Decrypt fields with a dynamic list of fieldsv+
Use a dynamic expression to decrypt fields of a message value.
Prerequisites
- A corresponding Encrypt fields policy. Event Gateway uses the AWS ARN from the Encrypt fields policy to find the key for the Decrypt fields policy.
curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/consume-policies \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "decrypt-using-dynamic-paths",
"type": "decrypt_fields",
"config": {
"failure_mode": "mark",
"key_sources": [
{
"type": "aws"
}
],
"decrypt_fields": {
"paths": "${ context.auth.token.claims[\"role\"] == \"admin\" ? [] : [\"personal.ssn\", \"personal.name\"] }"
}
}
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
virtualClusterId: Theidof the Virtual Cluster. -
eventGatewayId: Theidof the Event Gateway. -
eventGatewayListenerId: Theidof the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect-beta = {
source = "kong/konnect-beta"
}
}
}
provider "konnect-beta" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}Add the following to your Terraform configuration:
resource "konnect_event_gateway_consume_policy_decrypt_fields" "my_virtual_cluster_policy_decrypt_fields" {
provider = konnect-beta
type = "decrypt_fields"
config = {
failure_mode = "mark"
key_sources = [
{
type = "aws"
} ]
decrypt_fields = {
paths = "${ context.auth.token.claims[\"role\"] == \"admin\" ? [] : [\"personal.ssn\", \"personal.name\"] }"
}
}
virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id
gateway_id = konnect_event_gateway.my_event_gateway.id
}The following example creates a new decrypt_fields policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
- ref: eventGatewayName
name: eventGatewayName
virtual_clusters:
- ref: virtualClusterName
name: virtualClusterName
consume_policies:
- ref: decrypt-using-dynamic-paths
type: decrypt_fields
decrypt_fields:
name: decrypt-using-dynamic-paths
config:
failure_mode: mark
key_sources:
- type: aws
decrypt_fields:
paths: '${ context.auth.token.claims["role"] == "admin" ? [] : ["personal.ssn",
"personal.name"] }'Make sure to replace the following placeholders with your own values:
-
eventGatewayName: Thenameof your Event Gateway. -
virtualClusterName: Thenameof the Virtual Cluster.