PermalinkReference Format
We use the URL syntax to describe references to a secret store.
{vault://<vault-backend|entity>/<secret-id>[/<secret-key][/][?query][#version]}
PermalinkProtocol/Scheme
{vault://<vault-backend|entity>/<secret-id>[/<secret-key]}
^^^^^
The vault in the URL is used as an identifier for Kong. We use this to reference a vault.
PermalinkHost/Path
{vault://<vault-prefix>/<secret-id>[/<secret-key]}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The host and path of the URL defines the following:
PermalinkVault Prefix
The prefix for a vault can be either the name of the backend or the name of vault entity that you created.
Examples:
{vault://env/<secret-id>[/<secret-key]}
^^^
or using a vault entity
{vault://my-env-vault/<secret-id>[/<secret-key]}
^^^^^^^^^^^^
PermalinkSecret ID
The secret-id is used as an identifier for a secret stored in a vault. The vault
may return either a string value (a single secret) or multiple related secrets
like username and password as a secret object.
PermalinkSecret Key
The secret-key is used to identify the secret within the secret-id object.
If secret key ends with
/, then it is not considered as a Secret Key but as a part of Secret Id. The difference between Secret Key and Secret Id is that only the Secret Id is sent to vault API, and the Secret Key is only used when processing
PermalinkQuery
Query arguments are used to denote configuration options in a key=value format to the Vault Prefix
PermalinkVersion
{vault://<vault-backend|entity>/<secret-id>[/<secret-key][/][?query][#version]}
^^^^^^^^
The version, specified as the fragment of the Vault URL, identifies the version number of the secret stored in a vault backend. Applies to any vault backend that supports versioning.