Configure AWS Secrets Manager as a vault backend

Uses: Kong Gateway decK
Minimum version: Kong Gateway 3.4
TL;DR

Set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables and start Kong Gateway with them, then create a Vault entity that includes the required region parameter.

Prerequisites

This tutorial requires at least one secret in AWS Secrets Manager. In this example, the secret is named my-aws-secret and contains a key/value pair in which the key is token.

You will also need the following authentication information to connect your AWS Secrets Manager with Kong Gateway Enterprise:

  • Your access key ID
  • Your secret access key
  • Your session token
  • Your AWS region, us-east-1 in this example
export AWS_ACCESS_KEY_ID='YOUR AWS ACCESS KEY ID'
export AWS_SECRET_ACCESS_KEY='YOUR AWS SECRET ACCESS KEY'

If you get an error stating “The security token included in the request is invalid”, you need to set the AWS_SESSION_TOKEN environment variable.

Note that these variables need to be passed when creating your Data Plane container.

Alternative connection methods, such as assuming a role or using an AWS session token, are described on the AWS Secrets Manager page.

Configure the Vault entity

Using decK, create a Vault entity with the required parameters for AWS:

echo '
_format_version: "3.0"
vaults:
  - name: aws
    prefix: aws-vault
    description: Storing secrets in AWS Secrets Manager
    config:
      region: us-east-1
' | deck gateway apply -

Validate

To validate that the secret was stored correctly in AWS and can be resolved by Kong Gateway, run the kong vault get command inside the Data Plane container:

kong vault get {vault://aws-vault/my-aws-secret/token}

If the vault was configured correctly, this command should return the value of the secret. Then, you can use {vault://aws-vault/my-aws-secret/token} to reference the secret in any referenceable field.
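As an added example (not part of the Kong docs or of decK itself), the following Python lint checks a decK-style configuration before it is applied: every vault reference must have the {vault://prefix/secret/key} shape used above and point at a declared vault prefix, and every aws vault must carry the required region. The SAMPLE_CONFIG and the example-plugin field api_token are constructed for illustration.

```python
import re

# Reference syntax from the tutorial: {vault://<prefix>/<secret-name>/<key>}.
# Assumption: the trailing /<key> is optional and names are free of "/", "{", "}".
VAULT_REF = re.compile(r"^\{vault://([A-Za-z0-9_-]+)/([^/{}]+)(?:/([^/{}]+))?\}$")


def parse_vault_reference(value):
    """Return (prefix, secret, key) for a vault reference, or None if not one."""
    m = VAULT_REF.match(value)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def check_references(config):
    """Lint a decK-style config dict; return a list of human-readable problems."""
    problems, prefixes = [], set()
    for vault in config.get("vaults", []):
        prefixes.add(vault["prefix"])
        if vault.get("name") == "aws" and not vault.get("config", {}).get("region"):
            problems.append(f"vault {vault['prefix']}: aws vault is missing config.region")

    def walk(node, path):  # recurse through nested dicts/lists looking for references
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}")
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and node.startswith("{vault://"):
            parsed = parse_vault_reference(node)
            if parsed is None:
                problems.append(f"{path}: malformed vault reference {node}")
            elif parsed[0] not in prefixes:
                problems.append(f"{path}: undeclared vault prefix {parsed[0]}")

    for key in ("services", "routes", "plugins", "consumers"):
        walk(config.get(key, []), key)
    return problems


# Constructed sample: the page's vault declaration plus two hypothetical plugin
# entries; the second one references a prefix that is never declared.
SAMPLE_CONFIG = {
    "_format_version": "3.0",
    "vaults": [{"name": "aws", "prefix": "aws-vault",
                "description": "Storing secrets in AWS Secrets Manager",
                "config": {"region": "us-east-1"}}],
    "plugins": [
        {"name": "example-plugin", "config": {"api_token": "{vault://aws-vault/my-aws-secret/token}"}},
        {"name": "example-plugin", "config": {"api_token": "{vault://other-vault/my-aws-secret/token}"}},
    ],
}

if __name__ == "__main__":
    for problem in check_references(SAMPLE_CONFIG):
        print(problem)
```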

Cleanup

If you created new AWS resources for this tutorial, make sure to delete them to avoid unnecessary charges.
