Configure AWS Secrets Manager as a vault backend

Uses: Kong Gateway decK

Deployment Platform:

Prerequisites

AWS configuration

This tutorial requires at least one secret in AWS Secrets Manager. In this example, the secret is named my-aws-secret and contains a key/value pair in which the key is token.

You will also need the following authentication information to connect your AWS Secrets Manager with Kong Gateway Enterprise:

Your access key ID
Your secret access key
Your session token
Your AWS region, us-east-1 in this example

export AWS_ACCESS_KEY_ID='YOUR AWS ACCESS KEY ID'
export AWS_SECRET_ACCESS_KEY='YOUR AWS SECRET ACCESS KEY'

Copied to clipboard!

If you get an error stating “The security token included in the request is invalid”, you need to set the AWS_SESSION_TOKEN environment variable.

Note that these variables need to be passed when creating your Data Plane container.

Alternative connection methods such as assume role and how to use an aws_session_token can be found on the AWS Secrets Manager page

Kong Konnect

This is a Konnect tutorial and requires a Konnect personal access token.

Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Export your token to an environment variable:
```
 export KONNECT_TOKEN='YOUR_KONNECT_PAT'
```
Copied to clipboard!

Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:

 curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN --deck-output

Copied to clipboard!

This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:

 export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
 export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='http://localhost:8000'

Copied to clipboard!

Copy and paste these into your terminal to configure your session.

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

Export your license to an environment variable:
```
 export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
```
Copied to clipboard!

Run the quickstart script:

curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA \
  -e AWS_ACCESS_KEY_ID \
  -e AWS_SECRET_ACCESS_KEY \
  -e AWS_SESSION_TOKEN

Copied to clipboard!

Once Kong Gateway is ready, you will see the following message:

 Kong Gateway Ready

decK

Configure the Vault entity

Using decK, create a Vault entity with the required parameters for AWS:

echo '
_format_version: "3.0"
vaults:
  - name: aws
    prefix: aws-vault
    description: Storing secrets in AWS Secrets Manager
    config:
      region: us-east-1
' | deck gateway apply -

      
        
      
    
Copied to clipboard!

Validate

To validate that the secret was stored correctly in AWS you can use the kong vault get command within the Data Plane container.

 kong vault get {vault://aws-vault/my-aws-secret/token}

Copied to clipboard!

If the vault was configured correctly, this command should return the value of the secret. Then, you can use {vault://aws-vault/my-aws-secret/token} to reference the secret in any referenceable field.

Cleanup

Clean up AWS resources

If you created new AWS resources for this tutorial, make sure to delete them to avoid unnecessary charges.

Clean up Konnect environment

Destroy the Kong Gateway container

FAQs

How do I rotate my secrets in AWS Secrets Manager and how does Kong Gateway pick up the new secret values?

My secret in AWS Secret Manager has a / backslash in the secret name. How do I reference this secret in Kong Gateway?

I have secrets stored in multiple AWS Secret Manager regions, how do I reference those secrets in Kong Gateway?

You can create multiple Vault entities, one per region with the config.region parameter. You’d then reference the secret by the name of the Vault:

{vault://aws-eu-central-vault/secret-name/foo}
{vault://aws-us-west-vault/secret-name/snip}

Copied to clipboard!

Next Steps

Review the Vaults entity