Secrets Management in Konnect

Secrets management in Konnect allows you to store secrets in centralized vaults, making it easier to manage security and governance policies.

Secrets can be part of the core gateway configuration, or part of gateway configuration associated with APIs serviced by the gateway. The most common types of secrets include:

  • Certificates
  • API keys
  • Personal access tokens
  • Credentials for databases
  • Certain plugin fields, like session_secret in the OIDC plugin

You can use vaults to safely store and retrieve secrets used in Kong Gateway deployments, improving the fundamental security of your applications. In the configuration, you can reference the secrets stored in vaults as variables instead of displaying the actual value of the secret in plaintext. This way, the Konnect platform never stores sensitive credentials.

Vaults interface in Konnect

Figure 1: Overview page for all vaults configured for a runtime group.

Number | Item              | Description
-------|-------------------|------------------------------------------------------------------
1      | Vaults menu link  | Main link to the vaults configuration for a runtime group. Appears when you select a runtime group.
2      | Add vault         | Click the Add vault button to set up any supported Konnect vault backend.
3      | Vault entry       | Select a vault entry to open the configuration page for the particular vault. On each vault's configuration page, you can edit or delete the vault, or copy the entire configuration as JSON.
4      | Vault ID          | The vault's UUID.
5      | Vault action menu | From this menu, you can view, edit, or delete a vault's configuration.

Use cases

Vaults have several use cases:

  • Storing secrets securely
  • Managing access to secrets with fine-grained policies
  • Applying internal security policies
  • Automating secret rotation
  • Auditing secrets usage
  • Encryption of secrets at rest

Konnect does not:

  • Store credentials to access the vault itself. You must provide those credentials to the Kong Gateway data plane directly.
  • Update or modify the secrets in third-party vaults.

Vaults are configurable per runtime group. You can’t use the same vault across multiple runtime groups.

Supported vaults in Konnect

Konnect supports the following vault backends:

  • AWS Secrets Manager
  • HashiCorp Vault
  • GCP Secret Manager
  • Environment variables

You can manage all of these vaults through the Runtime Manager or with decK.
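The following is an added example, not code from the Kong documentation: a small audit script in the spirit of the "reference secrets as variables instead of plaintext" rule above. It runs over a constructed decK-style declarative config, flags sensitive plugin fields that still hold a literal value, flags references to a vault prefix that is neither declared nor one of Kong Gateway's built-in prefixes (env, aws, gcp, hcv), and shows which environment variable an env-vault reference resolves to. The vault entity shape (name, prefix, config) and the list of fields treated as sensitive are assumptions for this check.

```python
import json
import re

# Kong Gateway secret reference syntax: {vault://<vault-prefix>/<secret-name>}
VAULT_REF = re.compile(r"^\{vault://([A-Za-z0-9_-]+)/([^}/]+)\}$")
# Prefixes Kong Gateway resolves without a declared vault entity.
BUILTIN_PREFIXES = {"env", "aws", "gcp", "hcv"}
# Plugin config fields treated as secrets by this check (assumed list; extend as needed).
SENSITIVE_FIELDS = {"session_secret", "client_secret", "secret", "password"}

# Constructed decK-style declarative config (sample data, not taken from the Kong docs):
# one env vault, one correct reference, one leaked literal, one dangling reference.
SAMPLE_CONFIG = json.dumps({
    "_format_version": "3.0",
    "vaults": [
        {"name": "env", "prefix": "my-env-vault", "config": {"prefix": "KONG_SECRET_"}},
    ],
    "plugins": [
        {"name": "openid-connect",
         "config": {"session_secret": "{vault://my-env-vault/session-secret}"}},
        {"name": "openid-connect",
         "config": {"client_secret": "hunter2"}},
        {"name": "session",
         "config": {"secret": "{vault://aws-prod/session-secret}"}},
    ],
})


def audit_config(raw):
    """Return findings for sensitive plugin fields holding literals or dangling vault references."""
    cfg = json.loads(raw)
    declared = {v["prefix"] for v in cfg.get("vaults", [])} | BUILTIN_PREFIXES
    findings = []
    for plugin in cfg.get("plugins", []):
        for field, value in plugin.get("config", {}).items():
            if field not in SENSITIVE_FIELDS or not isinstance(value, str):
                continue
            m = VAULT_REF.match(value)
            if m is None:
                findings.append(f"{plugin['name']}.{field}: literal value, expected a {{vault://...}} reference")
            elif m.group(1) not in declared:
                findings.append(f"{plugin['name']}.{field}: unknown vault prefix '{m.group(1)}'")
    return findings


def env_var_name(reference, raw):
    """Map an env-vault reference to the variable name the data plane reads (configured prefix + name, upper-cased)."""
    m = VAULT_REF.match(reference)
    vaults = json.loads(raw).get("vaults", [])
    prefix = next(v["config"].get("prefix", "") for v in vaults if v["prefix"] == m.group(1))
    return (prefix + m.group(2)).upper().replace("-", "_")
```

Because Konnect never stores the vault's own access credentials, a finding from this check points at a value that would otherwise land in the Konnect configuration in plaintext; the env-variable name is what must be present on the data plane host for the reference to resolve.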

See also

Check out the example use case for storing certificates in a vault.

For detailed vault configuration references and guides, see the Kong Gateway documentation:

  • AWS Secrets Manager
  • GCP Secret Manager
  • HashiCorp Vault
  • Environment variables