Background
From Kong Gateway 3.0, Secrets Management is GA. Kong Gateway relies on many secrets, from database passwords to the API keys used in plugins. Previously you could use RBAC to restrict access to sensitive information in the Admin API and Kong Manager, but there was no way to manage those secrets without exposing them in plain text. Secrets Management makes this possible.
Supported Vaults
Currently, the following four types of Vaults are supported:
- AWS Secrets Manager
- GCP Secrets Manager
- HashiCorp Vault
- Environment Variable
Kong abstracts each of these systems behind a single reference syntax, so switching between them is a matter of changing the vault keyword (hcv, aws, gcp, or env) in the reference. For example, to access the password field of a Postgres secret in HashiCorp Vault, you refer to it in the following format:
{vault://hcv/postgres/password}
For AWS Secrets Manager:
{vault://aws/postgres/password}
For environment variables:
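To make the reference syntax concrete, here is an added example (written for this post, not Kong's own code) that parses `{vault://<backend>/<secret>[/<key>]}` references for all four backend keywords listed above and resolves the env and hcv forms. The env mapping (secret name upper-cased with dashes turned into underscores, optional trailing key selecting a field of a JSON-valued variable) is my reading of the Kong documentation and is an assumption; the hcv backend is a constructed in-memory dictionary standing in for a KV secret engine, so no real Vault is contacted, and aws/gcp are parsed but not wired up.

```python
"""Stand-alone demo of Kong-style vault references (added example, not Kong code)."""
import json
import os
import re
from typing import Dict, Mapping, Optional

# The four backend keywords the post lists.
SUPPORTED_BACKENDS = ("hcv", "aws", "gcp", "env")

# {vault://<backend>/<secret>} or {vault://<backend>/<secret>/<key>}
REF_RE = re.compile(
    r"^\{vault://(?P<backend>[a-z]+)/(?P<secret>[^/}]+)(?:/(?P<key>[^/}]+))?\}$"
)


def parse_reference(ref: str) -> Dict[str, Optional[str]]:
    """Split a vault reference into backend, secret name and optional key."""
    m = REF_RE.match(ref.strip())
    if m is None:
        raise ValueError(f"not a vault reference: {ref!r}")
    parts = m.groupdict()
    if parts["backend"] not in SUPPORTED_BACKENDS:
        raise ValueError(f"unsupported vault backend: {parts['backend']!r}")
    return parts


def is_reference(value) -> bool:
    return isinstance(value, str) and REF_RE.match(value.strip()) is not None


def env_backend(secret: str, key: Optional[str], environ: Optional[Mapping] = None) -> str:
    """'env' driver (assumed mapping): my-secret -> MY_SECRET; /<key> picks a JSON field."""
    environ = os.environ if environ is None else environ
    var = secret.upper().replace("-", "_")
    if var not in environ:
        raise KeyError(f"environment variable {var} is not set")
    raw = environ[var]
    if key is None:
        return raw
    try:
        return json.loads(raw)[key]
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        raise KeyError(f"{var} has no JSON field {key!r}") from exc


# Constructed stand-in for a HashiCorp Vault KV engine mounted at secret/.
# A real deployment would call the Vault API using the KONG_VAULT_HCV_* settings.
FAKE_HCV_KV = {
    "kong": {"pg_password": "example-pg-pass"},
    "postgres": {"password": "example-postgres-pass"},
}


def hcv_backend(secret: str, key: Optional[str], environ: Optional[Mapping] = None) -> str:
    """'hcv' driver simulated against FAKE_HCV_KV; a field name is required."""
    if key is None:
        raise ValueError("hcv references need a field: {vault://hcv/<secret>/<field>}")
    try:
        return FAKE_HCV_KV[secret][key]
    except KeyError as exc:
        raise KeyError(f"hcv secret {secret}/{key} not found") from exc


BACKENDS = {"env": env_backend, "hcv": hcv_backend}


def resolve(ref: str, environ: Optional[Mapping] = None) -> str:
    """Resolve one reference through the backend named by its keyword."""
    p = parse_reference(ref)
    backend = BACKENDS.get(p["backend"])
    if backend is None:
        raise NotImplementedError(f"backend {p['backend']!r} is not wired up in this demo")
    return backend(p["secret"], p["key"], environ)


def resolve_config(config: Dict[str, object], environ: Optional[Mapping] = None) -> Dict[str, object]:
    """Resolve every reference in a flat config; other values pass through unchanged."""
    return {k: (resolve(v, environ) if is_reference(v) else v) for k, v in config.items()}


def loggable(config: Dict[str, object]) -> Dict[str, object]:
    """Copy safe to print: references stay as references, resolved sensitive values are masked."""
    out = {}
    for k, v in config.items():
        if is_reference(v):
            out[k] = v
        elif any(word in k.lower() for word in ("password", "token", "secret", "key")):
            out[k] = "***"
        else:
            out[k] = v
    return out


if __name__ == "__main__":
    # Constructed environment and config for the demo run.
    demo_env = {"PG_PASSWORD": "s3cret", "REDIS_CREDS": '{"password": "r3dis"}'}
    cfg = {
        "pg_host": "db",
        "pg_password": "{vault://hcv/kong/pg_password}",
        "redis_password": "{vault://env/redis-creds/password}",
    }
    print("config as stored:", loggable(cfg))
    print("config as logged after resolution:", loggable(resolve_config(cfg, demo_env)))
```

The point of `loggable` is the one the post makes in its background section: configuration that carries a reference can be shown in the Admin API or a log verbatim, while the resolved value must never be.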
Demo
Let’s actually use Secrets Management to reference Vault secrets and try deploying Kong.
Prepare the Vault Environment
Here, set TOKEN_ID to kong. This value will be used later for authentication.
Create a Secret
Enter the container and create a secret.
If you do not set VAULT_ADDR and VAULT_TOKEN, you will get the error: Get "https://127.0.0.1:8200/v1/sys/internal/ui/mounts/secret": http: server gave HTTP response to HTTPS client.
Deploy Kong Gateway Using the Secret
Once Vault is up and running, start the Kong Gateway Docker container. Change the DB connection parameter KONG_PG_PASSWORD so that it references the secret from HashiCorp Vault as {vault://hcv/kong/pg_password}. The connection information for Vault is set with the KONG_VAULT_HCV_* parameters.
If the container starts successfully, you have successfully referenced the secret from Vault!
Deploy a Plugin Using the Secret
Since the Vault access information is already set, you can also reference secrets when deploying plugins. In the following example, when deploying the Proxy Caching Advanced plugin, the config.redis.password setting is referenced from Vault.
That’s it! We’ve introduced how to manage and reference secrets with Kong GW. Currently, drivers for environment variables, HashiCorp Vault, AWS Secrets Manager, and GCP Secrets Manager are built-in and ready to use. Good news for Azure Key Vault fans: support will be added soon, so please stay tuned!