Decrypt Fields: Decrypt fields using a static key - Policy

Decrypt fields using a static keyv+

Decrypt a message field using a static key.

The static key must be a secret reference to a 256-bit (32-byte) base64-encoded string, or the key itself as a string. We recommend using secret references to avoid exposing sensitive data in your configuration.

Prerequisites

A static key.
A corresponding Encrypt fields policy that uses the static key. Event Gateway uses the key reference in the message payload set by the Encrypt fields policy and looks for the actual key in key_sources to successfully decrypt.

Set up the policy

curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/consume-policies \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "decrypt-static-key",
      "type": "decrypt_fields",
      "config": {
        "failure_mode": "mark",
        "key_sources": [
          {
            "type": "static"
          }
        ],
        "decrypt_fields": {
          "paths": [
            {
              "match": "personal.ssn"
            }
          ]
        }
      }
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
virtualClusterId: The id of the Virtual Cluster.
eventGatewayId: The id of the Event Gateway.
eventGatewayListenerId: The id of the Event Gateway Listener.

See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect-beta = {
      source  = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration:

resource "konnect_event_gateway_consume_policy_decrypt_fields" "my_virtual_cluster_policy_decrypt_fields" {
  provider = konnect-beta
  type = "decrypt_fields"
  config = {
    failure_mode = "mark"
    key_sources = [
      {
        type = "static"
      }    ]

    decrypt_fields = {
      paths = [
        {
          match = "personal.ssn"
        }      ]
    }
  }


  virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id

  gateway_id = konnect_event_gateway.my_event_gateway.id
}

Copied!

The following example creates a new decrypt_fields policy.

Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:

event_gateway_policy.yaml

Copied!

event_gateways:
  - ref: eventGatewayName
    name: eventGatewayName
    virtual_clusters:
    - ref: virtualClusterName
      name: virtualClusterName
      consume_policies:
      - ref: decrypt-static-key
        type: decrypt_fields
        decrypt_fields:
          name: decrypt-static-key
          config:
            failure_mode: mark
            key_sources:
            - type: static
            decrypt_fields:
              paths:
              - match: personal.ssn

Make sure to replace the following placeholders with your own values:

eventGatewayName: The name of your Event Gateway.
virtualClusterName: The name of the Virtual Cluster.

Decrypt Fields

Decrypt fields using a static keyv+

Prerequisites

Set up the policy

Help us make these docs great!

Still need help?