api7 · ronething · Sep 12, 2025 · Aug 21, 2025 · Aug 25, 2025 · Aug 25, 2025
diff --git a/api/adc/plugin_types.go b/api/adc/plugin_types.go
@@ -77,8 +77,11 @@ type JwtAuthConsumerConfig struct {
 // used in Consumer object.
 // +k8s:deepcopy-gen=true
 type HMACAuthConsumerConfig struct {
-	AccessKey           string   `json:"access_key" yaml:"access_key"`
-	SecretKey           string   `json:"secret_key" yaml:"secret_key"`
+	KeyID     string `json:"key_id,omitempty" yaml:"key_id"`
+	SecretKey string `json:"secret_key" yaml:"secret_key"`
+
+	// Deprecated
+	AccessKey           string   `json:"access_key,omitempty" yaml:"access_key"`
 	Algorithm           string   `json:"algorithm,omitempty" yaml:"algorithm,omitempty"`
 	ClockSkew           int64    `json:"clock_skew,omitempty" yaml:"clock_skew,omitempty"`
 	SignedHeaders       []string `json:"signed_headers,omitempty" yaml:"signed_headers,omitempty"`

diff --git a/api/v2/apisixconsumer_types.go b/api/v2/apisixconsumer_types.go
@@ -161,23 +161,26 @@ type ApisixConsumerHMACAuth struct {
 
 // ApisixConsumerHMACAuthValue defines configuration for HMAC authentication.
 type ApisixConsumerHMACAuthValue struct {
-	// AccessKey is the identifier used to look up the HMAC secret.
-	AccessKey string `json:"access_key" yaml:"access_key"`
+	// KeyID is the identifier used to look up the HMAC secret.
+	KeyID string `json:"key_id,omitempty" yaml:"key_id"`
 	// SecretKey is the HMAC secret used to sign the request.
 	SecretKey string `json:"secret_key" yaml:"secret_key"`
-	// Algorithm specifies the hashing algorithm (e.g., "hmac-sha256").
+
+	// AccessKey is the identifier used to look up the HMAC secret. Deprecated from consumer configuration
+	AccessKey string `json:"access_key,omitempty" yaml:"access_key"`
+	// Algorithm specifies the hashing algorithm (e.g., "hmac-sha256"). Deprecated from consumer configuration
 	Algorithm string `json:"algorithm,omitempty" yaml:"algorithm,omitempty"`
-	// ClockSkew is the allowed time difference (in seconds) between client and server clocks.
+	// ClockSkew is the allowed time difference (in seconds) between client and server clocks. Deprecated from consumer configuration
 	ClockSkew int64 `json:"clock_skew,omitempty" yaml:"clock_skew,omitempty"`
-	// SignedHeaders lists the headers that must be included in the signature.
+	// SignedHeaders lists the headers that must be included in the signature. Deprecated from consumer configuration
 	SignedHeaders []string `json:"signed_headers,omitempty" yaml:"signed_headers,omitempty"`
-	// KeepHeaders determines whether the HMAC signature headers are preserved after verification.
+	// KeepHeaders determines whether the HMAC signature headers are preserved after verification. Deprecated from consumer configuration
 	KeepHeaders bool `json:"keep_headers,omitempty" yaml:"keep_headers,omitempty"`
-	// EncodeURIParams indicates whether URI parameters are encoded when calculating the signature.
+	// EncodeURIParams indicates whether URI parameters are encoded when calculating the signature. Deprecated from consumer configuration
 	EncodeURIParams bool `json:"encode_uri_params,omitempty" yaml:"encode_uri_params,omitempty"`
-	// ValidateRequestBody enables HMAC validation of the request body.
+	// ValidateRequestBody enables HMAC validation of the request body. Deprecated from consumer configuration
 	ValidateRequestBody bool `json:"validate_request_body,omitempty" yaml:"validate_request_body,omitempty"`
-	// MaxReqBody sets the maximum size (in bytes) of the request body that can be validated.
+	// MaxReqBody sets the maximum size (in bytes) of the request body that can be validated. Deprecated from consumer configuration
 	MaxReqBody int64 `json:"max_req_body,omitempty" yaml:"max_req_body,omitempty"`
 }
 

