AWS Secrets Manager

AWS Secrets Manager can be configured in multiple ways.

To access secrets stored in the AWS Secrets Manager, Kong Gateway needs to be configured with an IAM Role that has sufficient permissions to read the required secret values.

Kong Gateway can automatically fetch IAM role credentials based on your AWS environment, observing the following precedence order:

  • Fetch from credentials defined in environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
  • Fetch from profile and credential file, defined by AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE.
  • Fetch from an ECS container credential provider.
  • Fetch from an EKS IAM roles for service account.
  • Fetch from EC2 IMDS metadata. Both v1 and v2 are supported

Kong Gateway also supports role assuming which allows you to use a different IAM role to fetch secrets from AWS Secrets Manager. This is a common practice in permission division and governance and cross-AWS account management.

You can customize the vault object by configuring a vaults entity in Kong Gateway.

AWS Secrets Manager configuration

To configure the vault backend with AWS Secrets Manager, you need to configure Kong Gateway to have the required IAM roles to access any relevant secrets.

For example, to use the secrets management with AWS environment variable credentials, configure the following environment variables on your Kong Gateway data plane:

  1. export AWS_ACCESS_KEY_ID=<access_key_id>
  2. export AWS_SECRET_ACCESS_KEY=<secrets_access_key>
  3. export AWS_SESSION_TOKEN=<token>
  4. export AWS_REGION=<aws-region>

The region used by default with references can also be specified with the following environment variable on your control plane:

  1. export KONG_VAULT_AWS_REGION=<aws-region>

Additionally, if you want to use assume_role, make sure you have the following environment variables on your Kong Gateway data plane:

  1. export KONG_VAULT_AWS_ASSUME_ROLE_ARN=<aws_iam_role_arn>
  2. export KONG_VAULT_AWS_ROLE_SESSION_NAME=<aws_assume_role_session_name>

The vault backend configuration field can also be configured in the kong.conf file. See Gateway Enterprise configuration reference.

Note: When using AWS Vault as a backend, make sure you have configured system as part of the lua_ssl_trusted_certificate configuration directive so that the SSL certificates used by the official AWS API can be trusted by Kong.

Examples

For example, an AWS Secrets Manager secret with the name secret-name may have multiple key=value pairs:

  1. {
  2. "foo": "bar",
  3. "snip": "snap"
  4. }

Access these secrets from secret-name like this:

  1. {vault://aws/secret-name/foo}
  2. {vault://aws/secret-name/snip}

If you have an AWS Secrets Manager secret with multiple versions, you can access the current version or any previous version of the secret by specifying a version in the reference.

In the following example, AWSCURRENT refers to the latest secret version and AWSPREVIOUS refers to an older version:

  1. # For AWSCURRENT, not specifying version
  2. {vault://aws/secret-name/foo}
  3. # For AWSCURRENT, specifying version == 1
  4. {vault://aws/secret-name/foo#1}
  5. # For AWSPREVIOUS, specifying version == 2
  6. {vault://aws/secret-name/foo#2}

Note: The slash symbol (/) is a valid character for the secret name in AWS SecretsManager. If you want to reference a secret name that starts with a slash or has two consecutive slashes, transform one of the slashes in the name into URL-encoded format. For example:

  • A secret named /secret/key should be referenced as {vault://aws/%2Fsecret/key}
  • A secret named secret/path//aaa/key should be referenced as {vault://aws/secret/path/%2Faaa/key}

Since Kong Gateway tries to resolve the secret reference as a valid URL, using a slash instead of a URL-encoded slash will result in unexpected secret name fetching.

Configuration via vaults entity

The vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the vaults entity.

Admin API

Declarative configuration

  1. curl -i -X PUT http://localhost:8001/vaults/aws-sm-vault \
  2. --data name=aws \
  3. --data description="Storing secrets in AWS Secrets Manager" \
  4. --data config.region="us-east-1"

Result:

  1. {
  2. "config": {
  3. "region": "us-east-1"
  4. },
  5. "created_at": 1644942689,
  6. "description": "Storing secrets in AWS Secrets Manager",
  7. "id": "2911e119-ee1f-42af-a114-67061c3831e5",
  8. "name": "aws",
  9. "prefix": "aws-sm-vault",
  10. "tags": null,
  11. "updated_at": 1644942689
  12. }

Secrets management support was added in decK 1.16.

