Get Started with Secrets Management
- Getting started
  - Define a reference
  - Using the reference
    - Environment variable
    - Configuration file

Get Started with Secrets Management

Secrets are generally confidential values that should not appear in plain text in the application. There are several products that help you store, retrieve, and rotate these secrets securely as well as audit the access to them. Kong Gateway offers a mechanism to set up references to these secrets which makes your Kong Gateway installation more secure.

Getting started

The following example uses the most basic form of secrets management: storing secrets in environment variables. In this example, you will replace a plaintext password to your PostgreSQL database with a reference to an environment variable.

You can also store secrets in a secure vault backend. For a list of supported vault backend implementations, see the Backends Overview.

In this example we’ll replace our plaintext password to our PostgreSQL database with a reference. To do so, define your environment variable and assign a secret value to it.

Define a reference

Define your environment variable and assign a secret value to it:

export MY_SECRET_POSTGRES_PASSWORD="opensesame"

Next, set up a reference to this environment variable so that Kong Gateway can find this secret. We use a Uniform Resource Locator (URL) format for this.

In this case, the reference would look like this:

{vault://env/my-secret-postgres-password}

Where:

vault is the scheme (protocol) that we use to indicate that this is a secret.
env is the name of the backend (Environment Variables), since we’re storing the secret in a ENV variable.
my-secret-postgres-password corresponds to the environment variable that you just defined.

Note that the reference is wrapped in curly braces.

Using the reference

You can specify configuration options using environment variables or by directly updating the kong.conf configuration file.

Environment variable

Set the KONG_PG_PASSWORD environment variable to the following, adjusting my-secret-postgres-password to your own password object name:

KONG_PG_PASSWORD={vault://env/my-secret-postgres-password}

Configuration file

The kong.conf file contains the property pg_password. Replace the original value with the following, adjusting my-secret-postgres-password to your own password object name:

pg_password={vault://env/my-secret-postgres-password}

Upon startup, Kong Gateway tries to detect and transparently resolve references.

For quick debugging or testing, you can use the CLI for vaults.

See the Advanced Usage documentation for more information on the configuration options for each vault backend.