Edit this page
Report an issueSecrets Management in Konnect
Secrets management in Konnect allows you to store secrets in centralized vaults, making it easier to manage security and governance policies.
Secrets can be part of the core gateway configuration, or part of gateway configuration associated with APIs serviced by the gateway. The most common types of secrets include:
- Certificates
- API keys
- Personal access tokens
- Credentials for databases
- Certain plugin fields, like
session_secretin the OIDC plugin
You can use vaults to safely store and retrieve secrets used in Kong Gateway deployments, improving the fundamental security of your applications. In the configuration, you can reference the secrets stored in vaults as variables instead of displaying the actual value of the secret in plaintext. This way, the Konnect platform never stores sensitive credentials.
Vaults interface in Konnect
Figure 1: Overview page for all vaults configured for a control plane.
| Number | Item | Description |
|---|---|---|
| 1 | Vaults menu link | Main link to the vaults configuration for a control plane. Appears when you select a control plane. |
| 2 | New Vault | Click the New Vault button to set up any supported Konnect vault backend. |
| 3 | Vault entry | Select a vault entry to open the configuration page for the particular vault. On each vault’s configuration page, you can edit or delete the vault, or copy the entire configuration as JSON. |
| 4 | Vault action menu | From this menu, you can view, edit, or delete a vault’s configuration. |
Use cases
Vaults have several use cases:
- Storing secrets securely
- Managing access to secrets with fine-grained policies
- Applying internal security policies
- Automating secret rotation without restarting the gateway
- Auditing secrets usage
- Encryption of secrets at rest
Konnect does not:
- Update or modify the secrets in 3rd party vaults.
Vaults are configurable per control plane. You can’t use the same vault across multiple control planes.
Supported vaults in Konnect
Konnect supports the following vault backends:
- Konnect Config Store
- AWS Secrets Manager
- HashiCorp Vault
- GCP Secret Manager
- Azure Key Vault
- Environment variables
You can manage all of these vaults through the Gateway Manager or with decK.
See also
Check out the example use case for storing certificates in a vault.
For detailed vault configuration references and guides, see the Kong Gateway documentation:
