Vaults allow you to securely store and then reference secrets from within other entities. This ensures that secrets aren’t visible in plaintext throughout the platform, in places such as kong.conf,
declarative configuration files, logs, or the UI.
For example, you could store a certificate and a key in a Vault, then reference them from a Certificate entity. This way, the certificate and key are not stored in the entity directly and are more secure.
You can add secrets to Vaults in one of the following ways:
You can store and reference the following as secrets in a Vault:
kong.conf are referenceable. For example:
Konnect Config Store limitations:
- 1: You can’t reference secrets stored in a Konnect Config Store Vault in
kong.confbecause Konnect resolves the secret after Kong Gateway connects to the Control Plane. For this same reason, you can’t use Konnect Config Store secrets directly in Lua code via the Kong PDK, for example.- 2: In Konnect, the Kong Gateway license is managed and stored by Konnect, and doesn’t need to be stored manually in any Vault.
The following plugin fields can be stored and referenced as secrets:
| Plugin | Referenceable Plugin Fields |
|---|---|
|
Access Control Enforcement
( ace)
|
|
|
ACME
( acme)
|
|
|
AI AWS Guardrails
( ai-aws-guardrails)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI Custom Guardrail
( ai-custom-guardrail)
|
|
|
AI GCP Model Armor
( ai-gcp-model-armor)
|
|
|
AI Lakera Guard
( ai-lakera-guard)
|
|
|
AI LLM as Judge
( ai-llm-as-judge)
|
|
|
AI MCP OAuth2
( ai-mcp-oauth2)
|
|
|
AI MCP Proxy
( ai-mcp-proxy)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI RAG Injector
( ai-rag-injector)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AI Semantic Response Guard
( ai-semantic-response-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Basic Auth
( basic-auth)
|
|
|
Confluent
( confluent)
|
|
|
Confluent Consume
( confluent-consume)
|
|
|
Datadog
( datadog)
|
|
|
Datakit
( datakit)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Consume
( kafka-consume)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
Metering & Billing
( metering-and-billing)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Callout
( request-callout)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Service Protection
( service-protection)
|
|
|
Session
( session)
|
|
|
Solace Consume
( solace-consume)
|
|
|
Solace Log
( solace-log)
|
|
|
Solace Upstream
( solace-upstream)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
Access Control Enforcement
( ace)
|
|
|
ACME
( acme)
|
|
|
AI AWS Guardrails
( ai-aws-guardrails)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI GCP Model Armor
( ai-gcp-model-armor)
|
|
|
AI Lakera Guard
( ai-lakera-guard)
|
|
|
AI LLM as Judge
( ai-llm-as-judge)
|
|
|
AI MCP OAuth2
( ai-mcp-oauth2)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI RAG Injector
( ai-rag-injector)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AI Semantic Response Guard
( ai-semantic-response-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Basic Auth
( basic-auth)
|
|
|
Confluent
( confluent)
|
|
|
Confluent Consume
( confluent-consume)
|
|
|
Datadog
( datadog)
|
|
|
Datakit
( datakit)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Consume
( kafka-consume)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Callout
( request-callout)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Service Protection
( service-protection)
|
|
|
Session
( session)
|
|
|
Solace Consume
( solace-consume)
|
|
|
Solace Log
( solace-log)
|
|
|
Solace Upstream
( solace-upstream)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AI AWS Guardrails
( ai-aws-guardrails)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI GCP Model Armor
( ai-gcp-model-armor)
|
|
|
AI LLM as Judge
( ai-llm-as-judge)
|
|
|
AI MCP OAuth2
( ai-mcp-oauth2)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI RAG Injector
( ai-rag-injector)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AI Semantic Response Guard
( ai-semantic-response-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Confluent
( confluent)
|
|
|
Confluent Consume
( confluent-consume)
|
|
|
Datadog
( datadog)
|
|
|
Datakit
( datakit)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Consume
( kafka-consume)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Callout
( request-callout)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Service Protection
( service-protection)
|
|
|
Session
( session)
|
|
|
Solace Consume
( solace-consume)
|
|
|
Solace Log
( solace-log)
|
|
|
Solace Upstream
( solace-upstream)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AI AWS Guardrails
( ai-aws-guardrails)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI RAG Injector
( ai-rag-injector)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Confluent
