Vendor API
The Vendor API is a service that is delivered in a Docker container (Vendor Bridge) that is run within your SaaS infrastructure. It provides an API that can be used to manage tenants and KMS configurations by communicating with the Config Broker on your behalf. This is useful when tenant and KMS configuration management needs to be done programmatically.
The Vendor Bridge encrypts and decrypts vendor-created configurations, but it does not store them for longer than the duration of each request. It is cryptographically guaranteed not to have access to tenant-created KMS configurations.
Installation
The Vendor Bridge Docker container is hosted publicly on the IronCore Labs Docker registry. Find the latest tag available and pull down the image by running this command:
```bash
docker pull gcr.io/ironcore-images/vendor-bridge:{tag}
```
You can see the changes in each version of the Vendor Bridge in its changelog.
After you have successfully pulled the Vendor Bridge, you should be able to see the image listed in your `docker images` list.
Startup
In order to successfully start the Docker container, you need to provide it with a Vendor Bridge configuration generated from the Configuration Broker. Once you have this configuration, you can run:
```bash
docker run \
  --env-file vendor-bridge-config.env \
  -p 42849:3000 \
  -m 256M \
  --cpus=2 \
  gcr.io/ironcore-images/vendor-bridge:{tag}
```
The exposed port `42849` can be changed to a different value of your choosing if you want to run the service on a different port. If the image starts successfully, then the Vendor Bridge service is running locally on the provided port.
The `-m` argument to Docker sets the amount of memory available to the container. We recommend allocating at least 512M for the container. The `--cpus` argument to Docker sets the number of CPUs available to the container. We recommend allocating at least 2 CPUs for the container.
When the Vendor Bridge service starts, it immediately attempts to make a request to the Configuration Broker to retrieve metadata about the service account.
Once the container has successfully started, it can be accessed from your applications using the REST API specified here.
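The following preflight wrapper around the startup command is an added example, not part of IronCore Labs' documentation or code. It assumes the env file holds secret material and that the API only needs to be reachable from the same host; the function names are hypothetical.

```shell
# Added example: checks to run before starting the Vendor Bridge container.
IMAGE="gcr.io/ironcore-images/vendor-bridge"

# Succeeds only if the config file exists and has no group/other permission bits.
config_is_private() {
  [ -f "$1" ] || return 1
  # Characters 5-10 of the `ls -ld` mode string are the group and other bits.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only for an explicit tag: rejects empty, "latest" and an
# unreplaced "{tag}" placeholder copied from the documentation.
tag_is_pinned() {
  case "$1" in
    ""|latest|*"{"*|*"}"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the docker run command for review, or fails without printing it.
# Assumption: callers run on this host, so the port is bound to loopback only.
# -m 512M and --cpus=2 are the minimums the page recommends.
# Paths containing spaces are not quoted in the printed command.
vendor_bridge_cmd() {
  vb_env="$1"; vb_tag="$2"; vb_port="${3:-42849}"
  if ! config_is_private "$vb_env"; then
    echo "refusing: $vb_env is missing or accessible to group/other" >&2
    return 1
  fi
  if ! tag_is_pinned "$vb_tag"; then
    echo "refusing: image tag '$vb_tag' is not pinned" >&2
    return 1
  fi
  printf 'docker run --env-file %s -p 127.0.0.1:%s:3000 -m 512M --cpus=2 %s:%s\n' \
    "$vb_env" "$vb_port" "$IMAGE" "$vb_tag"
}
```

If your applications reach the Vendor Bridge from other hosts, drop the `127.0.0.1:` prefix and restrict access at the network layer instead.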