Store the Kong Gateway database credentials with AWS Secrets Manager
Create a secret in AWS Secrets Manager with your PostgreSQL credentials, and start Kong Gateway with the required environment variables:
- AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and AWS_REGION to connect to AWS
- KONG_PG_USER and KONG_PG_PASSWORD, where the values are references to your AWS secret
Prerequisites
AWS configuration
This tutorial requires:
- An AWS subscription with access to AWS Secrets Manager and the following permissions:
secretsmanager:CreateSecret
secretsmanager:PutSecretValue
secretsmanager:GetSecretValue
- AWS CLI installed
You’ll also need the following authentication information to connect your AWS Secrets Manager with Kong Gateway:
- Your access key ID
- Your secret access key
- Your session token
- Your AWS region, us-east-1 in this example
For this example, you can get temporary credentials from the AWS portal.
Create environment variables to store these credentials:
export AWS_ACCESS_KEY_ID=your-aws-access-key-id
export AWS_SECRET_ACCESS_KEY=your-aws-secret-access-key
export AWS_SESSION_TOKEN=your-aws-session-token
export AWS_REGION="us-east-1"
Create a Docker network
First, create a Docker network:
docker network create kong-net
The Docker network will be used for communication between Kong Gateway and the database.
Run the database
Create the kong-database container for the PostgreSQL database:
docker run -d --name kong-database \
--network=kong-net \
-p 5432:5432 \
-e "POSTGRES_USER=admin" \
-e "POSTGRES_PASSWORD=password" \
postgres:9.6
The username and password specified in this command are the PostgreSQL master credentials.
Create environment variables
Define the username and password to use to connect Kong Gateway to the database and store them in environment variables:
export KONG_PG_USER=kong
export KONG_PG_PASSWORD=KongPassword
Create a database user
Create a user in the PostgreSQL container, using the credentials defined in the previous step:
docker exec -it kong-database psql -U admin -c \
"CREATE USER ${KONG_PG_USER} WITH PASSWORD '${KONG_PG_PASSWORD}'"
Create a database
Create a database named kong, with the user you created as the owner:
docker exec -it kong-database psql -U admin -c "CREATE DATABASE kong OWNER ${KONG_PG_USER};"
Create a secret in AWS Secrets Manager
Use the AWS CLI to create a new secret named kong-gateway-database containing the username and password you defined:
aws secretsmanager create-secret --name kong-gateway-database \
--description "Kong GW Database credentials" \
--secret-string '{"pg_user":"'${KONG_PG_USER}'","pg_password":"'${KONG_PG_PASSWORD}'"}'
Initialize the database
Use the kong migrations bootstrap command to initialize the database:
docker run --rm \
--network=kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-database" \
-e KONG_PG_USER \
-e KONG_PG_PASSWORD \
kong/kong-gateway:latest kong migrations bootstrap
Note: kong migrations does not support secrets management, so this step passes the database credentials with environment variables.
Start Kong Gateway
Create the Kong Gateway container with your AWS credentials and the vault references in the environment:
docker run -d --name kong-gateway \
--network=kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-database" \
-e AWS_ACCESS_KEY_ID \
-e AWS_SECRET_ACCESS_KEY \
-e AWS_REGION \
-e AWS_SESSION_TOKEN \
-e "KONG_PG_USER={vault://aws/kong-gateway-database/pg_user}" \
-e "KONG_PG_PASSWORD={vault://aws/kong-gateway-database/pg_password}" \
-e KONG_LICENSE_DATA \
kong/kong-gateway:latest
This command returns the ID of the Kong Gateway container.
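The two vault references above have the form {vault://aws/<secret-name>/<key>}: the secret name is the one created with aws secretsmanager create-secret, and the key selects a field of its JSON SecretString. The following added example (not Kong's own code) mimics that resolution against a constructed in-memory stand-in for Secrets Manager, and builds the --secret-string JSON with json.dumps so that quotes in a password are escaped, which the inline shell quoting in the create-secret command does not handle.

```python
"""Resolve Kong-style {vault://aws/<secret-name>/<key>} references (added example)."""
import json
import re
from typing import Callable, Dict

# Reference shape used by the tutorial: the last path segment is the JSON key,
# everything between "aws/" and that segment is the Secrets Manager secret name.
_REF = re.compile(r"^\{vault://aws/(?P<name>.+)/(?P<key>[^/}]+)\}$")


def build_secret_string(pg_user: str, pg_password: str) -> str:
    """JSON for --secret-string; json.dumps escapes quotes and backslashes safely."""
    return json.dumps({"pg_user": pg_user, "pg_password": pg_password})


def resolve_reference(reference: str, fetch_secret: Callable[[str], str]) -> str:
    """Return the value a vault reference points at.

    fetch_secret(name) must return the secret's SecretString. In production a
    boto3 wrapper fits, e.g.
      lambda n: boto3.client("secretsmanager").get_secret_value(SecretId=n)["SecretString"]
    """
    m = _REF.match(reference)
    if not m:
        raise ValueError(f"not an aws vault reference: {reference!r}")
    name, key = m.group("name"), m.group("key")
    raw = fetch_secret(name)
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {name!r} is not JSON; cannot select key {key!r}") from exc
    if key not in payload:
        raise KeyError(f"secret {name!r} has no field {key!r}; fields: {sorted(payload)}")
    return str(payload[key])


def resolve_env(env: Dict[str, str], fetch_secret: Callable[[str], str]) -> Dict[str, str]:
    """Replace every vault reference in an environment mapping; plain values pass through."""
    return {k: resolve_reference(v, fetch_secret) if v.startswith("{vault://") else v
            for k, v in env.items()}


# Constructed stand-in for Secrets Manager, keyed by secret name, holding the tutorial's secret.
FAKE_STORE = {"kong-gateway-database": build_secret_string("kong", "KongPassword")}


def demo() -> Dict[str, str]:
    env = {
        "KONG_PG_HOST": "kong-database",
        "KONG_PG_USER": "{vault://aws/kong-gateway-database/pg_user}",
        "KONG_PG_PASSWORD": "{vault://aws/kong-gateway-database/pg_password}",
    }
    return resolve_env(env, FAKE_STORE.__getitem__)


if __name__ == "__main__":
    print(demo())
```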
Validate
To verify that everything worked as expected, check the container status with this command:
docker container ls
If the kong-gateway container is running, that means it successfully connected to the database using the credentials in the vault.
Cleanup
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d