Add the following snippet into your declarative configuration file:

  1. _format_version: "3.0"
  2. vaults:
  3. - config:
  4. region: us-east-1
  5. description: Storing secrets in AWS Secrets Manager
  6. name: aws
  7. prefix: aws-sm-vault

With the vault entity in place, you can now reference the secrets. This allows you to drop the AWS_REGION environment variable.

  1. {vault://aws-sm-vault/secret-name/foo}
  2. {vault://aws-sm-vault/secret-name/snip}

Secrets in different regions

You can create multiple entities, which lets you have secrets in different regions:

  1. curl -X PUT http://localhost:8001/vaults/aws-eu-central-vault -d name=aws -d config.region="eu-central-1"
  1. curl -X PUT http://localhost:8001/vaults/aws-us-west-vault -d name=aws -d config.region="us-west-1"

This lets you source secrets from different regions:

  1. {vault://aws-eu-central-vault/secret-name/foo}
  2. {vault://aws-us-west-vault/secret-name/snip}

Vault configuration options

Use the following configuration options to configure the vaults entity through any of the supported tools:

  • Admin API
  • Declarative configuration
  • Kong Manager
  • Konnect

Configuration options for an AWS Secrets Manager vault in Kong Gateway:

ParameterField nameDescription
vaults.config.regionAWS regionThe AWS region your vault is located in.
vaults.config.endpoint_urlAWS Secrets Manager Endpoint URLThe endpoint URL of the AWS Secrets Manager service. If not specified, the value used by vault will be the official AWS Secrets Manager service url which is https://secretsmanager.{region}.amazonaws.com. You can specify a complete URL(including the http/https scheme) to override the endpoint.
vaults.config.assume_role_arnAssume AWS IAM role ARNThe target IAM role ARN that will assume as the AWS Secrets Manager service. If specified, the vault backend will do additional role assuming based on your current runtime’s IAM Role. If you are not using assume role, do not specify this value.
vaults.config.role_session_nameRole Session NameThe role session name used for role assuming. The default value is KongVault.
vaults.config.sts_endpoint_urlAWS STS Endpoint URLThe custom STS endpoint URL used for the IAM assume role in AWS Vault. You can specify a complete URL, including the http/https scheme. This value will override the default STS endpoint URL, which should be https://sts.amazonaws.com, or https://sts.<region>.amazonaws.com if AWS_STS_REGIONAL_ENDPOINTS is set to regional(by default). If you are not using a private VPC endpoint for STS service, you should not specify this value.
vaults.config.ttlTTLTime-to-live (in seconds) of a secret from the vault when it’s cached. The special value of 0 means “no rotation” and it’s the default. When using non-zero values, it is recommended that they’re at least 1 minute.
vaults.config.neg_ttlNegative TTLTime-to-live (in seconds) of a vault miss (no secret). Negatively cached secrets will remain valid until neg_ttl is reached, after which Kong will attempt to refresh the secret again. The default value for neg_ttl is 0, meaning no negative caching occurs.
vaults.config.resurrect_ttlResurrect TTLTime (in seconds) for how long secrets will remain in use after they are expired ( using config.ttl as the stopping point). This is useful when a vault becomes unreachable, or when a secret is deleted from the vault and isn’t replaced immediately. In both cases, gateway will keep trying to refresh the secret for resurrect_ttl seconds. After that, it will stop trying to refresh. Assigning a sufficiently high value to this configuration option is recommended to ensure a seamless transition in case there are unexpected issues with the vault. The default value for resurrect_ttl is 1^e8 seconds, which is about 3 years.

Common options:

ParameterField nameDescription
vaults.description
optional
DescriptionAn optional description for your vault.
vaults.nameNameThe type of vault. Accepts one of: env, gcp, aws, or hcv. Set aws for AWS Secrets Manager.
vaults.prefixPrefixThe reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://aws-sm-vault/<some-secret>}.