( confluent)
|
|
|
Confluent Consume
( confluent-consume)
|
|
|
Datadog
( datadog)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Consume
( kafka-consume)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Callout
( request-callout)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Service Protection
( service-protection)
|
|
|
Session
( session)
|
|
|
Solace Upstream
( solace-upstream)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI RAG Injector
( ai-rag-injector)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Confluent
( confluent)
|
|
|
Confluent Consume
( confluent-consume)
|
|
|
Datadog
( datadog)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Consume
( kafka-consume)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Callout
( request-callout)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Service Protection
( service-protection)
|
|
|
Session
( session)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Confluent
( confluent)
|
|
|
Datadog
( datadog)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Service Protection
( service-protection)
|
|
|
Session
( session)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Proxy Advanced
( ai-proxy-advanced)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AI Semantic Cache
( ai-semantic-cache)
|
|
|
AI Semantic Prompt Guard
( ai-semantic-prompt-guard)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Confluent
( confluent)
|
|
|
Datadog
( datadog)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Session
( session)
|
|
|
Standard Webhooks
( standard-webhooks)
|
|
|
Upstream OAuth
( upstream-oauth)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AI Azure Content Safety
( ai-azure-content-safety)
|
|
|
AI Proxy
( ai-proxy)
|
|
|
AI Rate Limiting Advanced
( ai-rate-limiting-advanced)
|
|
|
AI Request Transformer
( ai-request-transformer)
|
|
|
AI Response Transformer
( ai-response-transformer)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Datadog
( datadog)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Proxy Caching Advanced
( graphql-proxy-cache-advanced)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
JWT Signer
( jwt-signer)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Session
( session)
|
|
| Plugin | Referenceable Plugin Fields |
|---|---|
|
ACME
( acme)
|
|
|
AWS Lambda
( aws-lambda)
|
|
|
Azure Functions
( azure-functions)
|
|
|
Datadog
( datadog)
|
|
|
Forward Proxy Advanced
( forward-proxy)
|
|
|
GraphQL Rate Limiting Advanced
( graphql-rate-limiting-advanced)
|
|
|
HTTP Log
( http-log)
|
|
|
Kafka Log
( kafka-log)
|
|
|
Kafka Upstream
( kafka-upstream)
|
|
|
LDAP Authentication Advanced
( ldap-auth-advanced)
|
|
|
Loggly
( loggly)
|
|
|
OAuth 2.0 Introspection
( oauth2-introspection)
|
|
|
OpenID Connect
( openid-connect)
|
|
|
OpenTelemetry
( opentelemetry)
|
|
|
Proxy Caching Advanced
( proxy-cache-advanced)
|
|
|
Rate Limiting
( rate-limiting)
|
|
|
Rate Limiting Advanced
( rate-limiting-advanced)
|
|
|
Request Transformer Advanced
( request-transformer-advanced)
|
|
|
Response Rate Limiting
( response-ratelimiting)
|
|
|
SAML
( saml)
|
|
|
Session
( session)
|
|
Each vault has its own required configuration. You can provide this configuration by creating a Vault entity, or by configuring specific environment variables before starting Kong Gateway.
For more information, choose a Vault below to see the specific configuration required.
| Backend | Kong Gateway OSS | Kong Gateway Enterprise | Konnect supported |
|---|---|---|---|
| Environment variable | Supported | Supported | Supported |
| Konnect (Konnect Config Store) | Not supported | Not supported | Supported |
| AWS Secrets Manager | Not supported | Supported | Supported |
| Azure Key Vaults | Not supported | Supported | Supported |
| Google Cloud Secret | Not supported | Supported | Supported |
| HashiCorp Vault | Not supported | Supported | Supported |
| CyberArk Secrets Manager (Conjur) v3.11+ | Not supported | Supported | Supported |
When you want to use a secret stored in a Vault, you can reference the secret with a vault reference. You can use the vault reference in places such as kong.conf, declarative configuration files, logs, or in the UI.
The Vault backend may store multiple related secrets inside an object, but the reference should always point to a key that resolves to a string value. For example, the following reference:
{vault://hcv/pg/username}
Would point to a secret object called pg inside a HashiCorp Vault, which may return the following value:
{
"username": "john",
"password": "doe"
}
Kong Gateway receives the payload and extracts the "username" value of "john" for the secret reference of
{vault://hcv/pg/username}.
Vault references must be used for the whole referenced value.
