Kong Gateway
3.1.x
You are browsing documentation for an outdated version. See the latest documentation here.

Environment Variables Vault

Storing secrets in environment variables is a common method, as they can be injected at build time.

Configuration via environment variables

Define a secret in an environment variable:

export MY_SECRET_VALUE=EXAMPLE_VALUE

You can now reference this secret:

{vault://env/my-secret-value}

You can also define a flat JSON string if you want to store multiple secrets in a single environment variable. Nested JSON is not supported.

export PG_CREDS='{"username":"user", "password":"pass"}'

This allows you to reference the secrets separately:

{vault://env/pg-creds/username}
{vault://env/pg-creds/password}

When adding an environment variable with Helm, ensure that the variable being passed has kong- appended to it.

Configuration via vaults entity

The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.

Admin API

cURL:

curl -i -X PUT http://HOSTNAME:8001/vaults/my-env-vault \
  --data name=env \
  --data description="Store secrets in environment variables"

HTTPie:

http -f PUT :8001/vaults/my-env-vault \
  name="env" \
  description="Store secrets in environment variables"

Result:

{
    "config": {
        "prefix": null
    },
    "created_at": 1644942689,
    "description": "Store secrets in environment variables",
    "id": "2911e119-ee1f-42af-a114-67061c3831e5",
    "name": "env",
    "prefix": "my-env-vault",
    "tags": null,
    "updated_at": 1644942689
}

Declarative configuration

Secrets management is supported in decK 1.16 and later.

Add the following snippet to your declarative configuration file:

_format_version: "3.0"
vaults:
- config:
    prefix: null
  description: Store secrets in environment variables
  name: env
  prefix: my-env-vault

With the entity in place you can reference secrets like this:

{vault://my-env-vault/my-secret-value}
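
A pre-deployment check for the references described above, as an added example that is not part of the Kong documentation or Kong's own code: it scans configuration text for {vault://...} references and reports variables that are unset, not valid JSON, or nested, without returning any secret value. The function names and sample values are constructed for illustration, and the example assumes that config.prefix is prepended to the variable name before dashes become underscores and the name is uppercased.

```python
import json
import re

# Reference syntax from this page: {vault://<vault-prefix>/<name>[/<key>]}
REF = re.compile(r"\{vault://([^/}]+)/([^/}]+)(?:/([^/}]+))?\}")


def env_name(secret, var_prefix=None):
    """my-secret-value -> MY_SECRET_VALUE (config.prefix assumed to be prepended)."""
    return ((var_prefix or "") + secret).replace("-", "_").upper()


def check_key(name, raw, key):
    """Check that raw is a flat JSON object containing key; return a problem or None."""
    try:
        obj = json.loads(raw)
    except ValueError:
        return f"{name} is not valid JSON"
    if not isinstance(obj, dict) or key not in obj:
        return f"{name} has no key {key!r}"
    if isinstance(obj[key], (dict, list)):
        return f"{name}[{key!r}] is nested JSON, which is not supported"
    return None


def check_references(text, environ, vaults=None):
    """Return [(reference, problem)]; problem is None when the reference resolves."""
    # vaults maps a Vault entity prefix to its config.prefix; values are never echoed.
    known = {"env": None, **(vaults or {})}
    results = []
    for m in REF.finditer(text):
        vault, secret, key = m.groups()
        if vault not in known:
            problem = "not declared as an env vault"
        else:
            name = env_name(secret, known[vault])
            raw = environ.get(name)
            if raw is None:
                problem = f"{name} is not set"
            else:
                problem = check_key(name, raw, key) if key else None
        results.append((m.group(0), problem))
    return results


if __name__ == "__main__":
    env = {"PG_CREDS": '{"username":"user", "password":"pass"}'}  # constructed sample
    cfg = "{vault://env/pg-creds/username} {vault://env/pg-creds/port}"
    print(check_references(cfg, env))
```

In a pipeline, pass os.environ and the contents of the declarative configuration file, and fail the job when any problem is not None.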

Vault configuration options

Use the following configuration options to configure the vaults entity through any of the supported tools:

  • Admin API
  • Declarative configuration
  • Kong Manager
  • Konnect

Configuration options for an environment variable vault in Kong Gateway:

| Parameter | Field name | Description |
|---|---|---|
| vaults.config.prefix | config-prefix (Kong Manager); Environment variable prefix (Konnect) | The prefix for the environment variable that the value will be stored in. |

Common options:

| Parameter | Field name | Description |
|---|---|---|
| vaults.description (optional) | Description | An optional description for your vault. |
| vaults.name | Name | The type of vault. Accepts one of: env, gcp, aws, or hcv. Set env for the environment variable vault. |
| vaults.prefix | Prefix | The reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://my-env-vault/<some-secret>}. |