Skip to content
Kong Logo | Kong Docs Logo
search
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
      Kuma
      Open-source distributed control plane with a bundled Envoy Proxy integration
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Konnect
  • Home icon
  • Kong Konnect
  • Gateway Manager
  • Configuration
  • Secrets Management in Konnect
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Vaults interface in Konnect
  • Use cases
  • Supported vaults in Konnect
  • See also

Secrets Management in Konnect

Secrets management in Konnect allows you to store secrets in centralized vaults, making it easier to manage security and governance policies.

Secrets can be part of the core gateway configuration, or part of gateway configuration associated with APIs serviced by the gateway. The most common types of secrets include:

  • Certificates
  • API keys
  • Personal access tokens
  • Credentials for databases
  • Certain plugin fields, like session_secret in the OIDC plugin

You can use vaults to safely store and retrieve secrets used in Kong Gateway deployments, improving the fundamental security of your applications. In the configuration, you can reference the secrets stored in vaults as variables instead of displaying the actual value of the secret in plaintext. This way, the Konnect platform never stores sensitive credentials.

Vaults interface in Konnect

Vaults interface

Figure 1: Overview page for all vaults configured for a control plane.

Number Item Description
1 Vaults menu link Main link to the vaults configuration for a control plane. Appears when you select a control plane.
2 New Vault Click the New Vault button to set up any supported Konnect vault backend.
3 Vault entry Select a vault entry to open the configuration page for the particular vault. On each vault’s configuration page, you can edit or delete the vault, or copy the entire configuration as JSON.
4 Vault action menu From this menu, you can view, edit, or delete a vault’s configuration.

Use cases

Vaults have several use cases:

  • Storing secrets securely
  • Managing access to secrets with fine-grained policies
  • Applying internal security policies
  • Automating secret rotation without restarting the gateway
  • Auditing secrets usage
  • Encryption of secrets at rest

Konnect does not:

  • Store credentials to access the vault itself. You must provide those credentials to the Kong Gateway data plane directly.
  • Update or modify the secrets in 3rd party vaults.

Vaults are configurable per control plane. You can’t use the same vault across multiple control planes.

Supported vaults in Konnect

Konnect supports the following vault backends:

  • AWS Secrets Manager
  • HashiCorp Vault
  • GCP Secret Manager
  • Azure Key Vault
  • Environment variables

You can manage all of these vaults through the Gateway Manager or with decK.

See also

Check out the example use case for storing certificates in a vault.

For detailed vault configuration references and guides, see the Kong Gateway documentation:

  • AWS Secrets Manager
  • GCP Secrets Manager
  • HashiCorp Vault
  • Azure Key Vault
  • Environment variables
Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Gateway Enterprise Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2023