Skip to content
2023 API Summit Hackathon: Experiment with AI for APIs (August 28 - September 27) Learn More →
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • API Specs
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Gateway
3.1.x
  • Home icon
  • Kong Gateway
  • Kong Enterprise
  • Secrets Management
  • Advanced Secrets Configuration
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 3.4.x (latest)
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • Archive (pre-2.6)
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Query arguments
  • Environment variables
  • Vaults entity
  • Vaults CLI
  • Declarative configuration
  • Shared configuration parameters
You are browsing documentation for an outdated version. See the latest documentation here.

Advanced Secrets Configuration

Vault implementations offer a variety of advanced configuration options. For specific configuration parameters for your vault backend, see the backend reference.

Query arguments

You can configure your vault backend with query arguments.

For example, the following query uses an option called prefix with the value SECURE_:

{vault://env/secret-config-value?prefix=SECURE_}

For more information on available configuration options, refer to respective vault backend documentation.

Environment variables

You can configure your vault backend with KONG_VAULT_<vault-backend>_<config_opt> environment variables.

For example, Kong Gateway might look for an environment variable that matches KONG_VAULT_ENV_PREFIX:

export KONG_VAULT_ENV_PREFIX=SECURE_

Vaults entity

You can configure your vault backend using the vaults entity.

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

Create a Vault entity:

curl -i -X PUT http://HOSTNAME:8001/vaults/env-vault-1  \
  --data name=env \
  --data description='ENV vault for secrets' \
  --data config.prefix=SECRET_

Result:

{
    "config": {
        "prefix": "SECRET_"
    },
    "created_at": 1644929952,
    "description": "ENV vault for secrets",
    "id": "684ff5ea-7f65-4377-913b-880857f39251",
    "name": "env",
    "prefix": "env-vault-1",
    "tags": null,
    "updated_at": 1644929952
}

Config options depend on the associated backend used.

This lets you drop the configuration from environment variables and query arguments and use the entity name in the reference:

{vault://env-vault/secret-config-value}

Vaults CLI

Usage: kong vault COMMAND [OPTIONS]

Vault utilities for Kong Gateway.

Example usage:
 TEST=hello kong vault get env/test

The available commands are:
  get <reference>  Retrieves a value for <reference>

Options:
 -c,--conf    (optional string)  configuration file
 -p,--prefix  (optional string)  override prefix directory
 --v              verbose
 --vv             debug

Declarative configuration

Secrets management is supported in decK 1.16 and later.

You can configure a vault backend with decK. For example:

vaults:
- config:
    prefix: SECRET_
  description: ENV vault for secrets
  name: env
  prefix: env-vault

For more information on configuring vaults and using secret references in declarative configuration files, see Secret Management with decK.

Shared configuration parameters

Every vault supports the following configuration parameters:

Parameter UI field name Description
vaults.description optional Description An optional description for your vault.
vaults.name N/A The type of vault. Accepts one of: env, gcp, aws, or hcv.
vaults.prefix Prefix The reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://env-vault/<some-secret>}.

Most of the vaults also support secret rotation by using TTLs:

Parameter Field name Description
vaults.config.ttl TTL Time-to-live (in seconds) of a secret from the vault when it’s cached. The special value of 0 means “no rotation” and it’s the default. When using non-zero values, it is recommended that they’re at least 1 minute.
vaults.config.neg_ttl Negative TTL Time-to-live (in seconds) of a vault miss (no secret). Negatively cached secrets will remain valid until neg_ttl is reached. After this, Kong will attempt to refresh the secret again. The default value for neg_ttl is 0, which means no negative caching occurs.
vaults.config.resurrect_ttl Resurrect TTL Time (in seconds) for how long secrets will remain in use after they are expired (config.ttl is over). This is useful when a vault becomes unreachable, or when a secret is deleted from the Vault and isn’t replaced immediately. On this both cases, the Gateway will keep trying to refresh the secret for resurrect_ttl seconds. After that, it will stop trying to refresh. We recommend assigning a sufficiently high value to this configuration option to ensure a seamless transition in case there are unexpected issues with the Vault. The default value for resurrect_ttl is 1e8 seconds, which is about 3 years.
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023