Set Up and Use a Vault in Konnect
The following example shows you how to replace certificates used in Kong Gateway
runtime instances with a reference. You can do the same thing with any supported fields. This is the most basic form of secrets management.
Set up a vault
First, define your environment variables.
Open the Vaults page in Konnect:
- From the navigation menu, open Runtime Manager.
- Select a runtime group.
- From the expanded runtime group menu, open Vaults.
Set up a new vault. For this example, we’re going to use the environment variable vault.
- Click Add vault.
- Choose a vault type.
Enter an environment variable prefix. This will be the prefix that the vault
uses to recognize relevant values on the data plane.
For this example, you can use
Set a prefix that you want to use in references.
For this example, use
Optionally, add a description for the vault, and tag it.
Setting tags is optional, but recommended. If you want to manage
your vault configuration declaratively, tagging your vaults and managing subsets of configuration
with tags lets you protect your vaults from accidental change or deletion.
See the declarative configuration guide for vaults
for more information and best practices.
- Save the vault configuration.
Define a reference
Now that you have your environment variables set up, you can define references for them.
This next step has to be configured on the runtime instance.
For each runtime instance that needs to use this vault,
define an environment variable key and assign a secret to it.
export MY_SECRET_CERT="<cert data>" \
export MY_SECRET_KEY="<key data>"
Restart the runtime instance to load the values.
Next, set up references to these environment variables in URL format so Kong Gateway can recognize these secrets.
In this case, the references would look like this:
vault is a scheme that indicates that the value is a secret.
env defines the backend because you’re storing the secret in an environment variable.
my-secret-cert correspond to the previously defined environment variables.
Use the reference in configuration
Now, you can reference the secrets in proxy configuration.
Set up a cert and key using these references:
- From your runtime group side menu, open Certificates.
- Click Add certificate.
- In the Cert field, paste
- In the Key field, paste
- Save to see your certificate added to the list.
The Konnect control plane can now access the certificates
on the runtime instances using the references you provided.
You can also store secrets in a secure vault backend.
For a list of supported vault backend implementations, see the