config.auth_method set to oauth2, and the requires HashiCorp and OAuth2 parameters.This is a Konnect tutorial and requires a Konnect personal access token.
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:
export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
export KONNECT_PROXY_URL='http://localhost:8000'
Copy and paste these into your terminal to configure your session.
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA
Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
You’ll need an Auth0 account to complete this tutorial.
To use OAuth2 authentication for your HashiCorp Vault with Auth0 as the identity provider (IdP), there are two important configurations to prepare in Auth0. First, you must authorize an Auth0 application so Kong Gateway can use the Auth0 Management API on your behalf. Next, you will create an API audience that Kong Gateway applications will be granted access to.
To get started configuring Auth0, log in to your Auth0 dashboard and complete the following:
From the sidebar, select Applications > Applications.
Click Create Application.
Give the application a memorable name, like “HashiCorp Vault OAuth2”.
Select the application type Machine to Machine Applications and click Create.
Select Auth0 Management API from the drop-down list.
read:client_grantscreate:client_grantsdelete:client_grantsupdate:client_grantsread:clientscreate:clientsdelete:clientsupdate:clientsupdate:client_keysNote: If you’re using Developer Managed Scopes, add
read:resource_serversto the permissions for your initial client application.
Click Authorize.
On the application page, click the Settings tab, locate the values for Domain, Client ID and Client Secret, and export them as environment variables:
export DECK_DOMAIN="YOUR AUTH0 DOMAIN"
export DECK_CLIENT_ID="YOUR AUTH0 CLIENT ID"
export DECK_CLIENT_SECRET="YOUR AUTH0 CLIENT SECRET"
Important: This tutorial uses the literal
rootstring as your token, which should only be used in testing and development environments.
root as your token.
vault server -dev -dev-root-token-id root
VAULT_ADDR to export.VAULT_ADDR as an environment variable.vault status
vault auth enable jwt
vault write auth/jwt/config jwks_url="https://$DECK_DOMAIN/.well-known/jwks.json"
demo:
vault write auth/jwt/role/demo \
role_type=jwt \
user_claim=sub \
token_type=batch \
token_policies="default" \
bound_subject="$DECK_CLIENT_ID@clients" \
bound_audiences="https://$DECK_DOMAIN/api/v2/"
vault kv put -mount="secret" "password" pass1=my-password
export DECK_HCV_HOST=host.docker.internal
export DECK_HCV_TOKEN=root
In this tutorial, we’re using host.docker.internal as our host instead of the localhost variable that HashiCorp Vault uses by default. This is because if you used the quick-start script Kong Gateway is running in a Docker container and uses a different localhost. Because we are running HashiCorp Vault in dev mode, we are using root for our token value.
Navigate to http://localhost:8200/ to access the HashiCorp Vault UI.
Enter “root” in the Token field and click Sign in.
Click Policies.
Click default.
path "secret/*" {
capabilities = ["read"]
}
Create a Vault entity with the required parameters for HashiCorp Vault:
echo '
_format_version: "3.0"
vaults:
- name: hcv
prefix: hashicorp-vault
description: Storing secrets in HashiCorp Vault
config:
host: "${{ env "DECK_HCV_HOST" }}"
token: "${{ env "DECK_HCV_TOKEN" }}"
kv: v2
mount: secret
port: 8200
protocol: http
auth_method: oauth2
oauth2_role_name: demo
oauth2_token_endpoint: https://${{ env "DECK_DOMAIN" }}/oauth/token
oauth2_client_id: "${{ env "DECK_CLIENT_ID" }}"
oauth2_client_secret: "${{ env "DECK_CLIENT_SECRET" }}"
oauth2_audiences: https://${{ env "DECK_DOMAIN" }}/api/v2/
' | deck gateway apply -
Since Konnect data plane container names can vary, set your container name as an environment variable:
export KONNECT_DP_CONTAINER='your-dp-container-name'
To validate that the secret was stored correctly in HashiCorp Vault, you can call a secret from your vault using the kong vault get command within the Data Plane container.
docker exec $KONNECT_DP_CONTAINER kong vault get {vault://hashicorp-vault/password/pass1}
docker exec kong-quickstart-gateway kong vault get {vault://hashicorp-vault/password/pass1}
If the vault was configured correctly, this command should return the value of the secret. You can use {vault://hashicorp-vault/password/pass1} to reference the secret in any referenceable field.
For more information about supported secret types, see What can be stored as a secret.
Stop the HashiCorp Vault dev server container by running the following:
docker rm -f vault
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
Can I configure Vault in a different way without using the Vault entity directly?
Yes, you can also configure a Vault in one of the following ways:
kong.conf, set at Kong Gateway startupSee the Vault reference for your provider for the available parameters and their format in each method.