Environment Variables Vault
Storing secrets in environment variables is a common method, as they can be injected at build time.
Configuration via environment variables
Define a secret in a environment variable:
export MY_SECRET_VALUE=EXAMPLE_VALUE
You can now reference this secret:
{vault://env/my-secret-value}
You can also define a flat json
string if you want to store multiple secrets
in a single environment variable. Nested json
is not supported.
export PG_CREDS='{"username":"user", "password":"pass"}'
This allows you to reference the secrets separately:
{vault://env/pg-creds/username}
{vault://env/pg-creds/password}
When adding an environment variable with Helm, ensure that the variable being passed has
kong-
prepended to it.
Configuration via vaults entity
The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.
With the entity in place you can reference secrets like this:
{vault://my-env-vault/my-secret-value}
Vault configuration options
Use the following configuration options to configure the vaults entity through any of the supported tools:
- Admin API
- Declarative configuration
- Kong Manager
- Konnect
Configuration options for an environment variable vault in Kong Gateway:
Parameter | Field name | Description |
---|---|---|
vaults.config.prefix |
config-prefix (Kong Manager) Environment variable prefix (Konnect) |
The prefix for the environment variable that the value will be stored in. |
Common options:
Parameter | Field name | Description |
---|---|---|
vaults.description optional |
Description | An optional description for your vault. |
vaults.name |
Name | The type of vault. Accepts one of: env , gcp , aws , or hcv . Set env for the environment variable vault. |
vaults.prefix |
Prefix | The reference prefix. You need this prefix to access secrets stored in this vault. For example, {vault://my-env-vault/<some-secret>} . |