Imagine that you’re calling a upstream service with the authentication token ABC123:
| Works | Configuration Value | Vault Value |
|---|---|---|
| false | Bearer {vault://hcv/myservice-auth-token} | ABC123 |
| true | {vault://hcv/myservice-auth-token} | Bearer ABC123 |
When using Vault references in plugin configs to add headers, ensure that the secret value stored in your Vault follows the
key:valueformat. The entire header definition, both name and value, needs to be provided by the resolved secret.
By default, Kong Gateway automatically refreshes secrets once every minute in the background. You can also configure how often Kong Gateway refreshes secrets using the Vault entity configuration.
There are two types of refresh configuration available:
For more information, see Secret management.
When you set up a Vault, each provider has specific parameters that you can or must configure to integrate the Vault with a provider. For the entire Vault configuration schema, see the schema reference.
You can set up a Vault in one of the following ways:
kong.conf, set at Kong Gateway startupThe Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.
|
Field name |
Parameter format |
Description |
|---|---|---|
| Environment Variable Prefix |
|
The prefix for the environment variable that the value will be stored in. |
|
Base64 Decode v3.11+ |
|
Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. |
Kong Gateway must have the required IAM roles to access any relevant secrets. Configure the following AWS environment variables on your Kong Gateway data plane:
export AWS_ACCESS_KEY_ID=your-access-key-id
export AWS_SECRET_ACCESS_KEY=your-secret-access-key
export AWS_SESSION_TOKEN=your-session-token
For a complete tutorial on how to set up AWS as a Vault entity, see the following:
The following table lists all of the available configuration parameters for an AWS Secrets Manager Vault:
|
Field name |
Parameter format |
Description |
|---|---|---|
| AWS region |
|
The AWS region where your vault is located. |
|
AWS Secrets Manager Endpoint URL v3.4+ |
|
The endpoint URL of the AWS Secrets Manager service. If not specified, the default is https://secretsmanager.{region}.amazonaws.com. You can override this by specifying a complete URL including the http/https scheme.
|
|
Assume AWS IAM Role ARN v3.4+ |
|
The target IAM role ARN to assume when accessing AWS Secrets Manager. If specified, the backend will assume this role using your current runtime’s IAM Role. Leave empty if not using an assumed role. |
|
Role Session Name v3.4+ |
|
The session name used when assuming a role. Defaults to KongVault.
|
|
AWS STS Endpoint URL v3.8+ |
|
A custom STS endpoint URL used for IAM role assumption. Overrides the default https://sts.amazonaws.com or regional variant https://sts.<region>.amazonaws.com. Include the full http/https scheme. Only specify this if using a private VPC endpoint for STS.
|
| TTL |
|
The time-to-live (in seconds) for cached secrets. A value of 0 (default) disables rotation. If non-zero, use at least 60 seconds. |
| Negative TTL |
|
The TTL (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. When the TTL expires, Kong will retry fetching the secret. |
| Resurrect TTL |
|
The duration (in seconds) for which expired secrets will continue to be used if the vault is unreachable or the secret is deleted. After this time, Kong stops retrying. The default is 1e8 seconds (~3 years) to ensure resilience during unexpected issues. |
|
Base64 Decode v3.11+ |
|
Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. |
Kong Gateway uses a key to automatically authenticate with the Azure Key Vaults API and grant you access. You must set the following environment variable on your data plane to connect with an Azure Key Vault:
export AZURE_CLIENT_SECRET=YOUR_CLIENT_SECRET
At minimum, you’ll also need to set the following values on your data plane.
Note: If you’re using an Instance Managed Identity Token, setting these environment variables isn’t necessary.
export KONG_VAULT_AZURE_VAULT_URI=https://your-vault.vault.azure.com
export KONG_VAULT_AZURE_TENANT_ID=YOUR_TENANT_ID
export KONG_VAULT_AZURE_CLIENT_ID=YOUR_CLIENT_ID
The following table lists all of the available configuration parameters for an Azure Key Vault:
|
Field name |
Parameter format |
Description |
|---|---|---|
| Vault URI |
|
The URI from which the vault is reachable. This value can be found in your Azure Key Vault Dashboard under the Vault URI entry. |
| Client ID |
|
The client ID for your registered application. You can find this in the Azure Dashboard under App Registrations. |
| Tenant ID |
|
The DirectoryId and TenantId are the same: both refer to the GUID representing your Azure Active Directory tenant. Microsoft documentation and products may use either term depending on context.
