Skip to main content

Security Macros

Early Access

This feature is currently in Early Access. Log into the ngrok dashboard to request access.

Security Macros allow you to access sensitive information directly in your Traffic Policies. Your ngrok account has a Vault that can store Secrets. Any secrets that you add to your vault will be available across your account on all traffic policies. Updates to these secrets will be reflected across all traffic policies automatically.

How secrets are secured

  • Secrets are protected at rest using industry standard AES-256 encryption
  • ngrok's REST API does not return secrets as part of any of its response payloads
  • REST API traffic is encrypted in-transit using HTTP/S and TLS 1.2+

Get started

This section will walk you through creating a vault and secret. This example uses the ngrok CLI's api command, but you can also use the REST API directly. .

Loading…

You should get a response similar to the following:

Loading…

Then, create your secret, using the id from the response as the --vault-id:

Loading…

Then, you could use the secret in a Traffic Policy like this:

Loading…

Using secrets in you Kubernetes deployment

Vaults and secrets can be used in traffic policies in conjunction with Kubernetes Operator. Vaults and Secrets must be created using the ngrok API (either through REST or via the CLI).

You can use your secrets with your Kubernetes deployment via Traffic Policy. See the Kubernetes Operator quickstart to learn more.

Macros

secret(string, string) -> string

Takes the vault name as the first argument and the secret name as the second argument. Returns the secret value.

Example

Loading…

Supported Traffic Policy Actions

  • set-vars
    • CEL is supported in the following fields:
      • vars
  • verify-webhook
    • CEL is supported in the following fields:
      • secret
  • basic-auth
    • CEL is supported in the following fields:
      • credentials
  • jwt-validation
    • CEL is supported in the following fields:
      • issuer.allow_list[*].value
      • http.tokens[*].name
      • http.tokens[*].prefix
      • jws.keys[*].sources[*].additional_jkus

Pricing and limits

PlanVault LimitSecret Limit (across all vaults)Notes
Free55All values are fixed. If you need more vaults/secrets, move to Personal or Paygo.
Pro525All values are fixed. If you need more vaults/secrets, move to Paygo.
Business5 (default limit)500 (default limit)Contact us if you need more vaults/secrets than default limits.

If you want to increase these limits, contact us.