AWS Secrets Manager

This feature is released as and should not be deployed in a production environment.

Configuration

AWS Secrets Manager can be configured in multiple ways. The current version of Kong Gateway’s implementation only supports configuring via environment variables.

  1. export AWS_ACCESS_KEY_ID=<access_key_id>
  2. export AWS_SECRET_ACCESS_KEY=<secrets_access_key>
  3. export AWS_REGION=<aws-region>

Examples

For example, let’s use an AWS Secrets Manager Secret with the name my-secret-name.

In this object, you have multiple key=value pairs.

  1. {
  2.   "foo": "bar",
  3.   "snip": "snap",
  4. }

Access these secrets from my-secret-name like this:

  1. {vault://aws/my-secret-name/foo}
  2. {vault://aws/my-secret-name/snap}

Entity

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

cURL

HTTPie

  1. curl -i -X PUT http://<hostname>:8001/vaults-beta/my-aws-sm-vault  \
  2.   --data name=aws \
  3.   --data description="Storing secrets in AWS Secrets Manager" \
  4.   --data config.region="us-east-1"
  1. http PUT :8001/vaults-beta/my-aws-sm-vault name="aws" \
  2.   description="Storing secrets in AWS Secrets Manager" \
  3.   config.region="us-east-1" \
  4.   -f

Result:

  1. {
  2.     "config": {
  3.         "region": "us-east-1"
  4.     },
  5.     "created_at": 1644942689,
  6.     "description": "Storing secrets in AWS Secrets Manager",
  7.     "id": "2911e119-ee1f-42af-a114-67061c3831e5",
  8.     "name": "aws",
  9.     "prefix": "my-aws-sm-vault",
  10.     "tags": null,
  11.     "updated_at": 1644942689
  12. }

With the Vault entity in place, you can now reference the secrets. This allows you to drop the AWS_REGION environment variable.

  1. {vault://my-aws-sm-vault/my-secret-name/foo}
  2. {vault://my-aws-sm-vault/my-secret-name/snap}

Advanced Examples

You can create multiple entities, which lets you have secrets in different regions:

  1. http PUT :8001/vaults-beta/aws-eu-central-vault name=aws config.region="eu-central-1" -f 
  2. http PUT :8001/vaults-beta/aws-us-west-vault name=aws config.region="us-west-1" -f

This lets you source secrets from different regions:

  1. {vault://aws-eu-central-vault/my-secret-name/foo}
  2. {vault://aws-us-west-vault/my-secret-name/snap}