Environment Variables Vault

Storing secrets in environment variables is a common method, as they can be injected at build time.

Configuration via environment variables

Define a secret in an environment variable:

    export MY_SECRET_VALUE=EXAMPLE_VALUE

You can now reference this secret (the reference uses the variable name in lowercase, with hyphens in place of underscores):

    {vault://env/my-secret-value}

You can also store a flat JSON string if you want to keep multiple secrets in a single environment variable. Nested JSON is not supported.

    export PG_CREDS='{"username":"user", "password":"pass"}'

This allows you to reference the secrets separately:

    {vault://env/pg-creds/username}
    {vault://env/pg-creds/password}

When adding an environment variable with Helm, ensure that the variable being passed has kong- appended to it.

Configuration via vaults entity

The Vaults entity can only be used once the database is initialized. Secrets for values that are needed before the database is initialized can't be read from the Vaults entity.

Admin API

    curl -i -X PUT http://HOSTNAME:8001/vaults/my-env-vault \
      --data name=env \
      --data description="Store secrets in environment variables"

Result:

    {
      "config": {
        "prefix": null
      },
      "created_at": 1644942689,
      "description": "Store secrets in environment variables",
      "id": "2911e119-ee1f-42af-a114-67061c3831e5",
      "name": "env",
      "prefix": "my-env-vault",
      "tags": null,
      "updated_at": 1644942689
    }

Declarative configuration

Secrets management is supported in decK 1.16 and later.

Add the following snippet to your declarative configuration file:

    _format_version: "3.0"
    vaults:
    - config:
        prefix: null
      description: Store secrets in environment variables
      name: env
      prefix: my-env-vault

With the entity in place you can reference secrets like this:

    {vault://my-env-vault/my-secret-value}
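To make the reference rules above concrete, here is an added Python illustration (not Kong's own code) of how a `{vault://...}` reference resolves to an environment variable, covering the plain lookup, the flat-JSON sub-key lookup, and the `config.prefix` of a Vaults entity. The name normalization (upper-case, hyphens to underscores) and the way `config.prefix` is prepended are assumptions about Kong's behaviour, and the sample environment is constructed.

```python
import json
import re
from typing import Mapping, Optional

# Reference syntax used on this page: {vault://<vault>/<secret>[/<key>]}
REF_RE = re.compile(r"^\{vault://(?P<vault>[^/}]+)/(?P<secret>[^/}]+)(?:/(?P<key>[^/}]+))?\}$")

# Constructed sample environment mirroring the page's examples (not real credentials).
SAMPLE_ENV = {
    "MY_SECRET_VALUE": "EXAMPLE_VALUE",
    "PG_CREDS": '{"username":"user", "password":"pass"}',
    "APP_NESTED": '{"db":{"password":"deep"}}',  # nested JSON: not resolvable
}


def resolve_env_reference(ref: str, env: Mapping[str, str],
                          vault_prefixes: Optional[Mapping[str, Optional[str]]] = None) -> Optional[str]:
    """Resolve one {vault://...} reference against an environment mapping.
    vault_prefixes maps the reference prefix of a configured Vaults entity
    (e.g. "my-env-vault") to its config.prefix; the built-in "env" vault has none.
    Returns None when the variable, or the requested JSON key, is absent.
    """
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a vault reference: {ref!r}")
    vault, secret, key = m.group("vault", "secret", "key")
    if vault == "env":
        config_prefix = ""
    elif vault_prefixes and vault in vault_prefixes:
        config_prefix = vault_prefixes[vault] or ""
    else:
        raise ValueError(f"unknown vault prefix: {vault!r}")
    # Assumption: config.prefix is prepended, then the name is upper-cased and
    # hyphens become underscores, so my-secret-value -> MY_SECRET_VALUE.
    var_name = (config_prefix + secret).upper().replace("-", "_")
    raw = env.get(var_name)
    if raw is None or key is None:
        return raw
    # A sub-key selects one field of a flat JSON object stored in the variable.
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    value = data.get(key) if isinstance(data, dict) else None
    # Nested JSON is not supported: an object or list under the key is not a secret.
    if value is None or isinstance(value, (dict, list)):
        return None
    return str(value)
```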

Vault configuration options

Use the following configuration options to configure the vaults entity through any of the supported tools:

  • Admin API
  • Declarative configuration
  • Kong Manager
  • Konnect

Configuration options for an environment variable vault in Kong Gateway:

| Parameter | Field name | Description |
| --- | --- | --- |
| vaults.config.prefix | config-prefix (Kong Manager); Environment variable prefix (Konnect) | The prefix for the environment variable that the value will be stored in. |

Common options:

| Parameter | Field name | Description |
| --- | --- | --- |
| vaults.description (optional) | Description | An optional description for your vault. |
| vaults.name | Name | The type of vault. Accepts one of: env, gcp, aws, or hcv. Set env for the environment variable vault. |
| vaults.prefix | Prefix | The reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://my-env-vault/<some-secret>}. |