You are browsing documentation for an outdated version. See the latest documentation here.

kong.vault

This module can be used to resolve, parse, and verify vault references.

kong.vault.is_reference(reference)

Checks if the passed in reference looks like a reference. Valid references start with {vault:// and end with }.

If you need more thorough validation, use kong.vault.parse_reference.

Parameters

  • reference (string): reference to check

Returns

  • boolean: true is the passed in reference looks like a reference, otherwise false

Usage

  1. kong.vault.is_reference("{vault://env/key}") -- true
  2. kong.vault.is_reference("not a reference")   -- false

kong.vault.parse_reference(reference)

Parses and decodes the passed in reference and returns a table containing its components.

Given a following resource:

  1.  "{vault://env/cert/key?prefix=SSL_#1}"

This function will return following table:

  1.  {
  2.    name     = "env",  -- name of the Vault entity or Vault strategy
  3.    resource = "cert", -- resource where secret is stored
  4.    key      = "key",  -- key to lookup if the resource is secret object
  5.    config   = {       -- if there are any config options specified
  6.      prefix = "SSL_"
  7.    },
  8.    version  = 1       -- if the version is specified
  9.  }

Parameters

  • reference (string): reference to parse

Returns

  1. table|nil: a table containing each component of the reference, or nil on error

  2. string|nil: error message on failure, otherwise nil

Usage

  1. local ref, err = kong.vault.parse_reference("{vault://env/cert/key?prefix=SSL_#1}") -- table

kong.vault.get(reference)

Resolves the passed in reference and returns the value of it.

Parameters

  • reference (string): reference to resolve

Returns

  1. string|nil: resolved value of the reference

  2. string|nil: error message on failure, otherwise nil

Usage

  1. local value, err = kong.vault.get("{vault://env/cert/key}")

kong.vault.try(callback, options)

Helper function for automatic secret rotation. Currently experimental.

Parameters

  • callback (function): callback function
  • options (table): options containing credentials and references

Returns

  1. string|nil: return value of the callback function

  2. string|nil: error message on failure, otherwise nil

Usage

  1. local function connect(options)
  2.   return database_connect(options)
  3. end
  5. local connection, err = kong.vault.try(connect, {
  6.   username = "john",
  7.   password = "doe",
  8.   ["$refs"] = {
  9.     username = "{vault://aws/database-username}",
  10.     password = "{vault://aws/database-password}",
  11.   }
  12. })