diff --git a/config/crd-nocel/apisix.apache.org_v2.yaml b/config/crd-nocel/apisix.apache.org_v2.yaml
@@ -101,28 +101,36 @@ spec:
                         properties:
                           access_key:
                             description: AccessKey is the identifier used to look
-                              up the HMAC secret.
+                              up the HMAC secret. Deprecated from consumer configuration
                             type: string
                           algorithm:
                             description: Algorithm specifies the hashing algorithm
-                              (e.g., "hmac-sha256").
+                              (e.g., "hmac-sha256"). Deprecated from consumer configuration
                             type: string
                           clock_skew:
                             description: ClockSkew is the allowed time difference
-                              (in seconds) between client and server clocks.
+                              (in seconds) between client and server clocks. Deprecated
+                              from consumer configuration
                             format: int64
                             type: integer
                           encode_uri_params:
                             description: EncodeURIParams indicates whether URI parameters
-                              are encoded when calculating the signature.
+                              are encoded when calculating the signature. Deprecated
+                              from consumer configuration
                             type: boolean
                           keep_headers:
                             description: KeepHeaders determines whether the HMAC signature
-                              headers are preserved after verification.
+                              headers are preserved after verification. Deprecated
+                              from consumer configuration
                             type: boolean
+                          key_id:
+                            description: KeyID is the identifier used to look up the
+                              HMAC secret.
+                            type: string
                           max_req_body:
                             description: MaxReqBody sets the maximum size (in bytes)
-                              of the request body that can be validated.
+                              of the request body that can be validated. Deprecated
+                              from consumer configuration
                             format: int64
                             type: integer
                           secret_key:
@@ -131,17 +139,20 @@ spec:
                             type: string
                           signed_headers:
                             description: SignedHeaders lists the headers that must
-                              be included in the signature.
+                              be included in the signature. Deprecated from consumer
+                              configuration
                             items:
                               type: string
                             type: array
                           validate_request_body:
                             description: ValidateRequestBody enables HMAC validation
-                              of the request body.
+                              of the request body. Deprecated from consumer configuration
                             type: boolean
                         required:
-                        - access_key
                         - secret_key
+                        oneOf:
+                        - required: ["key_id", "secret_key"]
+                        - required: ["access_key", "secret_key"]
                         type: object
                     type: object
                   jwtAuth:

diff --git a/config/crd/bases/apisix.apache.org_apisixconsumers.yaml b/config/crd/bases/apisix.apache.org_apisixconsumers.yaml
@@ -101,28 +101,36 @@ spec:
                         properties:
                           access_key:
                             description: AccessKey is the identifier used to look
-                              up the HMAC secret.
+                              up the HMAC secret. Deprecated from consumer configuration
                             type: string
                           algorithm:
                             description: Algorithm specifies the hashing algorithm
-                              (e.g., "hmac-sha256").
+                              (e.g., "hmac-sha256"). Deprecated from consumer configuration
                             type: string
                           clock_skew:
                             description: ClockSkew is the allowed time difference
-                              (in seconds) between client and server clocks.
+                              (in seconds) between client and server clocks. Deprecated
+                              from consumer configuration
                             format: int64
                             type: integer
                           encode_uri_params:
                             description: EncodeURIParams indicates whether URI parameters
-                              are encoded when calculating the signature.
+                              are encoded when calculating the signature. Deprecated
+                              from consumer configuration
                             type: boolean
                           keep_headers:
                             description: KeepHeaders determines whether the HMAC signature
-                              headers are preserved after verification.
+                              headers are preserved after verification. Deprecated
+                              from consumer configuration
                             type: boolean
+                          key_id:
+                            description: KeyID is the identifier used to look up the
+                              HMAC secret.
+                            type: string
                           max_req_body:
                             description: MaxReqBody sets the maximum size (in bytes)
-                              of the request body that can be validated.
+                              of the request body that can be validated. Deprecated
+                              from consumer configuration
                             format: int64
                             type: integer
                           secret_key:
@@ -131,16 +139,16 @@ spec:
                             type: string
                           signed_headers:
                             description: SignedHeaders lists the headers that must
-                              be included in the signature.
+                              be included in the signature. Deprecated from consumer
+                              configuration
                             items:
                               type: string
                             type: array
                           validate_request_body:
                             description: ValidateRequestBody enables HMAC validation
-                              of the request body.
+                              of the request body. Deprecated from consumer configuration
                             type: boolean
                         required:
-                        - access_key
                         - secret_key
                         type: object
                     type: object

diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml
@@ -22,7 +22,12 @@ patches:
     name: consumers.apisix.apache.org
     group: apiextensions.k8s.io
     version: v1
-
+- path: patches/hmac_auth_validation.yaml
+  target:
+    kind: CustomResourceDefinition
+    name: apisixconsumers.apisix.apache.org
+    group: apiextensions.k8s.io
+    version: v1
 # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix.
 # patches here are for enabling the conversion webhook for each CRD
 #- path: patches/webhook_in_gatewayproxies.yaml

diff --git a/config/crd/patches/hmac_auth_validation.yaml b/config/crd/patches/hmac_auth_validation.yaml
@@ -0,0 +1,8 @@
+- op: replace
+  path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/authParameter/properties/hmacAuth/properties/value/required
+  value: ["secret_key"]
+- op: add
+  path: /spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/authParameter/properties/hmacAuth/properties/value/oneOf
+  value:
+    - required: ["key_id", "secret_key"]
+    - required: ["access_key", "secret_key"]
diff --git a/docs/en/latest/reference/api-reference.md b/docs/en/latest/reference/api-reference.md
@@ -745,15 +745,16 @@ ApisixConsumerHMACAuthValue defines configuration for HMAC authentication.
 
 | Field | Description |
 | --- | --- |
-| `access_key` _string_ | AccessKey is the identifier used to look up the HMAC secret. |
+| `key_id` _string_ | KeyID is the identifier used to look up the HMAC secret. |
 | `secret_key` _string_ | SecretKey is the HMAC secret used to sign the request. |
-| `algorithm` _string_ | Algorithm specifies the hashing algorithm (e.g., "hmac-sha256"). |
-| `clock_skew` _integer_ | ClockSkew is the allowed time difference (in seconds) between client and server clocks. |
-| `signed_headers` _string array_ | SignedHeaders lists the headers that must be included in the signature. |
-| `keep_headers` _boolean_ | KeepHeaders determines whether the HMAC signature headers are preserved after verification. |
-| `encode_uri_params` _boolean_ | EncodeURIParams indicates whether URI parameters are encoded when calculating the signature. |
-| `validate_request_body` _boolean_ | ValidateRequestBody enables HMAC validation of the request body. |
-| `max_req_body` _integer_ | MaxReqBody sets the maximum size (in bytes) of the request body that can be validated. |
+| `access_key` _string_ | AccessKey is the identifier used to look up the HMAC secret. Deprecated from consumer configuration |
+| `algorithm` _string_ | Algorithm specifies the hashing algorithm (e.g., "hmac-sha256"). Deprecated from consumer configuration |
+| `clock_skew` _integer_ | ClockSkew is the allowed time difference (in seconds) between client and server clocks. Deprecated from consumer configuration |
+| `signed_headers` _string array_ | SignedHeaders lists the headers that must be included in the signature. Deprecated from consumer configuration |
+| `keep_headers` _boolean_ | KeepHeaders determines whether the HMAC signature headers are preserved after verification. Deprecated from consumer configuration |
+| `encode_uri_params` _boolean_ | EncodeURIParams indicates whether URI parameters are encoded when calculating the signature. Deprecated from consumer configuration |
+| `validate_request_body` _boolean_ | ValidateRequestBody enables HMAC validation of the request body. Deprecated from consumer configuration |
+| `max_req_body` _integer_ | MaxReqBody sets the maximum size (in bytes) of the request body that can be validated. Deprecated from consumer configuration |
 
 
 _Appears in:_

diff --git a/docs/en/latest/upgrade-guide.md b/docs/en/latest/upgrade-guide.md
@@ -150,6 +150,10 @@ More details: [ADC Backend Differences](https://github.com/api7/adc/blob/2449ca8
 
 The `ApisixClusterConfig` CRD has been removed in 2.0.0. global rules and configurations should now be managed through the `ApisixGlobalRule` CRDs.
 
+#### `ApisixConsumer` - `hmac-auth`
+
+In apisix >= 3.11, most of the hmac-auth related configuration has been deprecated from consumer and moved to service/route level. The name of a `required` field has also been changed from `access_key` to `key_id`. If you have ApisixConsumer configuration with hmac-auth plugin compatible with <3.11, they will not be compatible with newer versions of APISIX. Since all 3+ versions of apisix are supported by ingress controller, if you dont upgrade APISIX, you don't need to change your ApisixConsumer configuration. But when using >3.11, pass all configurations other than `key_id`(previously `access_key`) via PluginConfig or ApisixRoute.
+
 #### Ingress
 
 ##### API Version Support