Skip to content
You are browsing the Kong Gateway documentation archive for version 2.8. This documentation is no longer actively maintained. Please see the latest Kong Gateway documentation.
|
Kong Gateway
2.8.x (latest) LTS
github-edit-pageEdit this page
report-issueReport an issue

HashiCorp Vault

Configuration

HashiCorp Vault can be configured with environment variables or with a Vault entity.

Environment variables

export KONG_VAULT_HCV_PROTOCOL=<protocol(http|https)>
export KONG_VAULT_HCV_HOST=<hostname>
export KONG_VAULT_HCV_PORT=<portnumber>
export KONG_VAULT_HCV_MOUNT=<mountpoint>
export KONG_VAULT_HCV_KV=<v1|v2>
export KONG_VAULT_HCV_TOKEN=<tokenstring>

You can also store this information in an entity.

Entity

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

API Endpoint update

If you’re using 2.8.2 or below, or have not set vaults_use_new_style_api=on in kong.conf you will need to replace /vaults/ with /vaults-beta/ in the examples below.

curl -i -X PUT http://HOSTNAME:8001/vaults/my-hashicorp-vault \
  --data name="hcv" \
  --data description="Storing secrets in HashiCorp Vault" \
  --data config.protocol="https" \
  --data config.host="localhost" \
  --data config.port="8200" \
  --data config.mount="secret" \
  --data config.kv="v2" \
  --data config.token="<mytoken>"

http -f PUT :8001/vaults/my-hashicorp-vault \
  name="hcv" \
  description="Storing secrets in HashiCorp Vault" \
  config.protocol="https" \
  config.host="localhost" \
  config.port="8200" \
  config.mount="secret" \
  config.kv="v2" \
  config.token="<mytoken>"

Result:

{
    "config": {
        "host": "localhost",
        "kv": "v2",
        "mount": "secret",
        "port": 8200,
        "protocol": "https",
        "token": "<mytoken>"
    },
    "created_at": 1645008893,
    "description": "Storing secrets in HashiCorp Vault",
    "id": "0b43d867-05db-4bed-8aed-0fccb6667837",
    "name": "hcv",
    "prefix": "my-hashicorp-vault",
    "tags": null,
    "updated_at": 1645008893
}

Examples

For example, a HashiCorp Vault with a path of secret/hello and a key=value pair of foo=world created like this:

vault kv put secret/hello foo=world

Key                Value
---                -----
created_time       2022-01-15T01:40:03.740833Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

Would make it secrets available by:

{vault://hcv/hello/foo}

Or if you configured an entity

{vault://my-hashicorp-vault/hello/foo}