Best Place to Store API Credentials

Where is the best place to store credentials (username / password) for accessing a private API on a CCR2004-1G-12S+2XS?

Specifically, I have written a script to hit an HTTP(S) API with some basic information. The function of this API isn’t relevant and is effectively immutable and, functionally, the script works just fine. Unfortunately, for development, I currently have the credentials hardcoded into the script as local variables which is pretty heinous from a security point of view. What facility of RouterOS would best be used to store these on-device without human interaction to use them?

Poking around the documentation, I see support for Certificates, but this doesn’t seem to extend to trivial user / pass combinations.

Ultimately, anything that will let me securely execute something along the lines of

:local resp ([/tool/fetch user=$USER password=$PASS url=https://example.com/api output=user as-value]->"data")

should work just fine.

Thanks!

I use /ppp/secrets - the password for a “secret” is marked as “sensitive” in the policy, so it doesn’t get shown or exported without show-sensitive. In theory, someone would be able to log in to the serial console (if one is enabled) using the API key. But if the goal is to obfuscate some API key, it works since it’s NOT in a global.

See:
http://forum.mikrotik.com/t/securely-storing-apikey-tokens-for-tool-fetch-approaches-secret/156066/1

But it’s not ideal; some “real” secret variable store would be useful.
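
A sketch of the /ppp/secrets approach described in the answer above, applied to the fetch call from the question. This is an added example, not code from the thread or the linked post; the entry name `api-example`, the use of `comment` to hold the username, `disabled=yes`, and the placeholder values are all assumptions.

```routeros
# --- One-time setup, typed by an admin at the terminal ---
# Constructed placeholder values; substitute the real credentials.
# disabled=yes is an assumption: it keeps the entry from being accepted
# for PPP authentication while leaving it readable by scripts.
/ppp/secret/add name="api-example" comment="REPLACE_WITH_API_USERNAME" \
    password="REPLACE_WITH_API_PASSWORD" disabled=yes

# --- Inside the script: read the credentials at run time ---
# The script (and any scheduler entry that runs it) needs the "sensitive"
# policy, otherwise the password property is not readable.
:local id [/ppp/secret/find name="api-example"]

# Fail loudly if the entry is missing instead of fetching with empty credentials.
:if ([:len $id] = 0) do={
    :error "credential entry api-example not found"
}

:local apiUser [/ppp/secret/get $id comment]
:local apiPass [/ppp/secret/get $id password]

# Same request as in the question, with locals instead of hardcoded values.
# Locals go out of scope when the script ends, unlike globals.
:local resp ([/tool/fetch user=$apiUser password=$apiPass \
    url="https://example.com/api" output=user as-value]->"data")
```

Running `/export` without `show-sensitive` afterwards and checking that the password value is absent confirms the entry is being treated as sensitive.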

Wow, that’ll do nicely for my purposes. Also, +1 for making a generalized secret store as mentioned in your other post; that would also have solved this case as well.

Thanks for putting in the legwork and posting it up for everyone!