|
| Location |
|
Each Azure geography includes one or more regions that meet specific data residency and compliance requirements. |
| Type |
|
Azure Key Vault supports different data types such as keys, secrets, and certificates. Kong currently supports only secrets.
|
| TTL |
|
Time-to-live (in seconds) for a cached secret. A value of 0 (default) means no rotation. For non-zero values, it is recommended to use intervals of at least 60 seconds. |
| Negative TTL |
|
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. After neg_ttl expires, Kong retries fetching the secret.
|
| Resurrect TTL |
|
Duration (in seconds) that secrets remain usable after expiration (config.ttl limit). Useful when the vault is unreachable or a secret is deleted. Kong retries refreshing the secret for this duration. Afterward, it stops. The default is 1e8 seconds (~3 years) to ensure resiliency during issues.
|
|
Base64 Decode v3.11+ |
|
Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. |
To configure GCP Secret Manager, the GCP_SERVICE_ACCOUNT environment variable must be set to the JSON document referring to the credentials for your service account:
export GCP_SERVICE_ACCOUNT=$(cat gcp-project-c61f2411f321.json)
Kong Gateway uses the key to automatically authenticate with the GCP API and grant you access.
To use GCP Secret Manager with Workload Identity on a GKE cluster, update your pod spec so that the service account is attached to the pod. For configuration information, read the Workload Identity configuration documentation.
Notes:
- With Workload Identity, setting the
GCP_SERVICE_ACCOUNTisn’t necessary.- When using GCP Vault as a backend, make sure you have configured system as part of the
lua_ssl_trusted_certificateconfiguration directive so that the SSL certificates used by the official GCP API can be trusted by Kong.
For a complete tutorial on how to set up Google Cloud as a Vault entity, see the following:
The following table lists the available configuration parameters for a GCP Secret Manager Vault:
|
Field name |
Parameter format |
Description |
|---|---|---|
| Google Project ID |
|
The project ID from your Google API Console. You can find it by visiting your Google API Console and selecting “Manage all projects” in the projects list. |
| TTL |
|
Time-to-live (in seconds) for a cached secret. A value of 0 (default) disables rotation. For non-zero values, use a minimum of 60 seconds. |
| Negative TTL |
|
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. Kong will retry fetching the secret after neg_ttl expires.
|
| Resurrect TTL |
|
Time (in seconds) that secrets remain in use after expiration (config.ttl ends). Useful if the vault is unreachable or the secret is deleted but not yet replaced. Kong continues to retry for resurrect_ttl seconds before giving up. The default is 1e8 seconds (~3 years) to support uninterrupted service during outages.
|
|
Base64 Decode v3.11+ |
|
Decode all secrets in this vault as base64. Useful for binary data. If some of the secrets in the vault are not base64-encoded, an error will occur when using them. We recommend creating a separate vault for base64 secrets. |
For a complete tutorial on how to set up HashiCorp Vault as a Kong Vault backend, see the following:
The following table lists the available configuration parameters for a HashiCorp Vault:
|
Field name |
Parameter format |
Description |
|---|---|---|
| Protocol |
|
The protocol to connect with. Accepts one of http or https.
|
| Host |
|
The hostname of your HashiCorp vault. |
| Port |
|
The port number of your HashiCorp vault. |
| Mount |
|
The mount point. |
| Kv |
|
The secrets engine version. Accepts v1 or v2.
|
| Token |
|
A token string. |
| TTL |
|
Time-to-live (in seconds) for a cached secret. A value of 0 (default) disables rotation. For non-zero values, use at least 60 seconds. |
| Negative TTL |
|
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. Kong retries after neg_ttl expires.
|
| Resurrect TTL |
|
Time (in seconds) that secrets remain in use after expiration (config.ttl is over). Useful if the vault is unreachable or a secret is deleted. Kong continues retrying for resurrect_ttl seconds, then stops. Default is 1e8 seconds (~3 years).
|
|
Namespace v3.1+ |
|
Namespace for the Vault. Vault Enterprise requires a namespace to connect successfully. |
|
Authentication Method v3.1+ |
|
Defines the authentication mechanism for connecting to the HashiCorp Vault service. Accepts token, kubernetes, approle, cert, jwt, gcp_iam, gcp_gce, azure, aws_ec2, or aws_iam.
