AuthorizationPolicy Condition Value from Environment Variable

Hello!

I’m looking to use an api-key header with a value to be matched within an authorization policy; however, I’d prefer not to put the key value directly in the AuthorizationPolicy manifest, but instead source the value from a secret (or an environment variable sourced from a secret).

I saw a reference to this being possible, but I’m unable to find any examples of how to achieve such a thing…

Any help will be much appreciated!

Example Authorization Policy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  labels:
    app: my-app
  name: my-app-policy
spec:
  action: ALLOW
  rules:
    - when:
        - key: request.headers[api-key]
          values: ["${MY_API_KEY_VALUE}"] # <-- Pull from a secret location
    - from:
      - source:
          remoteIpBlocks:
            - "1.2.3.4"
            - "5.6.7.8"
  selector:
    matchLabels:
      app: my-app

Hi @liminwang, as you replied in the reference Use environment variable RequestAuthentication/AuthorizationPolicy, could you please update Use environment variable RequestAuthentication/AuthorizationPolicy and share some detailed solutions here?