Decrypt Fields: Decrypt fields using an AWS key vault - Policy

Decrypt fields using an AWS key vaultv+

Decrypt a message field using a specific AWS key vault.

Prerequisites

A corresponding Encrypt fields policy. Event Gateway uses the AWS ARN from the Encrypt fields policy to find the key for the Decrypt fields policy.

Set up the policy

curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/consume-policies \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "decrypt-using-aws",
      "type": "decrypt_fields",
      "config": {
        "failure_mode": "mark",
        "key_sources": [
          {
            "type": "aws"
          }
        ],
        "decrypt_fields": {
          "paths": [
            {
              "match": "personal.ssn"
            }
          ]
        }
      }
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
virtualClusterId: The id of the Virtual Cluster.
eventGatewayId: The id of the Event Gateway.
eventGatewayListenerId: The id of the Event Gateway Listener.

See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect-beta = {
      source  = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration:

resource "konnect_event_gateway_consume_policy_decrypt_fields" "my_virtual_cluster_policy_decrypt_fields" {
  provider = konnect-beta
  type = "decrypt_fields"
  config = {
    failure_mode = "mark"
    key_sources = [
      {
        type = "aws"
      }    ]

    decrypt_fields = {
      paths = [
        {
          match = "personal.ssn"
        }      ]
    }
  }


  virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id

  gateway_id = konnect_event_gateway.my_event_gateway.id
}

Copied!

The following example creates a new decrypt_fields policy.

Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:

event_gateway_policy.yaml

Copied!

event_gateways:
  - ref: eventGatewayName
    name: eventGatewayName
    virtual_clusters:
    - ref: virtualClusterName
      name: virtualClusterName
      consume_policies:
      - ref: decrypt-using-aws
        type: decrypt_fields
        decrypt_fields:
          name: decrypt-using-aws
          config:
            failure_mode: mark
            key_sources:
            - type: aws
            decrypt_fields:
              paths:
              - match: personal.ssn

Make sure to replace the following placeholders with your own values:

eventGatewayName: The name of your Event Gateway.
virtualClusterName: The name of the Virtual Cluster.

Decrypt Fields

Decrypt fields using an AWS key vaultv+

Prerequisites

Set up the policy

Help us make these docs great!

Still need help?