For |
|
Kubernetes Role v3.1+ |
|
Role assigned to the Kubernetes service account. Only used when keyring_vault_auth_method is set to kubernetes.
|
|
Kubernetes API Token File v3.1+ |
|
Path to the Kubernetes service account token file. Defaults to /run/secrets/kubernetes.io/serviceaccount/token if unspecified.
|
|
Kubernetes Auth Path v3.4+ |
|
Path for enabling the Kubernetes auth method. Defaults to kubernetes. Single leading/trailing slashes are trimmed.
|
|
App Role Auth Path v3.4+ |
|
Path for enabling the AppRole auth method. Defaults to AppRole. Single leading/trailing slashes are trimmed.
|
|
App Role Role ID v3.4+ |
|
Specifies the AppRole role ID in HashiCorp Vault. |
|
App Role Secret ID v3.4+ |
|
Defines the AppRole’s secret ID in HashiCorp Vault. |
|
App Role Secret ID File v3.4+ |
|
Path to a file containing the AppRole secret ID. |
|
App Role Response Wrapping v3.4+ |
|
Whether the secret ID is a response-wrapping token. Defaults to false. When true, Kong unwraps the token to get the actual secret ID. Note: tokens can only be unwrapped once; distribute them individually to Kong nodes.
|
|
Cert Key v3.11+ |
|
The key file for the client certificate. |
|
Cert v3.11+ |
|
The client certificate file. |
|
Role Name v3.11+ |
|
The trusted certificate role name. |
|
OAuth2 Role Name v3.13+ |
|
The configured role name in HashiCorp Vault for OAuth2 auth. When creating the role in HashiCorp Vault, make sure that the role_type is jwt and the token_policies have permissions to read the secrets.
|
|
OAuth2 Token Endpoint v3.13+ |
|
The OAuth2 token endpoint for Hashicorp Vault’s OAuth2 auth method. |
|
OAuth2 Client ID v3.13+ |
|
The OAuth2 client ID. |
|
OAuth2 Client Secret v3.13+ |
|
The OAuth2 client secret. |
|
OAuth2 Audiences v3.13+ |
|
Comma-separated list of OAuth2 audiences. |
|
GCP Auth Role v3.14+ |
|
The configured role name in HashiCorp Vault for GCP auth. Required when auth_method is gcp_iam or gcp_gce.
|
|
GCP Login Path v3.14+ |
|
The login path for GCP auth in HashiCorp Vault. Used with both gcp_iam and gcp_gce auth methods. Defaults to /v1/auth/gcp/login.
|
|
GCP Service Account v3.14+ |
|
The GCP service account email or identifier used for authentication. Required when auth_method is gcp_iam.
|
|
GCP JWT Expiration v3.14+ |
|
The expiration time for the GCP JWT token in seconds. Must be between 0 and 900. Required when auth_method is gcp_iam.
|
|
Azure Auth Role v3.14+ |
|
The configured role name in HashiCorp Vault for Azure auth. When creating the role in HashiCorp Vault, make sure that the role_type is azure and the token_policies have permissions to read the secrets. Required when auth_method is azure.
|
|
Azure Login Path v3.14+ |
|
The login path for Azure auth in HashiCorp Vault. Defaults to /v1/auth/azure/login.
|
|
AWS Auth Role v3.14+ |
|
The configured role name in HashiCorp Vault for AWS auth. When creating the role in HashiCorp Vault, make sure that the role_type is aws and the token_policies have permissions to read the secrets. Required when auth_method is aws_ec2 or aws_iam.
|
|
AWS Login Path v3.14+ |
|
The login path for AWS auth in HashiCorp Vault. Used with both aws_ec2 and aws_iam auth methods. Defaults to /v1/auth/aws/login.
|
|
AWS Auth Region v3.14+ |
|
The AWS region for the AWS auth method. Required when auth_method is aws_iam.
|
|
AWS Auth Nonce v3.14+ |
|
The nonce used for the AWS EC2 auth method. Required when auth_method is aws_ec2.
|
|
AWS Access Key ID v3.14+ |
|
The AWS access key ID for AWS IAM authentication. If not provided, the default credentials provider chain is used. Must be set together with aws_secret_access_key.
|
|
AWS Secret Access Key v3.14+ |
|
The AWS secret access key for AWS IAM authentication. If not provided, the default credentials provider chain is used. Must be set together with aws_access_key_id.
