Using environment variables with decK
When you use decK to apply configurations to Kong Gateway,
decK reads data in plain text from a state file by default. To improve security, you
can also store sensitive information, for example apiKey
or client_secret
, in
environment variables. decK can then read data directly from the environment
variables and apply it.
Create environment variables with the DECK_
prefix and reference them as
${{ env "DECK_*" }}
in your state file.
The following example demonstrates how to apply an apiKey stored in an environment variable. You can use this method for any sensitive content.
- Create an environment variable:
export DECK_API_KEY=
{API_KEY} -
Save the following snippet into a
env-demo.yaml
file:_format_version: "1.1" consumers: - keyauth_credentials: - key: ${{ env "DECK_API_KEY" }} username: demo id: 36718320-e67d-4162-8b50-aa685e06c64c plugins: - config: anonymous: null hide_credentials: false key_in_body: false key_in_header: true key_in_query: true key_names: - apikey run_on_preflight: true enabled: true name: key-auth protocols: - grpc - grpcs - http - https
This snippet enables the key authentication plugin globally and creates a consumer named
demo
with an apiKey. -
Run
deck sync -s env-demo.yaml
to sync this file.The output should look something like this, where
abc
is the apiKey stored in the environment variable:creating consumer demo creating key-auth abc for consumer 36718320-e67d-4162-8b50-aa685e06c64c creating plugin key-auth (global) Summary: Created: 3 Updated: 0 Deleted: 0