Configuring & Using the Gateway Cache

Gateway Cache Overview

When caching is enabled, it works for all types of secrets (static, rotated, dynamic).

The most straightforward use cases are the following:

  • The Akeyless RESTful API uses the Gateway Cache to improve performance when fetching static secrets.
  • The Proactive Cache feature enables storing all types of secrets in the Gateway Cache for use when communication between the Gateway and the Akeyless Cloud is limited (e.g., during a power cycle or network outage or when the Internet is down).

Every call to a secret-fetching API endpoint (get-secret-value, get-dynamic-secret-value, or get-rotated-secret-value) uses the cache as follows:

  1. Static and Rotated secrets
     • If the secret is in the cache, it is returned in the response.
     • If the secret is not in the cache, it is fetched from the Akeyless Cloud or the local Gateway if the Akeyless Cloud is unavailable. Its value is then saved to the cache.
  2. Dynamic secrets
     • If permissions to use the dynamic secret are in the cache, the secret is generated on the local Gateway and returned in the response.
     • If no such permissions are saved in the cache, they are fetched from the Akeyless Cloud or the local Gateway if the Akeyless Cloud is unavailable, and then the dynamic secret is generated. Permissions are then saved to the cache.

NOTE: A maximum of 50,000 secrets can be stored in the Gateway Cache at the same time.

IMPORTANT: Usually, after the “Stale Timeout” period expires for a secret, the secret is deleted from the Gateway Cache. However, when Proactive Caching is enabled and there is no internet connection, the Gateway Cache won’t delete old items until the internet connection is restored.

Configure the Gateway Cache

To enable and configure the Gateway Cache:

  1. Open the Akeyless Gateway Configuration Manager at http://Your-Akeyless-Gateway-URL:8000.
  2. On the menu bar at the left, click Caching.
  3. Select the Enable Cache checkbox.
  4. Set the Stale Timeout parameter value. This is the time (in minutes) during which a secret should be kept in the cache. The secret is deleted from the cache at the end of this period. By default, cached secrets will expire after 60 minutes.
  5. Set the Minimum Fetching Interval parameter value. This parameter instructs the system to update secrets in the cache if they are older than the specified value. By default, each secret kept in the cache for more than 5 minutes will be re-requested from the Akeyless Cloud or the local Gateway.
  6. Click Save Changes.
Enabling and Configuring the Gateway Cache
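
How Stale Timeout, Minimum Fetching Interval and Proactive Caching interact for a static or rotated secret, as an added Python model that is not Akeyless code. The class name, the source labels, the constructed timeline, and the fallback to the cached copy when a refresh is attempted offline are assumptions of this example; times are plain numbers in minutes.

```python
from dataclasses import dataclass, field

@dataclass
class GatewayCacheModel:
    """Simplified model of the rules described on this page (not Akeyless code)."""
    stale_timeout: float = 60        # minutes, default from the page
    min_fetch_interval: float = 5    # minutes, default from the page
    proactive: bool = False          # Proactive Caching enabled?
    entries: dict = field(default_factory=dict)  # name -> (value, fetched_at)

    def get(self, name, now, cloud):
        """Return (value, source). `cloud` is a dict of current values,
        or None when the Akeyless Cloud is unreachable."""
        online = cloud is not None
        entry = self.entries.get(name)
        # Stale Timeout: drop expired entries, except while Proactive
        # Caching is on and there is no connection.
        if entry and now - entry[1] > self.stale_timeout:
            if online or not self.proactive:
                del self.entries[name]
                entry = None
        # Not older than the Minimum Fetching Interval: served as-is,
        # even if the value has changed upstream in the meantime.
        if entry and now - entry[1] <= self.min_fetch_interval:
            return entry[0], "cache"
        if online:
            self.entries[name] = (cloud[name], now)
            return cloud[name], "cloud"
        if entry:  # assumption: an offline refresh falls back to the cached copy
            return entry[0], "cache-offline"
        raise LookupError(f"{name}: not cached and cloud unreachable")

def demo(proactive):
    """Constructed timeline: value changes upstream at t=1, outage at t=90."""
    cache, out = GatewayCacheModel(proactive=proactive), []
    out.append(cache.get("db-pass", 0, {"db-pass": "v1"}))
    out.append(cache.get("db-pass", 3, {"db-pass": "v2"}))  # still within 5 min
    out.append(cache.get("db-pass", 6, {"db-pass": "v2"}))  # refreshed
    try:
        out.append(cache.get("db-pass", 90, None))          # outage, entry > 60 min old
    except LookupError:
        out.append((None, "unavailable"))
    return out

if __name__ == "__main__":
    for flag in (False, True):
        print(f"proactive={flag}:", demo(flag))
```

In this model the read at minute 3 still returns the old value, so the Minimum Fetching Interval bounds how long a changed or rotated value can keep being served while the Gateway is online; during an outage with Proactive Caching enabled that bound no longer applies.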

Configure the Proactive Cache

The Proactive Cache fetches from the Akeyless Cloud and stores in the Gateway Cache all secrets for an Authentication Method (based on the access policy set up for this Authentication Method). For backup purposes, all those secrets are also saved in an encrypted storage file (~/tmp/cache.dat).

Consider a situation in which the Gateway instance is down and needs to be restarted. The cache is held in memory, so after the container restarts, the memory is empty. Instead of fetching all the secrets again from the Akeyless Cloud (which might be impossible at that moment), the Gateway loads the backed-up secrets from the storage file into the in-memory cache.

To enable and configure the Proactive Cache:

  1. Open the Akeyless Gateway Configuration Manager at http://Your-Akeyless-Gateway-URL:8000.
  2. On the menu bar at the left, click Caching.
  3. Select the Enable Proactive Caching checkbox.
  4. Set the Secure Backup Interval parameter value. This is the time (in minutes) between two consecutive backups. By default, every minute, a snapshot with the current contents of the Gateway Cache is saved to the storage file.
  5. Click Save Changes.
Enabling and Configuring the Proactive Cache

It is also possible to configure caching using environment variables.

When the Gateway is installed on Kubernetes, you can configure Caching using the Akeyless Gateway Helm chart.

