Configure the Konnect Config Store vault
- Use the Konnect API to create a Config Store using the /config-stores endpoint.
- Create a Konnect Vault using the /vaults/ endpoint.
- Store your secret as a key/value pair using the /secrets endpoint.
- Reference the secret using the Vault prefix and key (for example: {vault://mysecretvault/secret-key}).
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
- Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'
- Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:
export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
export KONNECT_PROXY_URL='http://localhost:8000'
Copy and paste these into your terminal to configure your session.
Configure a Konnect Config Store
Before you can configure a Konnect Vault, you must first create a Config Store using the Control Planes Configuration API by sending a POST request to the /config-stores endpoint:
curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/config-stores" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DECK_KONNECT_TOKEN" \
  --json '{
    "name": "my-config-store"
  }'
Export the Config Store ID in the response body as an environment variable so you can use it later:
export DECK_CONFIG_STORE_ID='CONFIG STORE ID'
Configure Konnect as your Vault
Enable Konnect as your vault with the Vault entity:
echo '
_format_version: "3.0"
vaults:
  - name: konnect
    prefix: mysecretvault
    description: Storing secrets in Konnect
    config:
      config_store_id: "${{ env "DECK_CONFIG_STORE_ID" }}"
' | deck gateway apply -
Store a secret in your Konnect Vault
By storing a secret in a Konnect Vault, you can reference it within kong.conf or in referenceable plugin fields without having to store any values in plain text.
Store your secret by sending a POST request to the /secrets endpoint:
curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/config-stores/$DECK_CONFIG_STORE_ID/secrets/" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DECK_KONNECT_TOKEN" \
  --json '{
    "key": "secret-key",
    "value": "my-secret-value"
  }'
Validate
You can validate that your secret was stored correctly by sending a GET request to the /secrets endpoint:
curl -X GET "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/config-stores/$DECK_CONFIG_STORE_ID/secrets/" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $DECK_KONNECT_TOKEN"
If your secret was successfully stored in Konnect, the endpoint should return a 201 status code and your secret-key key in the output.
You can now reference your Konnect secret in configurations as {vault://mysecretvault/secret-key}.
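The reference format above, as an added example that is not part of Kong's documentation or tooling: a POSIX shell check that finds every {vault://prefix/key} reference in a configuration file and flags any whose prefix is not the configured Vault prefix or whose key is not among the keys listed by the Validate step. The function names and the sample field names are hypothetical, and only the two-part prefix/key form shown on this page is interpreted.

```shell
#!/bin/sh
# Added example (not Kong tooling): audit {vault://prefix/key} references.

# Constructed sample input; the field names are placeholders, not Kong fields.
sample_config() {
  cat <<'EOF'
# constructed sample
token: "{vault://mysecretvault/secret-key}"
password: "{vault://mysecretvault/db-password}"
api_key: "{vault://mysecretvalt/secret-key}"
EOF
}

# Read text on stdin and print "LINE PREFIX KEY" for every vault reference.
list_vault_refs() {
  grep -noE '\{vault://[^}]*\}' |
    sed -E 's#^([0-9]+):\{vault://([^/}]*)/?([^}]*)\}$#\1 \2 \3#'
}

# Usage: check_vault_refs PREFIX "key1 key2 ..." < config
# Prints one line per bad reference; returns 1 if any were found, else 0.
check_vault_refs() {
  want_prefix=$1
  known_keys=" $2 "
  report=$(list_vault_refs | while read -r line prefix key; do
    if [ "$prefix" != "$want_prefix" ]; then
      echo "line $line: unknown vault prefix '$prefix'"
    elif [ -z "$key" ]; then
      echo "line $line: reference has no key"
    else
      case "$known_keys" in
        (*" $key "*) ;;
        (*) echo "line $line: key '$key' is not in the Config Store" ;;
      esac
    fi
  done)
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
}

# The key list stands in for the keys returned by the GET /secrets call.
sample_config | check_vault_refs mysecretvault "secret-key" ||
  echo "fix these references before running deck gateway apply"
```

Run it against your own file with `check_vault_refs mysecretvault "secret-key" < kong.yaml`, where kong.yaml is a placeholder file name.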
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.