cannot be issued with a lifetime longer than this.

Maximum Number of API Keys

The maximum number of API keys per user can also be configured at the system level using the user_authentication.max_api_keys_per_user configuration option. The default is 100. This count includes Active, Expired and Revoked keys, so expired or revoked keys still occupy a slot until they are cleaned up.

SAML User API Key Provisioning

If you wish to enable SAML users to provision API keys, set the user_authentication.allow_api_keys_for_saml_users configuration option to true (it is false by default).

Caveats for API keys

API keys inherit the permissions and roles of the user they were generated for, but the following operations cannot be performed with an API key regardless of which user it was generated for:

  • You cannot Add/Edit/Remove Users and Credentials.
  • You cannot Add/Edit/Revoke API Keys.
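The following is an added example, not code from Anchore Enterprise or this documentation. It models, in one runnable script, the rules described under Using API Keys, Optional Configuration for API Keys and Caveats for API keys: the _api_key basic-auth convention, the max_api_key_age_days and max_api_keys_per_user limits, the SAML gate, and the management operations an API key can never perform. The endpoint paths in API_KEY_DENIED and the sample keys are constructed assumptions for illustration only; confirm the real routes against the Anchore Enterprise API reference.

```python
"""Added example (not Anchore's own code): an offline model of the API-key
rules on this page. API_KEY_DENIED paths and sample_keys() are ASSUMED data."""
import base64
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

API_KEY_USERNAME = "_api_key"           # fixed basic-auth username from the page
MAX_API_KEY_AGE_DAYS = 365              # user_authentication.max_api_key_age_days default
MAX_API_KEYS_PER_USER = 100             # user_authentication.max_api_keys_per_user default
ALLOW_API_KEYS_FOR_SAML_USERS = False   # user_authentication.allow_api_keys_for_saml_users default
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Management operations denied to API keys whatever the owner's RBAC role.
# These paths are assumed for illustration; they are not taken from the page.
API_KEY_DENIED = [
    re.compile(r"^/v2/accounts/[^/]+/users(/|$)"),         # users, their credentials, their keys
    re.compile(r"^/v2/user/(credentials|api-keys)(/|$)"),  # the caller's own credentials/keys
]


def api_key_auth_header(api_key: str) -> str:
    """Authorization header value equivalent to: curl -u '_api_key:<key>'."""
    token = base64.b64encode(f"{API_KEY_USERNAME}:{api_key}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(header: str) -> tuple[str, str]:
    """Decode a Basic header to (username, password); split on the first ':' only."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    user, sep, secret = base64.b64decode(token).decode().partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return user, secret


@dataclass
class ApiKey:
    owner: str
    owner_is_saml: bool
    expires_at: datetime
    revoked: bool = False


def validate_lifetime(days: int, max_age_days: int = MAX_API_KEY_AGE_DAYS) -> int:
    """Reject requested key lifetimes outside 1..max_api_key_age_days."""
    if not 1 <= days <= max_age_days:
        raise ValueError(f"lifetime {days}d outside 1..{max_age_days} days")
    return days


def can_create_key(owner: str, keys: dict[str, ApiKey], max_keys: int = MAX_API_KEYS_PER_USER) -> bool:
    """Per-user cap: Active, Expired and Revoked keys all count toward the limit."""
    return sum(1 for k in keys.values() if k.owner == owner) < max_keys


def revoke_all_keys(owner: str, keys: dict[str, ApiKey]) -> int:
    """Manual step when an IdP deprovisions a SAML user (IdP revocation does not
    touch existing keys). Returns the number of keys newly revoked."""
    hit = [k for k in keys.values() if k.owner == owner and not k.revoked]
    for k in hit:
        k.revoked = True
    return len(hit)


def authorize(header: str, method: str, path: str, keys: dict[str, ApiKey],
              now: datetime, allow_saml: bool = ALLOW_API_KEYS_FOR_SAML_USERS) -> str:
    """Return 'allow' or a 'deny: ...' reason. Password basic auth (username other
    than _api_key) falls through to ordinary RBAC, which is not modelled here."""
    user, secret = parse_basic_auth(header)
    if user != API_KEY_USERNAME:
        return "allow"
    key = keys.get(secret)
    if key is None:
        return "deny: unknown API key"
    if key.revoked:
        return "deny: API key revoked"
    if now >= key.expires_at:
        return "deny: API key expired"
    if key.owner_is_saml and not allow_saml:
        return "deny: API keys for SAML users are disabled"
    if method.upper() in MUTATING and any(p.match(path) for p in API_KEY_DENIED):
        return "deny: user, credential and API-key management need password auth"
    return "allow"


NOW = datetime(2026, 2, 18, tzinfo=timezone.utc)  # fixed clock for the constructed data


def sample_keys() -> dict[str, ApiKey]:
    """Constructed sample keys (not real credentials), keyed by key value."""
    day = timedelta(days=1)
    return {
        "live-local": ApiKey("alice", False, NOW + 355 * day),
        "old-local": ApiKey("alice", False, NOW - 35 * day),            # expired
        "revoked": ApiKey("alice", False, NOW + 360 * day, revoked=True),
        "live-saml": ApiKey("bob", True, NOW + 364 * day),
    }


if __name__ == "__main__":
    keys, hdr = sample_keys(), api_key_auth_header("live-local")
    print(authorize(hdr, "GET", "/v2/images", keys, NOW))
    print(authorize(hdr, "POST", "/v2/user/api-keys", keys, NOW))
    print(authorize(api_key_auth_header("live-saml"), "GET", "/v2/images", keys, NOW))
    print("bob keys revoked:", revoke_all_keys("bob", keys))
```

Two design points worth noting: the deny list only applies to mutating methods, because the caveat is about adding, editing, removing and revoking, not about reading; and can_create_key deliberately counts expired and revoked keys, which is the behaviour the page describes for max_api_keys_per_user.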
Last modified February 18, 2026