You are browsing documentation for an older version. See the latest documentation here.
AWS Secrets Manager
Configuration
AWS Secrets Manager can be configured in multiple ways. The current version of Kong Gateway implementation only supports configuring via environment variables.
export AWS_ACCESS_KEY_ID=<access_key_id>
export AWS_SECRET_ACCESS_KEY=<secrets_access_key>
export AWS_REGION=<aws-region>
Examples
For example, let’s use an AWS Secrets Manager Secret with the name my-secret-name
.
In this object, you have multiple key=value pairs.
{
"foo": "bar",
"snip": "snap",
}
Access these secrets from my-secret-name
like this:
{vault://aws/my-secret-name/foo}
{vault://aws/my-secret-name/snip}
Entity
The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.
API Endpoint update
If you’re using 2.8.2 or below, or have not set
vaults_use_new_style_api=on
inkong.conf
you will need to replace/vaults/
with/vaults-beta/
in the examples below.
Result:
{
"config": {
"region": "us-east-1"
},
"created_at": 1644942689,
"description": "Storing secrets in AWS Secrets Manager",
"id": "2911e119-ee1f-42af-a114-67061c3831e5",
"name": "aws",
"prefix": "my-aws-sm-vault",
"tags": null,
"updated_at": 1644942689
}
With the Vault entity in place, you can now reference the secrets. This allows you to drop the AWS_REGION
environment variable.
{vault://my-aws-sm-vault/my-secret-name/foo}
{vault://my-aws-sm-vault/my-secret-name/snip}
Advanced Examples
You can create multiple entities, which lets you have secrets in different regions:
curl -X PUT http://HOSTNAME:8001/vaults/aws-eu-central-vault -d name=aws -d config.region="eu-central-1"
curl -X PUT http://HOSTNAME:8001/vaults/aws-us-west-vault -d name=aws -d config.region="us-west-1"
This lets you source secrets from different regions:
{vault://aws-eu-central-vault/my-secret-name/foo}
{vault://aws-us-west-vault/my-secret-name/snip}