Configure AWS Secrets Manager as a vault backend
Set the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables, then start Kong Gateway with these environment variables. Create a Vault entity and add the required region parameter.
Prerequisites
AWS configuration
This tutorial requires at least one secret in AWS Secrets Manager. In this example, the secret is named my-aws-secret and contains a key/value pair in which the key is token.
You will also need the following authentication information to connect your AWS Secrets Manager with Kong Gateway Enterprise:
- Your access key ID
- Your secret access key
- Your session token
- Your AWS region, us-east-1 in this example
export AWS_ACCESS_KEY_ID='YOUR AWS ACCESS KEY ID'
export AWS_SECRET_ACCESS_KEY='YOUR AWS SECRET ACCESS KEY'
If you get an error stating "The security token included in the request is invalid", you need to set the AWS_SESSION_TOKEN environment variable.
Note that these variables need to be passed when creating your Data Plane container.
Alternative connection methods such as assume role and how to use an aws_session_token can be found on the AWS Secrets Manager page.
Configure the Vault entity
Using decK, create a Vault entity with the required parameters for AWS:
echo '
_format_version: "3.0"
vaults:
- name: aws
  prefix: aws-vault
  description: Storing secrets in AWS Secrets Manager
  config:
    region: us-east-1
' | deck gateway apply -
Validate
To validate that the secret was stored correctly in AWS, you can use the kong vault get command within the Data Plane container.
kong vault get {vault://aws-vault/my-aws-secret/token}
If the vault was configured correctly, this command should return the value of the secret. Then, you can use {vault://aws-vault/my-aws-secret/token} to reference the secret in any referenceable field.
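As an added illustration (not Kong's own code) of how a reference like the one above is resolved: the vault prefix selects the Vault entity, the next segment names the secret in AWS Secrets Manager, and the last segment picks one key out of the secret's JSON key/value payload. The in-memory secret store and the two-segment reference shape are assumptions made for this demo.

```python
"""Illustrative resolver for Kong-style vault references such as
{vault://aws-vault/my-aws-secret/token}. This is not Kong's own code."""
import json
from urllib.parse import urlparse

# Constructed stand-in for AWS Secrets Manager: secret name -> SecretString.
# Like the page's example, my-aws-secret holds a JSON object with key "token".
FAKE_SECRETS_MANAGER = {
    "my-aws-secret": json.dumps({"token": "s3cr3t-value"}),
    "plain-secret": "not-json-at-all",
}

# Vault prefixes declared in Kong (the decK file above declares "aws-vault").
CONFIGURED_VAULTS = {"aws-vault": {"region": "us-east-1"}}


def parse_reference(ref: str):
    """Split '{vault://<prefix>/<secret-name>[/<key>]}' into its three parts.

    Assumption for this demo: at most two path segments (name, then key)."""
    if not (ref.startswith("{vault://") and ref.endswith("}")):
        raise ValueError(f"not a vault reference: {ref!r}")
    parsed = urlparse(ref[1:-1])  # drop the braces, leaving vault://...
    prefix = parsed.netloc
    parts = [p for p in parsed.path.split("/") if p]
    if not prefix or len(parts) not in (1, 2):
        raise ValueError(f"expected {{vault://prefix/name[/key]}}, got {ref!r}")
    key = parts[1] if len(parts) == 2 else None
    return prefix, parts[0], key


def resolve_reference(ref: str, backend=FAKE_SECRETS_MANAGER):
    """Fetch the referenced secret and return the requested key's value."""
    prefix, secret_name, key = parse_reference(ref)
    if prefix not in CONFIGURED_VAULTS:
        raise LookupError(f"no Vault entity with prefix {prefix!r}")
    secret_string = backend.get(secret_name)
    if secret_string is None:
        raise LookupError(f"secret {secret_name!r} not found in Secrets Manager")
    if key is None:
        return secret_string  # no key: hand back the whole SecretString
    try:
        fields = json.loads(secret_string)
    except json.JSONDecodeError:
        raise LookupError(f"{secret_name!r} is not JSON; cannot select {key!r}")
    if not isinstance(fields, dict) or key not in fields:
        raise LookupError(f"key {key!r} not present in secret {secret_name!r}")
    return fields[key]
```

Calling resolve_reference("{vault://aws-vault/my-aws-secret/token}") returns the token value, while a reference with an undeclared prefix or a key the secret does not contain fails with LookupError rather than silently returning an empty value.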
Cleanup
Clean up AWS resources
If you created new AWS resources for this tutorial, make sure to delete them to avoid unnecessary charges.