DIRECTORY_ID=$(curl -X POST "https://us.api.konghq.com/v2/directories" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"\
-H "Content-Type: application/json" \
--json '{
"name": "kong-identity-directory",
"description": "Directory for this tutorial",
"allow_all_control_planes": true
}' | jq -r ".id"
)Authenticate Principals with the Key Authentication plugin
Create a principal, create an API key for it, then enable the Key Authentication plugin with principals.enabled: true and set principals.directory to your directory name. Authenticate by sending the API key in the apikey header.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT' -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN \ --deck-outputThis sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copy and paste these into your terminal to configure your session.
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
-
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE' -
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATAOnce Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK v1.64.0+
To complete this tutorial, install decK. We recommend keeping decK up to date with the latest version (1.64.0).
decK is a CLI tool for managing Kong Gateway declaratively with state files.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
You can check your current decK version with deck version.
Required entities
For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:
-
Run the following command:
echo ' _format_version: "3.0" services: - name: example-service url: http://httpbin.konghq.com/anything routes: - name: example-route paths: - "/anything" service: name: example-service protocols: - http - https ' | deck gateway apply -
To learn more about entities, you can read our entities documentation.
Kong Identity directory
A directory is a regional collection of principals. Create a directory for this tutorial:
Create a Principal
Create the Principal by sending a POST request to the /v2/directories/{directoryId}/principals endpoint:
PRINCIPAL_ID=$(curl -X POST "https://us.api.konghq.com/v2/directories/$DIRECTORY_ID/principals" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"display_name": "example-principal",
"description": "Example principal"
}' | jq -r ".id"
)This script:
- Creates a Principal named
example-principal - Saves the returned ID as
$PRINCIPAL_ID
Add key auth
Add an API key credential to the principal so clients can authenticate with Kong Gateway using key auth.
The following example:
- Sets a system-generated key (
v1) - Stores the key secret as
$KEY_SECRET
KEY_SECRET=$(curl -X POST "https://us.api.konghq.com/v2/directories/$DIRECTORY_ID/principals/$PRINCIPAL_ID/api-keys" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"type": "v1"
}' | jq -r ".secret"
)Get the directory name
To configure the Key Auth plugin, you’ll need the name of the directory you created. Store it as DECK_DIRECTORY_NAME with this script:
DECK_DIRECTORY_NAME=$(curl -X GET "https://us.api.konghq.com/v2/directories" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" | jq -r ".data[0].name"
)Export the directory name so decK can read it during sync:
export DECK_DIRECTORY_NAMEConfigure the Key Auth plugin via decK
Enable the Key Auth plugin to allow clients to authenticate with a key when they make a request:
echo '
_format_version: "3.0"
plugins:
- name: key-auth
route: example-route
config:
identity_realms: []
principals:
enabled: true
directory: "${{ env "DECK_DIRECTORY_NAME" }}"
' | deck gateway apply -This configuration:
- Enables the plugin on
example-route. - Sets principal authentication by looking up API keys in the
kong-identity-directorydirectory.
Validate
By default, the Key Auth plugin reads the key from the apikey header.
First, run the following to verify that requests without a valid key are rejected:
curl -i $KONNECT_PROXY_URL/anything curl -i http://localhost:8000/anything This request returns a 401 error with the message Unauthorized.
Then, run the following command to test principal authentication using the API key stored in $KEY_SECRET:
curl -i "$KONNECT_PROXY_URL/anything" \
--no-progress-meter --fail-with-body \
-H "apikey: $KEY_SECRET"curl -i "http://localhost:8000/anything" \
--no-progress-meter --fail-with-body \
-H "apikey: $KEY_SECRET"Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d