kong.vault

This module can be used to resolve, parse, and verify vault references.

kong.vault.is_reference(reference)

Checks if the passed in reference looks like a reference. Valid references start with {vault:// and end with }.

If you need more thorough validation, use kong.vault.parse_reference.

Parameters

  • reference (string): reference to check

Returns

  • boolean: true if the passed in reference looks like a reference, otherwise false

Usage

  kong.vault.is_reference("{vault://env/key}") -- true
  kong.vault.is_reference("not a reference") -- false

kong.vault.parse_reference(reference)

Parses and decodes the passed in reference and returns a table containing its components.

Given the following reference:

  "{vault://env/cert/key?prefix=SSL_#1}"

This function will return the following table:

  {
    name = "env",        -- name of the Vault entity or Vault strategy
    resource = "cert",   -- resource where the secret is stored
    key = "key",         -- key to look up if the resource is a secret object
    config = {           -- present only if config options were specified
      prefix = "SSL_"
    },
    version = 1          -- present only if a version was specified
  }

Parameters

  • reference (string): reference to parse

Returns

  1. table|nil: a table containing each component of the reference, or nil on error

  2. string|nil: error message on failure, otherwise nil

Usage

  local ref, err = kong.vault.parse_reference("{vault://env/cert/key?prefix=SSL_#1}") -- table
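To make the reference format that is_reference and parse_reference operate on concrete, here is an added stand-alone Lua re-implementation of the two checks; it is not Kong's code and only mirrors the output table documented above. It assumes (as in the page's examples) that the path segments after the vault name form the resource and the last segment is the key, and that a bad version number is reported as an error.

```lua
-- Constructed, simplified parser for "{vault://name/resource[/key][?k=v...][#version]}".
-- NOT Kong's implementation; it reproduces the documented result table so a reference
-- can be inspected without a running Kong.

local function url_decode(s)
  return (s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end))
end

-- The cheap check described on the page: starts with "{vault://" and ends with "}".
local function is_reference(reference)
  return type(reference) == "string"
     and reference:find("^{vault://") ~= nil
     and reference:sub(-1) == "}"
end

local function parse_reference(reference)
  if not is_reference(reference) then
    return nil, "not a reference"
  end
  local body = reference:sub(10, -2)                  -- drop "{vault://" and "}"
  local rest, fragment = body:match("^([^#]*)#?(.*)$") -- split off "#version"
  local path, query = rest:match("^([^?]*)%??(.*)$")  -- split off "?k=v&..."

  local version
  if fragment ~= "" then
    version = tonumber(fragment)
    if not version then return nil, "version must be a number" end
  end

  local config
  if query ~= "" then
    config = {}
    for pair in query:gmatch("[^&]+") do
      local k, v = pair:match("^([^=]*)=?(.*)$")
      config[url_decode(k)] = url_decode(v)
    end
  end

  local parts = {}
  for part in path:gmatch("[^/]+") do parts[#parts + 1] = url_decode(part) end
  if #parts < 2 then return nil, "reference needs a vault name and a resource" end

  -- Assumption: everything between the name and the last segment is the resource.
  local key
  local resource = parts[2]
  if #parts > 2 then
    resource = table.concat(parts, "/", 2, #parts - 1)
    key = parts[#parts]
  end
  return { name = parts[1], resource = resource, key = key, config = config, version = version }
end

local ref = assert(parse_reference("{vault://env/cert/key?prefix=SSL_#1}"))
assert(ref.name == "env" and ref.resource == "cert" and ref.key == "key")
assert(ref.config.prefix == "SSL_" and ref.version == 1)
assert(not parse_reference("not a reference"))
```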

kong.vault.get(reference)

Resolves the passed in reference and returns its value.

Parameters

  • reference (string): reference to resolve

Returns

  1. string|nil: resolved value of the reference

  2. string|nil: error message on failure, otherwise nil

Usage

  local value, err = kong.vault.get("{vault://env/cert/key}")

kong.vault.try(callback, options)

Helper function for automatic secret rotation. Currently experimental.

Parameters

  • callback (function): callback function that is called with the options table
  • options (table): options containing the credentials and, under the "$refs" key, the vault references they were resolved from

Returns

  1. string|nil: return value of the callback function

  2. string|nil: error message on failure, otherwise nil

Usage

  local function connect(options)
    return database_connect(options)
  end

  local connection, err = kong.vault.try(connect, {
    username = "john",
    password = "doe",
    ["$refs"] = {
      username = "{vault://aws/database-username}",
      password = "{vault://aws/database-password}",
    }
  })