AWS Secrets Manager
AWS Secrets Manager can be configured in multiple ways.
The current version of Kong Gateway’s implementation only supports
configuring AWS Secrets Manager via environment variables.
You can further customize the vault object by configuring a
vaults entity in Kong Gateway.
AWS Secrets Manager configuration
Configure the following environment variables on your Kong Gateway data plane:
The region used by default with references can also be specified with the
following environment variable on your control plane:
For example, an AWS Secrets Manager Secret with the name
secret-name may have multiple key=value pairs:
Access these secrets from
secret-name like this:
Configuration via vaults entity
The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.
With the Vault entity in place, you can now reference the secrets. This allows you to drop the
Secrets in different regions
You can create multiple entities, which lets you have secrets in different regions:
curl -X PUT http://HOSTNAME:8001/vaults/aws-eu-central-vault -d name=aws -d config.region="eu-central-1"
curl -X PUT http://HOSTNAME:8001/vaults/aws-us-west-vault -d name=aws -d config.region="us-west-1"
This lets you source secrets from different regions:
Vault configuration options
Use the following configuration options to configure the
vaults entity through
any of the supported tools:
- Admin API
- Declarative configuration
- Kong Manager
Configuration options for an AWS Secrets Manager vault in Kong Gateway:
||The AWS region your vault is located in.
||Time-to-live (in seconds) of a secret from the vault when it’s cached. The special value of 0 means “no rotation” and it’s the default. When using non-zero values, it is recommended that they’re at least 1 minute.
||Time-to-live (in seconds) of a vault miss (no secret). Negatively cached secrets will remain valid until
neg_ttl is reached, after which Kong will attempt to refresh the secret again. The default value for
neg_ttl is 0, meaning no negative caching occurs.
||Time (in seconds) for how long secrets will remain in use after they are expired (
config.ttl is over). This is useful when a vault becomes unreachable, or when a secret is deleted from the Vault and isn’t replaced immediately. On this both cases, the Gateway will keep trying to refresh the secret for
resurrect_ttl seconds. After that, it will stop trying to refresh. We recommend assigning a sufficiently high value to this configuration option to ensure a seamless transition in case there are unexpected issues with the Vault. The default value for
resurrect_ttl is 1e8 seconds, which is about 3 years.
||An optional description for your vault.
||The type of vault. Accepts one of:
aws for AWS Secrets Manager.
||The reference prefix. You need this prefix to access secrets stored in this vault. For example,