Encrypt fields with AWS Key Vault
Use an AWS Key Vault to encrypt fields of a message value.
Prerequisites
- An AWS KMS key ARN.
- A corresponding field decryption policy.
Environment variables
- PARENT_POLICY_ID: The UUID of the parent Schema Validation policy.
- AWS_KEY_ARN: The KMS key ARN in this format: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID
curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/produce-policies \
  --header "accept: application/json" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer $KONNECT_TOKEN" \
  --data '
  {
    "name": "encrypt-ssn-field",
    "type": "encrypt_fields",
    "parent_policy_id": "'$PARENT_POLICY_ID'",
    "config": {
      "failure_mode": "reject",
      "encrypt_fields": [
        {
          "paths": [
            {
              "match": "personal.ssn"
            }
          ],
          "encryption_key": {
            "type": "aws",
            "arn": "'$AWS_KEY_ARN'"
          }
        }
      ]
    }
  }
  '

Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- virtualClusterId: The id of the Virtual Cluster.
- eventGatewayId: The id of the Event Gateway.
- eventGatewayListenerId: The id of the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
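As an added example (not from the Kong documentation), the following Python checks the two inputs the request above depends on, the parent policy UUID and the KMS key ARN in the arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID format, before assembling the same encrypt_fields policy body, so a typo is caught locally instead of surfacing as rejected messages once the policy is live; it generalizes to several field paths under one key. The function names and the sample UUID, account id and key id are this example's own constructed values.

```python
import json
import re
import uuid

# Added example, not Kong's code: validate the page's two inputs, then build the body.
# KMS key ARN format from the page: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID
# (assumes a 12-digit account id and a UUID-shaped KEY_ID; alias ARNs are rejected).
_KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d+):"
    r"(?P<account_id>\d{12}):key/(?P<key_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$"
)


def parse_kms_key_arn(arn: str) -> dict:
    """Return the region, account_id and key_id of a KMS key ARN, or raise ValueError."""
    m = _KMS_KEY_ARN.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN in the expected format: {arn!r}")
    return m.groupdict()


def build_encrypt_fields_policy(name, parent_policy_id, key_arn, field_paths,
                                failure_mode="reject"):
    """Build the JSON body of an encrypt_fields produce policy (one AWS key, one or more paths)."""
    parent = uuid.UUID(parent_policy_id)  # ValueError if PARENT_POLICY_ID is not a UUID
    parse_kms_key_arn(key_arn)  # fail here rather than at the gateway
    if not field_paths:
        raise ValueError("at least one field path is required")
    return {
        "name": name,
        "type": "encrypt_fields",
        "parent_policy_id": str(parent),
        "config": {
            "failure_mode": failure_mode,
            "encrypt_fields": [{
                "paths": [{"match": p} for p in field_paths],
                "encryption_key": {"type": "aws", "arn": key_arn},
            }],
        },
    }


if __name__ == "__main__":  # constructed sample values, not real resources
    body = build_encrypt_fields_policy(
        "encrypt-ssn-field",
        "123e4567-e89b-12d3-a456-426614174000",
        "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012",
        ["personal.ssn"],
    )
    print(json.dumps(body, indent=2))
```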
Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect-beta = {
      source = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration:
resource "konnect_event_gateway_produce_policy_encrypt_fields" "my_virtual_cluster_policy_encrypt_fields" {
  provider         = konnect-beta
  type             = "encrypt_fields"
  parent_policy_id = var.parent_policy_id
  config = {
    failure_mode = "reject"
    encrypt_fields = [
      {
        paths = [
          {
            match = "personal.ssn"
          }
        ]
        encryption_key = {
          type = "aws"
          arn  = var.aws_key_arn
        }
      }
    ]
  }
  virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id
  gateway_id         = konnect_event_gateway.my_event_gateway.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "aws_key_arn" {
  type = string
}

# The resource also references var.parent_policy_id, so it must be declared as well.
variable "parent_policy_id" {
  type = string
}

The following example creates a new encrypt_fields policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
  - ref: eventGatewayName
    name: eventGatewayName
    virtual_clusters:
      - ref: virtualClusterName
        name: virtualClusterName
        produce_policies:
          - ref: encrypt-ssn-field
            type: encrypt_fields
            encrypt_fields:
              name: encrypt-ssn-field
              parent_policy_id: "${policy_id}"
              config:
                failure_mode: reject
                encrypt_fields:
                  - paths:
                      - match: personal.ssn
                    encryption_key:
                      type: aws
                      arn: "${key_id}"

Make sure to replace the following placeholders with your own values:
- eventGatewayName: The name of your Event Gateway.
- virtualClusterName: The name of the Virtual Cluster.