Kong Gateway Enterprise integrates with major cloud providers to support cloud-native IAM authentication in place of static credentials. This allows you to use AWS IAM, Azure Microsoft Entra ID, or GCP IAM to authenticate Kong Gateway with cloud-hosted backing services such as databases, caches, secret stores, object storage, and serverless functions.
Cloud provider integration support for Kong Gateway Enterprise
Feature support
The following shows which Kong Gateway features support cloud provider IAM authentication.
- PostgreSQL database (AWS, Azure, GCP)
- Redis (see plugin docs)
- Vault (AWS, GCP, and Azure)
- Data plane resilience
Note: AI plugins support more AI models and service providers beyond AWS, Azure, and GCP. See the Kong AI Gateway overview for a full list of supported providers.
Authentication methods support
Each cloud provider offers different IAM authentication mechanisms. The following table lists which authentication methods Kong Gateway supports for each cloud provider.
Unless otherwise noted, each supported authentication method can be used with any Kong Gateway feature that integrates with that cloud provider, as listed in the feature support matrix.
Important: Identity Federation isn’t supported as an authentication method for any cloud provider.
| Cloud provider | Supported authentication methods |
|---|---|
| AWS | |
| GCP | |
| Azure | |
HashiCorp Vault cloud authentication
Kong Gateway Enterprise integrates with HashiCorp Vault as a secrets backend for storing and managing sensitive data such as certificates, API keys, and other credentials. To securely connect to a HashiCorp Vault instance, Kong Gateway Enterprise supports multiple authentication methods across generic, infrastructure, and cloud categories.
You can use either internal or external authentication methods, depending on your environment. Internal methods are handled entirely within HashiCorp Vault using credentials that Vault itself issues, such as a Vault token or an AppRole; this means a Vault-issued secret must be provisioned to Kong Gateway and protected and rotated like any other static credential. External methods rely on an identity managed by an outside provider or infrastructure platform, such as Kubernetes, AWS IAM, or Azure Microsoft Entra ID, so Kong Gateway presents a credential minted by that platform and Vault validates it against the issuer. Authentication via a cloud provider uses JWT authentication. For details on which specific cloud IAM authentication mechanisms are supported, see the cloud provider support matrix.
Supported authentication methods
The following table describes which authentication methods are supported for HashiCorp Vault:
| Method | Description | Type |
|---|---|---|
| Token | Authenticate with a Vault token. | Internal |
| TLS Certificate | Authenticate using SSL/TLS client certificates. | Internal |
| AppRole | Authenticate with HashiCorp Vault-defined roles. | Internal |
| JWT (v3.13+) | Authenticate with a JWT from an OIDC provider. | External |
| Kubernetes | Authenticate using a Kubernetes Service Account token. This method is suitable when Kong Gateway Enterprise runs inside a Kubernetes cluster. | External |
| AWS (v3.14+) | Authenticate using AWS IAM credentials, including the AWS EC2/IAM auth method supported by HashiCorp Vault. | External |
| Azure (v3.14+) | Authenticate using Azure Microsoft Entra credentials. | External |
| GCP (v3.14+) | Authenticate using GCP IAM credentials. | External |
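The internal/external split in the table is easiest to see at the wire level. The following Python is an added example, not Kong Gateway's or HashiCorp's own code: it builds the login request each method sends to Vault's HTTP API, marks which fields are credential material that must never reach a log, and adds a client-side pre-flight check for the JWT-based methods (expiry and audience, the two most common misconfigurations). It assumes the auth methods are mounted at Vault's default paths (`auth/<method>`); the Vault address, role names and every credential value are constructed, and nothing is sent over the network.

```python
# Added example, not Kong Gateway's or HashiCorp's own code. Models the login request
# each Vault auth method produces so the internal/external distinction is visible:
# internal methods carry a secret Vault itself issued, external methods carry a credential
# issued by another identity provider (Kubernetes, an OIDC issuer, AWS, Azure, GCP).
# Assumptions: default Vault mount paths (auth/<method>); address, roles and credential
# values are constructed; no requests are actually sent.
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Optional

VAULT_ADDR = "https://vault.example.internal:8200"  # constructed


@dataclass(frozen=True)
class LoginRequest:
    method: str
    external: bool             # True when the credential comes from an outside IdP
    path: str                  # relative to VAULT_ADDR; "" means no login call needed
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    secret_fields: tuple = ()  # body/header keys that must never be logged

    def redacted(self) -> dict:
        """Loggable view of the request with credential material masked."""
        def mask(d):
            return {k: ("<redacted>" if k in self.secret_fields else v) for k, v in d.items()}
        return {"method": self.method, "external": self.external, "path": self.path,
                "headers": mask(self.headers), "body": mask(self.body)}


# Internal methods: the credential is minted by Vault and must be provisioned to Kong.
def token_login(token: str) -> LoginRequest:
    # No login call at all: the Vault token is sent on every request as a header.
    return LoginRequest("token", False, "", headers={"X-Vault-Token": token},
                        secret_fields=("X-Vault-Token",))


def approle_login(role_id: str, secret_id: str) -> LoginRequest:
    return LoginRequest("approle", False, "/v1/auth/approle/login",
                        body={"role_id": role_id, "secret_id": secret_id},
                        secret_fields=("secret_id",))


def cert_login(cert_role: str = "") -> LoginRequest:
    # The client certificate is presented in the TLS handshake, not in the request body.
    return LoginRequest("cert", False, "/v1/auth/cert/login",
                        body={"name": cert_role} if cert_role else {})


# External methods: Kong presents a credential issued elsewhere and Vault validates it
# against the issuer (JWKS, Kubernetes TokenReview, AWS STS, Azure/GCP instance metadata).
def jwt_login(role: str, jwt: str) -> LoginRequest:
    return LoginRequest("jwt", True, "/v1/auth/jwt/login",
                        body={"role": role, "jwt": jwt}, secret_fields=("jwt",))


def kubernetes_login(role: str, service_account_token: str) -> LoginRequest:
    return LoginRequest("kubernetes", True, "/v1/auth/kubernetes/login",
                        body={"role": role, "jwt": service_account_token}, secret_fields=("jwt",))


def aws_iam_login(role: str, sts_method: str, sts_url: str, sts_body: str, sts_headers: dict) -> LoginRequest:
    # Vault's AWS IAM method takes a SigV4-signed sts:GetCallerIdentity request; URL, body and
    # headers are base64-encoded as the Vault API expects. The signing step is out of scope here.
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return LoginRequest("aws", True, "/v1/auth/aws/login",
                        body={"role": role, "iam_http_request_method": sts_method,
                              "iam_request_url": b64(sts_url), "iam_request_body": b64(sts_body),
                              "iam_request_headers": b64(json.dumps(sts_headers))},
                        secret_fields=("iam_request_headers",))


def gcp_login(role: str, identity_jwt: str) -> LoginRequest:
    return LoginRequest("gcp", True, "/v1/auth/gcp/login",
                        body={"role": role, "jwt": identity_jwt}, secret_fields=("jwt",))


def azure_login(role: str, msi_jwt: str, subscription_id: str, resource_group_name: str, vm_name: str) -> LoginRequest:
    return LoginRequest("azure", True, "/v1/auth/azure/login",
                        body={"role": role, "jwt": msi_jwt, "subscription_id": subscription_id,
                              "resource_group_name": resource_group_name, "vm_name": vm_name},
                        secret_fields=("jwt",))


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_preflight(jwt: str, expected_aud: str, now: Optional[float] = None) -> tuple:
    """Cheap client-side sanity check before a JWT/Kubernetes/GCP/Azure login.
    This is NOT verification (Vault checks the signature against the issuer); it only
    avoids sending a token that is already expired or bound to the wrong audience."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, "audience mismatch: %s" % auds
    return True, "ok"


def constructed_jwt(claims: dict) -> str:
    """Constructed, unsigned token for exercising jwt_preflight offline; Vault would reject it."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc({"alg": "none"}), enc(claims))
```

Only `redacted()` output should ever be logged; the unmasked `LoginRequest` is what goes on the wire. The pre-flight deliberately decodes without verifying, because the client has no business holding the issuer's verification keys; its job is to fail fast on a stale or mis-scoped token so the failure shows up in Kong's logs rather than as an opaque 403 from Vault.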