Advanced Secrets Configuration

This feature is released as a beta and should not be deployed in a production environment.

Vault implementations offer a variety of advanced configuration options.

Query arguments

You can configure your vault backend with query arguments.

For example, the following query uses an option called prefix with the value SECURE_:

    {vault://env/my-secret-config-value?prefix=SECURE_}

For more information on available configuration options, refer to the respective vault backend documentation.

Environment Variables

You can configure your vault backend with KONG_VAULT_<vault-backend>_<config_opt> environment variables.

For example, Kong Gateway might look for an environment variable that matches KONG_VAULT_ENV_PREFIX:

    export KONG_VAULT_ENV_PREFIX=SECURE_
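
A pre-deployment check for the two configuration paths above, added here as an example and not taken from Kong's code: it parses env-vault references and reports those whose backing environment variable is unset, without ever returning the secret value. Assumptions: a prefix query argument overrides KONG_VAULT_ENV_PREFIX, keys are a single path segment, and the key is upper-cased with "-" mapped to "_"; the function names and the pg-password reference are hypothetical.

```python
import os
import re
from urllib.parse import parse_qs

# Matches references such as {vault://env/my-secret-config-value?prefix=SECURE_}
REF_RE = re.compile(r"^\{vault://([^/?}]+)/([^/?}]+)(?:\?([^}]*))?\}$")


def parse_reference(ref):
    """Split a vault reference into (backend, key, query-argument dict)."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a vault reference: {ref!r}")
    backend, key, query = m.groups()
    parsed = parse_qs(query or "", keep_blank_values=True)
    return backend, key, {k: v[-1] for k, v in parsed.items()}


def env_var_for(ref, environ=os.environ):
    """Name of the environment variable an env-vault reference would read."""
    backend, key, args = parse_reference(ref)
    if backend != "env":
        raise ValueError(f"only the env backend is handled, got {backend!r}")
    # Assumption: a prefix query argument overrides KONG_VAULT_ENV_PREFIX.
    prefix = args.get("prefix", environ.get("KONG_VAULT_ENV_PREFIX", ""))
    # Assumption: key is upper-cased and "-" becomes "_" (env/test reads TEST).
    return prefix + key.upper().replace("-", "_")


def missing_secrets(refs, environ=os.environ):
    """Return references whose backing variable is unset (values never leave environ)."""
    return [r for r in refs if env_var_for(r, environ) not in environ]


if __name__ == "__main__":
    # Constructed sample environment and references.
    sample_env = {
        "KONG_VAULT_ENV_PREFIX": "SECURE_",
        "SECURE_MY_SECRET_CONFIG_VALUE": "constructed-value",
    }
    refs = [
        "{vault://env/my-secret-config-value}",
        "{vault://env/my-secret-config-value?prefix=SECURE_}",
        "{vault://env/pg-password?prefix=OTHER_}",
    ]
    for ref in missing_secrets(refs, sample_env):
        print("unresolvable:", ref, "->", env_var_for(ref, sample_env))
```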

Vaults entity

You can configure your vault backend using the vaults entity.

For the beta release of this feature, the endpoint is /vaults-beta.

    http PUT :8001/vaults-beta/my-env-vault \
      name=env \
      description="ENV vault for secrets" \
      config.prefix=SECURE_ \
      -f

This lets you drop the configuration from environment variables and query arguments and use the entity name in the reference.

    {vault://my-env-vault/my-secret-config-value}

For more information, see the section on the Vaults entity.

Vaults CLI

Beta warning: In the beta release, only the kong vault get command is supported.

    Usage: kong vault COMMAND [OPTIONS]

    Vault utilities for Kong.

    Example usage:
     TEST=hello kong vault get env/test

    The available commands are:
     get <reference>  Retrieves a value for <reference>

    Options:
     --v              verbose
     --vv             debug

Vaults Entity

Beta warning:
The API endpoint is suffixed with -beta to avoid any possible conflicts. This will be changed in the future. Kong Manager currently has no support for configuring vault entities.

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

Create a Vault entity:

cURL

    $ curl -i -X PUT http://<hostname>:8001/vaults-beta/my-env-vault-1 \
      --data name=env \
      --data description='ENV vault for secrets' \
      --data config.prefix=SECRET_

HTTPie

    http PUT :8001/vaults-beta/my-env-vault-1 \
      name=env \
      description="ENV vault for secrets" \
      config.prefix=SECRET_ \
      -f

Result:

    {
        "config": {
            "prefix": "SECRET_"
        },
        "created_at": 1644929952,
        "description": "ENV vault for secrets",
        "id": "684ff5ea-7f65-4377-913b-880857f39251",
        "name": "env",
        "prefix": "my-env-vault-1",
        "tags": null,
        "updated_at": 1644929952
    }

Config options depend on the associated backend used.