Using environment variables with decK
When you use decK to apply configurations to Kong Gateway, decK reads data in plain text from a state file by default. To improve security, you can also store sensitive information, for example apiKey or client_secret, in environment variables. decK can then read data directly from the environment variables and apply it.
Create environment variables with the DECK_ prefix and reference them as ${{ env "DECK_*" }} in your state file.
For storing Kong Gateway secrets in environment variables, see Secrets Management with decK. The reference format for secrets is not the same as references for environment variables used by decK.
The following example demonstrates how to apply an API key stored in an environment variable. You can use this method for any sensitive content.
- Create an environment variable:

    export DECK_API_KEY={YOUR_API_KEY}

- Save the following snippet into a env-demo.yaml file:

    _format_version: "3.0"
    consumers:
    - keyauth_credentials:
      - key: ${{ env "DECK_API_KEY" }}
      username: demo
      id: 36718320-e67d-4162-8b50-aa685e06c64c
    plugins:
    - config:
        anonymous: null
        hide_credentials: false
        key_in_body: false
        key_in_header: true
        key_in_query: true
        key_names:
        - apikey
        run_on_preflight: true
      enabled: true
      name: key-auth
      protocols:
      - grpc
      - grpcs
      - http
      - https

  This snippet enables the key authentication plugin globally and creates a consumer named demo with an API key.

- Run the following command to sync this file:

    deck gateway sync env-demo.yaml

  The output should look something like this, where abc is the API key stored in the environment variable:

    creating consumer demo
    creating key-auth abc for consumer 36718320-e67d-4162-8b50-aa685e06c64c
    creating plugin key-auth (global)
    Summary:
      Created: 3
      Updated: 0
      Deleted: 0
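
A pre-flight check for the procedure above, added here as an example and not part of decK or the Kong documentation: it lists the ${{ env "..." }} references in a state file and confirms that each one has the DECK_ prefix and is exported with a non-empty value, printing names only. The function names deck_env_refs and deck_env_check are hypothetical, and the sample file is constructed from the consumer part of the snippet above.

```shell
#!/bin/sh
# Added example, not Kong's code: pre-flight check for decK env references.
# Reports variable names only; secret values are never printed.

# List each distinct NAME referenced as ${{ env "NAME" }} in a state file.
# Only names made of letters, digits and underscores are matched.
deck_env_refs() {
    grep -o '\${{ *env *"[A-Za-z0-9_]*" *}}' "$1" |
        sed 's/^[^"]*"//; s/".*$//' | sort -u
}

# Return 0 only if every referenced name has the DECK_ prefix and is exported
# with a non-empty value. printenv sees only exported variables, which is
# also all that a child process such as deck can see.
deck_env_check() {
    rc=0
    for name in $(deck_env_refs "$1"); do
        case "$name" in
            DECK_*) ;;
            *) echo "missing DECK_ prefix: $name" >&2; rc=1; continue ;;
        esac
        if [ -z "$(printenv "$name")" ]; then
            echo "not exported or empty: $name" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: the consumer part of env-demo.yaml from the page.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
_format_version: "3.0"
consumers:
- keyauth_credentials:
  - key: ${{ env "DECK_API_KEY" }}
  username: demo
  id: 36718320-e67d-4162-8b50-aa685e06c64c
EOF

if deck_env_check "$sample"; then
    echo "all references resolved; safe to run: deck gateway sync"
else
    echo "fix the variables listed above before syncing"
fi
```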