|
|
AWS STS Endpoint URL v3.14+ |
|
The AWS STS endpoint URL used by Kong Gateway when signing the GetCallerIdentity request for AWS IAM authentication. If not provided, defaults to the standard STS endpoint for the specified region. This setting only affects the STS endpoint that Kong Gateway itself contacts — it does not influence which STS endpoint HashiCorp Vault uses on its side.
|
|
AWS Assume Role ARN v3.14+ |
|
The ARN of the AWS IAM role to assume for authentication. Must be set together with aws_role_session_name.
|
|
AWS Role Session Name v3.14+ |
|
The session name to use when assuming an AWS IAM role. Defaults to kong. Must be set together with aws_assume_role_arn.
|
See a tutorial about how to set up CyberArk Secrets Manager (Conjur) as a Kong Vault backend in Kong Gateway.
The following table lists the available configuration parameters for a CyberArk Secrets Manager Vault:
|
Field name |
Parameter format |
Description |
|---|---|---|
|
Endpoint URL v3.11+ |
|
The CyberArk Secrets Manager backend URL to connect with. Accepts http or https protocols.
|
|
Authentication method v3.11+ |
|
Defines the authentication mechanism for connecting to the CyberArk Secrets Manager Vault service. Accepted value: api_key.
|
|
Account v3.11+ |
|
The CyberArk Secrets Manager organization account name. |
|
Login v3.11+ |
|
The login name of the workload identity. |
|
API Key v3.11+ |
|
The API key of the workload identity. |
|
TTL v3.11+ |
|
Time-to-live (in seconds) for a cached secret. A value of 0 (default) disables rotation. For non-zero values, use at least 60 seconds. |
|
Negative TTL v3.11+ |
|
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching.
Kong retries after neg_ttl expires.
|
|
Resurrect TTL v3.11+ |
|
Duration (in seconds) that secrets remain usable after expiration (config.ttl is over).
Useful when the vault is unreachable or a secret is deleted but not yet replaced.
Kong continues retrying for resurrect_ttl seconds, then stops. The default is 1e8 seconds (~3 years).
|
To access secrets stored in the AWS Secrets Manager, Kong Gateway needs to be configured with an IAM Role that has sufficient permissions to read the required secret values.
Kong Gateway can automatically fetch IAM role credentials based on your AWS environment, observing the following precedence order:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.AWS_PROFILE and AWS_SHARED_CREDENTIALS_FILE.Kong Gateway also supports role assuming (with vaults.config.assume_role_arn and vaults.config.role_session_name) which allows you to use a different IAM role to fetch secrets from AWS Secrets Manager. This is a common practice in permission division and governance and cross-AWS account management.
Note: IAM Identity Center credential provider and process credential provider are not supported.
Kong Gateway Enterprise integrates with HashiCorp Vault as a secrets backend for storing and managing sensitive data such as certificates, API keys, and other credentials. To securely connect to a HashiCorp Vault instance, Kong Gateway Enterprise supports multiple authentication methods across generic, infrastructure, and cloud categories.
You can use both internal and external authentication methods depending on your environment. Internal authentication methods handle authentication entirely within HashiCorp Vault using credentials specific to Vault itself, such as a Vault token or an AppRole. External authentication relies on an identity managed by an external provider or infrastructure platform, such as Kubernetes, AWS IAM, or Azure Microsoft Entra ID. Authentication via a cloud provider uses JWT authentication. For details on which specific cloud IAM authentication mechanisms are supported, see the cloud provider support matrix.
The following table describes which authentication methods are supported for HashiCorp Vault:
|
Method |
Description |
Type |
|---|---|---|
| Token | Authenticate with a Vault token. | Internal |
| TLS Certificate | Authenticate using SSL/TLS client certificates. | Internal |
| AppRole | Authenticate with HashiCorp Vault-defined roles. | Internal |
| JWT v3.13+ | Authenticate with a JWT from an OIDC provider. | External |
| Kubernetes | Authenticate using a Kubernetes Service Account token. This method is suitable when Kong Gateway Enterprise runs inside a Kubernetes cluster. | External |
| AWS v3.14+ | Authenticate using AWS IAM credentials, including the AWS EC2/IAM auth method supported by HashiCorp Vault. | External |
| Azure v3.14+ | Authenticate using Azure Microsoft Entra credentials. | External |
| GCP v3.14+ | Authenticate using GCP IAM credentials. | External |
You can set up a Vault in one of the following ways.
