Set Up and Use a Vault in Konnect

The following example shows you how to replace certificates used in Kong Gateway runtime instances with a reference. You can do the same thing with any supported fields. This is the most basic form of secrets management.

Set up a vault

First, define your environment variables.

Open the Vaults page in Konnect:

  1. From the navigation menu, open runtimes icon Runtime Manager.
  2. Select a runtime group.
  3. From the expanded runtime group menu, open Vaults.

Set up a new vault. For this example, we’re going to use the environment variable vault.

  1. Click Add vault.
  2. Choose a vault type.
  3. Enter an environment variable prefix. This will be the prefix that the vault uses to recognize relevant values on the data plane.

    For this example, you can use MY_SECRET.

  4. Set a prefix that you want to use in references.

    For this example, use my-secret.

  5. Optionally, add a description for the vault, and tag it.

    Setting tags is optional, but recommended. If you want to manage your vault configuration declaratively, tagging your vaults and managing subsets of configuration with tags lets you protect your vaults from accidental change or deletion. See the declarative configuration guide for vaults for more information and best practices.

  6. Save the vault configuration.

Define a reference

Now that you have your environment variables set up, you can define references for them. This next step has to be configured on the runtime instance.

For each runtime instance that needs to use this vault, define an environment variable key and assign a secret to it.

export MY_SECRET_CERT="<cert data>"
export MY_SECRET_KEY="<key data>"

Restart the runtime instance to load the values.

Next, set up references to these environment variables in URL format so Kong Gateway can recognize these secrets.

In this case, the references would look like this:

{vault://env/my-secret-cert}
{vault://env/my-secret-key}
  • vault is a scheme that indicates that the value is a secret.
  • env defines the backend because you’re storing the secret in an environment variable.
  • my-secret-cert and my-secret-key correspond to the environment variables MY_SECRET_CERT and MY_SECRET_KEY that you defined earlier.

Use the reference in configuration

Now, you can reference the secrets in proxy configuration.

Set up a cert and key using these references:

  1. From your runtime group side menu, open Certificates.
  2. Click Add certificate.
  3. In the Cert field, paste {vault://env/my-secret-cert}.
  4. In the Key field, paste {vault://env/my-secret-key}.
  5. Save to see your certificate added to the list.

The Konnect control plane can now access the certificates on the runtime instances using the references you provided.
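The procedure above hinges on one mapping: the env backend turns the name inside a {vault://env/...} reference into an environment variable name, so my-secret-cert resolves to MY_SECRET_CERT. The POSIX shell script below is an added example, not Kong's code, that reproduces that mapping on the data plane side so you can check what a reference will resolve to before saving it in Konnect. It assumes the upper-casing and dash-to-underscore rule that the page's own names illustrate, uses constructed placeholder certificate and key bodies in place of real data, and rejects names that are not plain variable names so that nothing attacker-controlled reaches eval. It also shows the most common failure mode: a reference to a variable that the runtime instance has not loaded because it was never exported or the instance was not restarted.

```shell
#!/bin/sh
# Added example (not Kong's code): resolve {vault://env/<name>} references the
# way the page describes, where "my-secret-cert" maps to MY_SECRET_CERT
# (assumed rule: upper-case the name and turn dashes into underscores).

# Constructed sample values standing in for the "<cert data>" and "<key data>"
# placeholders on the page; they are not real key material.
export MY_SECRET_CERT="-----BEGIN CERTIFICATE-----
constructed-sample-certificate-body
-----END CERTIFICATE-----"
export MY_SECRET_KEY="-----BEGIN PRIVATE KEY-----
constructed-sample-key-body
-----END PRIVATE KEY-----"

# reference_to_env_name '{vault://env/my-secret-cert}' prints MY_SECRET_CERT.
# Returns 1 (printing nothing) for references to other backends or for names
# that could not be valid environment variable names.
reference_to_env_name() {
  ref=$1
  pfx='{vault://env/'
  sfx='}'
  case "$ref" in
    "$pfx"*"$sfx") ;;
    *) echo "not an env vault reference: $ref" >&2; return 1 ;;
  esac
  name=${ref#"$pfx"}
  name=${name%"$sfx"}
  # Only letters, digits, underscore and dash map to a variable name; anything
  # else (spaces, $, parentheses, ...) is rejected before it can reach eval.
  case "$name" in
    ""|*[!A-Za-z0-9_-]*) echo "invalid secret name in reference: $ref" >&2; return 1 ;;
  esac
  printf '%s\n' "$name" | tr 'a-z' 'A-Z' | tr '-' '_'
}

# resolve_env_reference '{vault://env/my-secret-cert}' prints the secret value
# from the environment, exactly as a data plane would see it. Returns 1 when
# the variable is unset, which is what a runtime instance observes if the
# export was skipped or the instance was not restarted afterwards.
resolve_env_reference() {
  var=$(reference_to_env_name "$1") || return 1
  # $var has been validated above, so eval only ever sees a plain variable name.
  if eval "[ -z \"\${$var+set}\" ]"; then
    echo "environment variable $var is not set; export it and restart the runtime instance" >&2
    return 1
  fi
  eval "printf '%s' \"\$$var\""
}

# Stand-alone demo: show which variable each reference from the page maps to.
for ref in '{vault://env/my-secret-cert}' '{vault://env/my-secret-key}'; do
  printf '%s -> %s\n' "$ref" "$(reference_to_env_name "$ref")"
done
```

Run it on the host where the runtime instance runs, in the same shell session where you exported the variables; if resolve_env_reference reports the variable as unset while you expect it to be there, the instance will not see it either until it is restarted with that environment.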

You can also store secrets in a secure vault backend. For a list of supported vault backend implementations, see the Backends Overview.
