Reference Format

We use the URL syntax to describe references to a secret store.

    {vault://<vault-backend|entity>/<secret-id>[/<secret-key>][?query]}

Protocol/Scheme

    {vault://<vault-backend|entity>/<secret-id>[/<secret-key>]}
     ^^^^^

The vault scheme in the URL is the identifier that tells Kong this value is a reference to a vault.

Host/Path

    {vault://<vault-prefix>/<secret-id>[/<secret-key>]}
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The host and path of the URL define the following:

Vault Prefix

The prefix for a vault can be either the name of the backend or the name of a vault entity that you created.

Examples:

    {vault://env/<secret-id>[/<secret-key>]}
             ^^^

or, using a vault entity:

    {vault://my-env-vault/<secret-id>[/<secret-key>]}
             ^^^^^^^^^^^^

Secret ID

The secret-id is used as an identifier for a secret stored in a vault. The vault may return either a string value (a single secret) or multiple related secrets, like username and password, as a secret object.

Secret Key

The secret-key is used to identify the secret within the secret-id object.

Query

Query arguments denote configuration options for the Vault Prefix, in key=value format.
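
As an added example (not Kong's own code), here is a strict Python parser for the reference format described above, of the kind you might run over configuration files to reject malformed references before deployment. VaultRef and parse_vault_ref are hypothetical names, the sample references are constructed, and the parser assumes secret-id and secret-key are each a single path segment, as the grammar above shows.

```python
# Added example: strict parser for the reference grammar on this page.
# VaultRef and parse_vault_ref are hypothetical names, not Kong APIs.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote


@dataclass
class VaultRef:
    prefix: str                 # backend name or vault entity name
    secret_id: str              # identifies the secret in the vault
    secret_key: Optional[str]   # selects one value inside a secret object
    options: dict = field(default_factory=dict)  # key=value query options


def parse_vault_ref(text: str) -> VaultRef:
    """Parse {vault://<prefix>/<secret-id>[/<secret-key>][?query]}.

    Raises ValueError on anything that does not match the grammar.
    """
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("reference must be wrapped in { }")
    url = urlsplit(text[1:-1])
    if url.scheme != "vault":
        raise ValueError("scheme must be vault")
    if not url.netloc:
        raise ValueError("missing vault prefix")
    # Assumption: secret-id and secret-key are single, non-empty segments.
    parts = [unquote(p) for p in url.path.split("/")[1:]]
    if not 1 <= len(parts) <= 2 or any(p == "" for p in parts):
        raise ValueError("expected /<secret-id>[/<secret-key>]")
    options = {}
    if url.query:
        # strict_parsing rejects fields that are not in key=value form
        options = dict(parse_qsl(url.query, keep_blank_values=True,
                                 strict_parsing=True))
    key = parts[1] if len(parts) == 2 else None
    return VaultRef(url.netloc, parts[0], key, options)


if __name__ == "__main__":
    # Constructed sample references, not taken from the page.
    for sample in ("{vault://env/my-secret/password?prefix=KONG_}",
                   "{vault://my-env-vault/db-creds}",
                   "{vault://env}"):
        try:
            print(sample, "->", parse_vault_ref(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```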