_format_version: "3.0"
vaults:
- name: env
description: ENV vault for secrets
prefix: my-env-vault
config:
prefix: MY_SECRET_
To create a Vault entity, call the Admin API’s /vaults endpoint.
curl -i -X POST http://localhost:8001/vaults/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "env",
"description": "ENV vault for secrets",
"prefix": "my-env-vault",
"config": {
"prefix": "MY_SECRET_"
}
}
'
To create a Vault entity, call the Konnect control plane config API’s /vaults endpoint.
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/vaults/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "env",
"description": "ENV vault for secrets",
"prefix": "my-env-vault",
"config": {
"prefix": "MY_SECRET_"
}
}
'
Make sure to replace the following placeholders with your own values:
region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
name: env-vault
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
spec:
backend: env
description: ENV vault for secrets
prefix: my-env-vault
config:
prefix: MY_SECRET_
" | kubectl apply -f -
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
resource "konnect_gateway_vault" "my_vault" {
description = "ENV vault for secrets"
prefix = "my-env-vault"
config = {
prefix = "MY_SECRET_"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
The following creates a new Vault with basic configuration:
env
my-env-vault
ENV vault for secrets
You can store secrets as environment variables instead of configuring a Vault entity or third-party backend vault.
|
Use case |
Environment variable example |
Secret reference example |
|---|---|---|
| Single secret value |
export MY_SECRET_VALUE=example-secret
|
{vault://env/my-secret-value}
|
| Multiple secrets (flat JSON string) |
export PG_CREDS='{"username":"user", "password":"pass"}'
|
{vault://env/pg-creds/username}
{vault://env/pg-creds/password}
|
What types of fields can be used in Vaults?
Vaults work with “referenceable” fields. All fields in kong.conf are referenceable and some fields within entities (for example, plugins, certificates) are also. Refer to the appropriate entity documentation to learn more.
Can Vaults be referenced during custom plugin development?
Yes. The plugin development kit (PDK) offers a Vaults module (kong.vault) that can be used to resolve, parse, and verify Vault references.
What data types can I use when referencing a secret in a Vault?
A secret reference points to a string value. No other data types are currently supported.
I have a secret with multiple versions, how do I specify an earlier version when I’m referencing the secret?
If you have a secret with multiple versions, you can access the current version or any previous version of the secret by specifying a version in the reference.
In the following AWS example, AWSCURRENT refers to the latest secret version and AWSPREVIOUS refers to an older version:
# For AWSCURRENT, not specifying version
{vault://aws/secret-name/foo}
# For AWSCURRENT, specifying version == 1
{vault://aws/secret-name/foo#1}
# For AWSPREVIOUS, specifying version == 2
{vault://aws/secret-name/foo#2}
This applies to all providers with versioned secrets.
My secret in AWS Secret Manager has a / backslash in the secret name. How do I reference this secret in Kong Gateway?
The slash symbol (/) is a valid character for the secret name in AWS Secrets Manager. If you want to reference a secret name that starts with a slash or has two consecutive slashes, transform one of the slashes in the name into URL-encoded format. For example:
/secret/key should be referenced as {vault://aws/%2Fsecret/key}
secret/path//aaa/key should be referenced as {vault://aws/secret/path/%2Faaa/key}
Since Kong Gateway tries to resolve the secret reference as a valid URL, using a slash instead of a URL-encoded slash will result in unexpected secret name fetching.
I have secrets stored in multiple AWS Secret Manager regions, how do I reference those secrets in Kong Gateway?
You can create multiple Vault entities, one per region with the config.region parameter. You’d then reference the secret by the name of the Vault:
{vault://aws-eu-central-vault/secret-name/foo}
{vault://aws-us-west-vault/secret-name/snip}
I’m using Google Workload Identity, how do I configure a Vault?
To use GCP Secret Manager with
Workload Identity
on a GKE cluster, update your pod spec so that the service account (GCP_SERVICE_ACCOUNT) is
attached to the pod. For configuration information, read the Workload
Identity configuration
documentation.
