You are browsing documentation for an outdated version. See the latest documentation here.

File access and permissions

This page describes the file access requirements for Kong Gateway.

Users and groups

When a user installs a Kong Gateway official binary package, or uses the Docker image, Kong defaults to running under the kong user and group.

The following directories and files are installed by the binary and owned by the kong user and group:

  • /usr/local/kong/: the default run-time data prefix directory for Kong
  • /usr/local/openresty/: the OpenResty installation
  • /etc/kong/: the default configuration directory

Note: The kong shell is set to /sbin/nologin, this prevents using SSH to log in and execute commands.

File read and write permissions

The following table contains Kong Gateway components and any additional file paths it accesses, in addition to the standard system files that the kong user already has access to.

ComponentFile path descriptionRead or Write
grpc-gatewayThe .proto file path configured in the plugin.Read
grpc-webThe .proto file path configured in the plugin.
Dependent on proxy path traffic.
Write
Granular tracingtracing_write_endpoint.
Only if tracing_write_strategy is set to file.
Dependent on proxy path traffic.
Write
Access logs and error logsUnder prefix, by default /usr/local/kong/kogs.
Dependent on proxy path traffic.
Write
Temporary dataUnder prefix, by default /user/local/kong.
Includes cached configuration values and temporary body buffers.
Write