Decrypt fields using an AWS key vaultv+
Decrypt a message field using a specific AWS key vault.
Prerequisites
- A corresponding Encrypt fields policy. Event Gateway uses the AWS ARN from the Encrypt fields policy to find the key for the Decrypt fields policy.
curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/consume-policies \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "decrypt-using-aws",
"type": "decrypt_fields",
"config": {
"failure_mode": "mark",
"key_sources": [
{
"type": "aws"
}
],
"decrypt_fields": {
"paths": [
{
"match": "personal.ssn"
}
]
}
}
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
virtualClusterId: Theidof the Virtual Cluster. -
eventGatewayId: Theidof the Event Gateway. -
eventGatewayListenerId: Theidof the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect-beta = {
source = "kong/konnect-beta"
}
}
}
provider "konnect-beta" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration:
resource "konnect_event_gateway_consume_policy_decrypt_fields" "my_virtual_cluster_policy_decrypt_fields" {
provider = konnect-beta
type = "decrypt_fields"
config = {
failure_mode = "mark"
key_sources = [
{
type = "aws"
} ]
decrypt_fields = {
paths = [
{
match = "personal.ssn"
} ]
}
}
virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id
gateway_id = konnect_event_gateway.my_event_gateway.id
}The following example creates a new decrypt_fields policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
- ref: eventGatewayName
name: eventGatewayName
virtual_clusters:
- ref: virtualClusterName
name: virtualClusterName
consume_policies:
- ref: decrypt-using-aws
type: decrypt_fields
decrypt_fields:
name: decrypt-using-aws
config:
failure_mode: mark
key_sources:
- type: aws
decrypt_fields:
paths:
- match: personal.ssnMake sure to replace the following placeholders with your own values:
-
eventGatewayName: Thenameof your Event Gateway. -
virtualClusterName: Thenameof the Virtual Cluster.