Notes:
- With Workload Identity, setting the
GCP_SERVICE_ACCOUNTisn’t necessary.- When using GCP Vault as a backend, make sure you have configured
systemas part of thelua_ssl_trusted_certificateconfiguration directive so that the SSL certificates used by the official GCP API can be trusted by Kong Gateway.
How does Kong Gateway retrieve secrets from HashiCorp Vault?
Kong Gateway retrieves secrets from HashiCorp Vault’s HTTP API through a two-step process: authentication and secret retrieval.
Step 1: Authentication
Depending on the authentication method defined in config.auth_method, Kong Gateway authenticates to HashiCorp Vault using one of the following methods:
token auth method, Kong Gateway uses the config.token as the client token.kubernetes auth method, Kong Gateway uses the service account JWT token mounted in the pod (path defined in the config.kube_api_token_file) to call the login API for the Kubernetes auth path on the HashiCorp Vault server and retrieve a client token.approle auth method, Kong Gateway uses the AppRole credentials to retrieve a client token. The AppRole role ID is configured by field config.approle_role_id, and the secret ID is configured by field config.approle_secret_id or config.approle_secret_id_file.
config.approle_response_wrapping to true, then the secret ID configured by
config.approle_secret_id or config.approle_secret_id_file will be a response wrapping token,
and Kong Gateway will call the unwrap API /v1/sys/wrapping/unwrap to unwrap the response wrapping token to fetch
the real secret ID. Kong Gateway will use the AppRole role ID and secret ID to call the login API for the AppRole auth path
on the HashiCorp Vault server and retrieve a client token.gcp_iam auth method, Kong Gateway generates a signed JWT using the GCP service account configured in config.gcp_service_account and exchanges it for a HashiCorp Vault token via the GCP login path (config.gcp_login_path). The role is specified by config.gcp_auth_role.gcp_gce (GCP Compute Engine) auth method, Kong Gateway uses the instance identity token from the GCE metadata server and exchanges it for a HashiCorp Vault token via the GCP login path (config.gcp_login_path). The role is specified by config.gcp_auth_role.azure auth method, Kong Gateway uses the Azure Managed Identity token and exchanges it for a HashiCorp Vault token via the Azure login path (config.azure_login_path). The role is specified by config.azure_auth_role.aws_ec2 auth method, Kong Gateway uses the EC2 instance identity document and a nonce (config.aws_auth_nonce) to authenticate with HashiCorp Vault via the AWS login path (config.aws_login_path). The role is specified by config.aws_auth_role.aws_iam auth method, Kong Gateway signs an AWS STS GetCallerIdentity request using IAM credentials (config.aws_access_key_id and config.aws_secret_access_key, or the default credential provider chain) and exchanges it for a HashiCorp Vault token via the AWS login path (config.aws_login_path). The role is specified by config.aws_auth_role. For cross-account authentication, config.aws_assume_role_arn and config.aws_role_session_name are required to assume an IAM role in the target account before signing the request.By calling the login API, Kong Gateway will retrieve a client token and then use it in the next step as the value of X-Vault-Token header to retrieve a secret.
Step 2: Retrieving the secret
Kong Gateway uses the client token retrieved in the authentication step to call the Read Secret API and retrieve the secret value. The request varies depending on the secrets engine version you’re using. Kong Gateway will parse the response of the read secret API automatically and return the secret value.
Can Azure Key Vault be used with a proxy?
v3.12+ Yes. Azure Key Vault supports proxy configuration using either environment variables or client constructor arguments.
Environment variables
export AZURE_HTTP_PROXY=http://proxy.example.com:8080
export AZURE_HTTPS_PROXY=http://proxy.example.com:8080
export AZURE_NO_PROXY=localhost,127.0.0.1,.local
export AZURE_AUTH_USERNAME=proxyuser
export AZURE_AUTH_PASSWORD=proxypass
Constructor arguments
local azure_client = require("resty.azure"):new({
tenant_id = "tenant-uuid",
client_id = "app-registration-client-id",
client_secret = "app-registration-client-secret",
http_proxy = "http://proxy.example.com:8080",
https_proxy = "http://proxy.example.com:8080",
no_proxy = "localhost,127.0.0.1,.local",
auth_username = "proxyuser",
auth_password = "proxypass",
})
Notes:
- Constructor arguments take precedence over environment variables.
- When
auth_usernameandauth_passwordare provided, they will be automatically converted to a Basic authentication header for both HTTP and HTTPS proxy authorization.