Advanced Secrets Configuration

Vault implementations offer a variety of advanced configuration options. For specific configuration parameters for your vault backend, see the backend reference.

Query arguments

You can configure your vault backend with query arguments.

For example, the following query uses an option called prefix with the value SECURE_:

  1. {vault://env/my-secret-config-value?prefix=SECURE_}

For more information on available configuration options, refer to respective vault backend documentation.

Environment variables

You can configure your vault backend with KONG_VAULT_<vault-backend>_<config_opt> environment variables.

For example, Kong Gateway might look for an environment variable that matches KONG_VAULT_ENV_PREFIX:

  1. export KONG_VAULT_ENV_PREFIX=SECURE_

Vaults entity

You can configure your vault backend using the vaults entity.

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

Create a Vault entity:

cURL

HTTPie

  1. curl -i -X PUT http://HOSTNAME:8001/vaults/my-env-vault-1  \
  2.   --data name=env \
  3.   --data description='ENV vault for secrets' \
  4.   --data config.prefix=SECRET_
  1. http -f PUT :8001/vaults/my-env-vault-1 \
  2.   name=env \
  3.   description="ENV vault for secrets" \
  4.   config.prefix=SECRET_

Result:

  1. {
  2.     "config": {
  3.         "prefix": "SECRET_"
  4.     },
  5.     "created_at": 1644929952,
  6.     "description": "ENV vault for secrets",
  7.     "id": "684ff5ea-7f65-4377-913b-880857f39251",
  8.     "name": "env",
  9.     "prefix": "my-env-vault-1",
  10.     "tags": null,
  11.     "updated_at": 1644929952
  12. }

Config options depend on the associated backend used.

This lets you drop the configuration from environment variables and query arguments and use the entity name in the reference:

  1. {vault://my-env-vault/my-secret-config-value}

Vaults CLI

  1. Usage: kong vault COMMAND [OPTIONS]
  3. Vault utilities for Kong Gateway.
  5. Example usage:
  6.  TEST=hello kong vault get env/test
  8. The available commands are:
  9.   get <reference>  Retrieves a value for <reference>
  11. Options:
  12.  -c,--conf    (optional string)  configuration file
  13.  -p,--prefix  (optional string)  override prefix directory
  14.  --v              verbose
  15.  --vv             debug

Declarative configuration

Secrets management is supported in decK 1.16 and later.

You can configure a vault backend with decK. For example:

  1. vaults:
  2. - config:
  3.     prefix: MY_SECRET_
  4.   description: ENV vault for secrets
  5.   name: env
  6.   prefix: my-env-vault

For more information on configuring vaults and using secret references in declarative configuration files, see Secret Management with decK.

Shared configuration parameters

Every vault supports the following configuration parameters:

ParameterUI field nameDescription
vaults.description optionalDescriptionAn optional description for your vault.
vaults.nameN/AThe type of vault. Accepts one of: env, gcp, aws, or hcv.
vaults.prefixPrefixThe reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://my-env-vault/<some-secret>}.