You are browsing documentation for an outdated version. See the latest documentation here.
Using environment variables with decK
When you use decK to apply configurations to Kong Gateway,
decK reads data in plain text from a state file by default. To improve security, you
can also store sensitive information, for example apiKey or client_secret, in
environment variables. decK can then read data directly from the environment
variables and apply it.
Create environment variables with the DECK_ prefix and reference them as
${{ env "DECK_*" }} in your state file.
For storing Kong Gateway secrets in environment variables, see Secrets Management with decK. The reference format for secrets is not the same as references for environment variables used by decK.
The following example demonstrates how to apply an API key stored in an environment variable. You can use this method for any sensitive content.
-
Create an environment variable:
export DECK_API_KEY={YOUR_API_KEY} -
Save the following snippet into a
env-demo.yamlfile:_format_version: "3.0" consumers: - keyauth_credentials: - key: ${{ env "DECK_API_KEY" }} username: demo id: 36718320-e67d-4162-8b50-aa685e06c64c plugins: - config: anonymous: null hide_credentials: false key_in_body: false key_in_header: true key_in_query: true key_names: - apikey run_on_preflight: true enabled: true name: key-auth protocols: - grpc - grpcs - http - httpsThis snippet enables the key authentication plugin globally and creates a consumer named
demowith an API key. -
Run
deck sync -s env-demo.yamlto sync this file.The output should look something like this, where
abcis the API key stored in the environment variable:creating consumer demo creating key-auth abc for consumer 36718320-e67d-4162-8b50-aa685e06c64c creating plugin key-auth (global) Summary: Created: 3 Updated: 0 Deleted: 0