Sign JWT with Consumer ID (v3.14+)
Sign an outgoing JWT in a request header using the authenticated Consumer’s ID as the subject. This example assumes a Consumer has already been authenticated before Datakit runs. This example contains the following nodes:
- The node GET_CONSUMER retrieves the currently authenticated Consumer object.
- The node BUILD_CLAIMS uses jq to extract the Consumer’s id and build a sub claim.
- The node SIGN_JWT signs a new JWT using an HMAC secret stored in Vault.
- The node BUILD_HEADER injects the signed token into an X-Consumer-JWT request header sent to the upstream service.
Note: Datakit has a priority of 810, which means it runs after rate limiting plugins (priority 900 and above). If you use Consumer-based rate limits, Datakit must run first so the Consumer is set before rate limiting executes. You can adjust this with dynamic plugin ordering.
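How an upstream service could validate the X-Consumer-JWT header that this flow produces, as an added example (not code from the Kong documentation). It assumes the token is a standard compact HS256 JWT whose exp claim is derived from expires_in; the function names, the secret and the Consumer ID are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

EXPECTED_ALG = "HS256"  # algorithm set on the SIGN_JWT node
EXPECTED_ISS = "kong"   # static_claims.iss set on the SIGN_JWT node


class TokenError(Exception):
    """The X-Consumer-JWT value must not be trusted."""


def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_consumer_jwt(token, secret, now=None):
    """Return the Consumer ID from `sub`, or raise TokenError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    except ValueError as exc:
        raise TokenError("malformed token") from exc

    # Pin the algorithm: the token header never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise TokenError("unexpected alg")

    # Constant-time comparison of the recomputed HMAC-SHA256 tag.
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")

    # Claims are parsed only after the signature has been checked.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISS:
        raise TokenError("unexpected iss")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenError("missing sub")
    return sub


def make_sample_token(secret, claims, alg=EXPECTED_ALG):
    """Constructed test input standing in for what SIGN_JWT would emit."""
    header_b64 = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload_b64 = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256)
    return header_b64 + "." + payload_b64 + "." + b64url_encode(mac.digest())


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-a-real-key"
    claims = {"sub": "00000000-0000-4000-8000-000000000001",  # constructed ID
              "iss": "kong", "exp": int(time.time()) + 300}
    print(verify_consumer_jwt(make_sample_token(secret, claims), secret))
```

The upstream needs the same HMAC secret as the gateway, so it should only accept this header on connections that come from Kong.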
Prerequisites
- You have configured a Consumer and an authentication plugin (for example, Key Auth or JWT).
- You have configured a Vault secret for the HMAC signing key.
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: datakit
    config:
      resources:
        vault:
          jwt_hmac_key: "{vault://env/JWT_HMAC_SECRET}"
      nodes:
        - name: GET_CONSUMER
          type: property
          property: kong.client.consumer
        - name: BUILD_CLAIMS
          type: jq
          input: GET_CONSUMER
          jq: |
            {
              "sub": .id
            }
        - name: SIGN_JWT
          type: jwt_sign
          algorithm: HS256
          expires_in: 300
          static_claims:
            iss: kong
          inputs:
            claims: BUILD_CLAIMS
            key: vault.jwt_hmac_key
        - name: BUILD_HEADER
          type: jq
          input: SIGN_JWT.token
          jq: |
            {
              "X-Consumer-JWT": .
            }
          output: service_request.headers
Make the following request:
curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: datakit
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  resources:
    vault:
      jwt_hmac_key: '{vault://env/JWT_HMAC_SECRET}'
  nodes:
  - name: GET_CONSUMER
    type: property
    property: kong.client.consumer
  - name: BUILD_CLAIMS
    type: jq
    input: GET_CONSUMER
    # jq string literals must be double-quoted (escaped here for the enclosing shell quotes)
    jq: |
      {
        \"sub\": .id
      }
  - name: SIGN_JWT
    type: jwt_sign
    algorithm: HS256
    expires_in: 300
    static_claims:
      iss: kong
    inputs:
      claims: BUILD_CLAIMS
      key: vault.jwt_hmac_key
  - name: BUILD_HEADER
    type: jq
    input: SIGN_JWT.token
    jq: |
      {
        \"X-Consumer-JWT\": .
      }
    output: service_request.headers
plugin: datakit
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
  enabled = true
  config = {
    resources = {
      vault = {
        jwt_hmac_key = "{vault://env/JWT_HMAC_SECRET}"
      }
    }
    nodes = [
      {
        name = "GET_CONSUMER"
        type = "property"
        property = "kong.client.consumer"
      },
      {
        name = "BUILD_CLAIMS"
        type = "jq"
        input = "GET_CONSUMER"
        jq = <<EOF
{
  "sub": .id
}
EOF
      },
      {
        name = "SIGN_JWT"
        type = "jwt_sign"
        algorithm = "HS256"
        expires_in = 300
        static_claims = {
          iss = "kong"
        }
        inputs = {
          claims = "BUILD_CLAIMS"
          key = "vault.jwt_hmac_key"
        }
      },
      {
        name = "BUILD_HEADER"
        type = "jq"
        input = "SIGN_JWT.token"
        jq = <<EOF
{
  "X-Consumer-JWT": .
}
EOF
        output = "service_request.headers"
      }
    ]
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: datakit
    service: serviceName|Id
    config:
      resources:
        vault:
          jwt_hmac_key: "{vault://env/JWT_HMAC_SECRET}"
      nodes:
        - name: GET_CONSUMER
          type: property
          property: kong.client.consumer
        - name: BUILD_CLAIMS
          type: jq
          input: GET_CONSUMER
          jq: |
            {
              "sub": .id
            }
        - name: SIGN_JWT
          type: jwt_sign
          algorithm: HS256
          expires_in: 300
          static_claims:
            iss: kong
          inputs:
            claims: BUILD_CLAIMS
            key: vault.jwt_hmac_key
        - name: BUILD_HEADER
          type: jq
          input: SIGN_JWT.token
          jq: |
            {
              "X-Consumer-JWT": .
            }
          output: service_request.headers
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- serviceName|Id: The id or name of the service the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- serviceId: The id of the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: datakit
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  resources:
    vault:
      jwt_hmac_key: '{vault://env/JWT_HMAC_SECRET}'
  nodes:
  - name: GET_CONSUMER
    type: property
    property: kong.client.consumer
  - name: BUILD_CLAIMS
    type: jq
    input: GET_CONSUMER
    # jq string literals must be double-quoted (escaped here for the enclosing shell quotes)
    jq: |
      {
        \"sub\": .id
      }
  - name: SIGN_JWT
    type: jwt_sign
    algorithm: HS256
    expires_in: 300
    static_claims:
      iss: kong
    inputs:
      claims: BUILD_CLAIMS
      key: vault.jwt_hmac_key
  - name: BUILD_HEADER
    type: jq
    input: SIGN_JWT.token
    jq: |
      {
        \"X-Consumer-JWT\": .
      }
    output: service_request.headers
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
  enabled = true
  config = {
    resources = {
      vault = {
        jwt_hmac_key = "{vault://env/JWT_HMAC_SECRET}"
      }
    }
    nodes = [
      {
        name = "GET_CONSUMER"
        type = "property"
        property = "kong.client.consumer"
      },
      {
        name = "BUILD_CLAIMS"
        type = "jq"
        input = "GET_CONSUMER"
        jq = <<EOF
{
  "sub": .id
}
EOF
      },
      {
        name = "SIGN_JWT"
        type = "jwt_sign"
        algorithm = "HS256"
        expires_in = 300
        static_claims = {
          iss = "kong"
        }
        inputs = {
          claims = "BUILD_CLAIMS"
          key = "vault.jwt_hmac_key"
        }
      },
      {
        name = "BUILD_HEADER"
        type = "jq"
        input = "SIGN_JWT.token"
        jq = <<EOF
{
  "X-Consumer-JWT": .
}
EOF
        output = "service_request.headers"
      }
    ]
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: datakit
    route: routeName|Id
    config:
      resources:
        vault:
          jwt_hmac_key: "{vault://env/JWT_HMAC_SECRET}"
      nodes:
        - name: GET_CONSUMER
          type: property
          property: kong.client.consumer
        - name: BUILD_CLAIMS
          type: jq
          input: GET_CONSUMER
          jq: |
            {
              "sub": .id
            }
        - name: SIGN_JWT
          type: jwt_sign
          algorithm: HS256
          expires_in: 300
          static_claims:
            iss: kong
          inputs:
            claims: BUILD_CLAIMS
            key: vault.jwt_hmac_key
        - name: BUILD_HEADER
          type: jq
          input: SIGN_JWT.token
          jq: |
            {
              "X-Consumer-JWT": .
            }
          output: service_request.headers
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- routeName|Id: The id or name of the route the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- routeId: The id of the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: datakit
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  resources:
    vault:
      jwt_hmac_key: '{vault://env/JWT_HMAC_SECRET}'
  nodes:
  - name: GET_CONSUMER
    type: property
    property: kong.client.consumer
  - name: BUILD_CLAIMS
    type: jq
    input: GET_CONSUMER
    # jq string literals must be double-quoted (escaped here for the enclosing shell quotes)
    jq: |
      {
        \"sub\": .id
      }
  - name: SIGN_JWT
    type: jwt_sign
    algorithm: HS256
    expires_in: 300
    static_claims:
      iss: kong
    inputs:
      claims: BUILD_CLAIMS
      key: vault.jwt_hmac_key
  - name: BUILD_HEADER
    type: jq
    input: SIGN_JWT.token
    jq: |
      {
        \"X-Consumer-JWT\": .
      }
    output: service_request.headers
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=datakit
kubectl annotate -n kong ingress konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
  enabled = true
  config = {
    resources = {
      vault = {
        jwt_hmac_key = "{vault://env/JWT_HMAC_SECRET}"
      }
    }
    nodes = [
      {
        name = "GET_CONSUMER"
        type = "property"
        property = "kong.client.consumer"
      },
      {
        name = "BUILD_CLAIMS"
        type = "jq"
        input = "GET_CONSUMER"
        jq = <<EOF
{
  "sub": .id
}
EOF
      },
      {
        name = "SIGN_JWT"
        type = "jwt_sign"
        algorithm = "HS256"
        expires_in = 300
        static_claims = {
          iss = "kong"
        }
        inputs = {
          claims = "BUILD_CLAIMS"
          key = "vault.jwt_hmac_key"
        }
      },
      {
        name = "BUILD_HEADER"
        type = "jq"
        input = "SIGN_JWT.token"
        jq = <<EOF
{
  "X-Consumer-JWT": .
}
EOF
        output = "service_request.headers"
      }
    ]
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: datakit
    consumer: consumerName|Id
    config:
      resources:
        vault:
          jwt_hmac_key: "{vault://env/JWT_HMAC_SECRET}"
      nodes:
        - name: GET_CONSUMER
          type: property
          property: kong.client.consumer
        - name: BUILD_CLAIMS
          type: jq
          input: GET_CONSUMER
          jq: |
            {
              "sub": .id
            }
        - name: SIGN_JWT
          type: jwt_sign
          algorithm: HS256
          expires_in: 300
          static_claims:
            iss: kong
          inputs:
            claims: BUILD_CLAIMS
            key: vault.jwt_hmac_key
        - name: BUILD_HEADER
          type: jq
          input: SIGN_JWT.token
          jq: |
            {
              "X-Consumer-JWT": .
            }
          output: service_request.headers
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- consumerName|Id: The id or name of the consumer the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- consumerId: The id of the consumer the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: datakit
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  resources:
    vault:
      jwt_hmac_key: '{vault://env/JWT_HMAC_SECRET}'
  nodes:
  - name: GET_CONSUMER
    type: property
    property: kong.client.consumer
  - name: BUILD_CLAIMS
    type: jq
    input: GET_CONSUMER
    # jq string literals must be double-quoted (escaped here for the enclosing shell quotes)
    jq: |
      {
        \"sub\": .id
      }
  - name: SIGN_JWT
    type: jwt_sign
    algorithm: HS256
    expires_in: 300
    static_claims:
      iss: kong
    inputs:
      claims: BUILD_CLAIMS
      key: vault.jwt_hmac_key
  - name: BUILD_HEADER
    type: jq
    input: SIGN_JWT.token
    jq: |
      {
        \"X-Consumer-JWT\": .
      }
    output: service_request.headers
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumer resource:
kubectl annotate -n kong kongconsumer CONSUMER_NAME konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
  enabled = true
  config = {
    resources = {
      vault = {
        jwt_hmac_key = "{vault://env/JWT_HMAC_SECRET}"
      }
    }
    nodes = [
      {
        name = "GET_CONSUMER"
        type = "property"
        property = "kong.client.consumer"
      },
      {
        name = "BUILD_CLAIMS"
        type = "jq"
        input = "GET_CONSUMER"
        jq = <<EOF
{
  "sub": .id
}
EOF
      },
      {
        name = "SIGN_JWT"
        type = "jwt_sign"
        algorithm = "HS256"
        expires_in = 300
        static_claims = {
          iss = "kong"
        }
        inputs = {
          claims = "BUILD_CLAIMS"
          key = "vault.jwt_hmac_key"
        }
      },
      {
        name = "BUILD_HEADER"
        type = "jq"
        input = "SIGN_JWT.token"
        jq = <<EOF
{
  "X-Consumer-JWT": .
}
EOF
        output = "service_request.headers"
      }
    ]
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}
Add this section to your kong.yaml configuration file:
_format_version: "3.0"
plugins:
  - name: datakit
    consumer_group: consumerGroupName|Id
    config:
      resources:
        vault:
          jwt_hmac_key: "{vault://env/JWT_HMAC_SECRET}"
      nodes:
        - name: GET_CONSUMER
          type: property
          property: kong.client.consumer
        - name: BUILD_CLAIMS
          type: jq
          input: GET_CONSUMER
          jq: |
            {
              "sub": .id
            }
        - name: SIGN_JWT
          type: jwt_sign
          algorithm: HS256
          expires_in: 300
          static_claims:
            iss: kong
          inputs:
            claims: BUILD_CLAIMS
            key: vault.jwt_hmac_key
        - name: BUILD_HEADER
          type: jq
          input: SIGN_JWT.token
          jq: |
            {
              "X-Consumer-JWT": .
            }
          output: service_request.headers
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.
Make the following request:
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "datakit",
      "config": {
        "resources": {
          "vault": {
            "jwt_hmac_key": "{vault://env/JWT_HMAC_SECRET}"
          }
        },
        "nodes": [
          {
            "name": "GET_CONSUMER",
            "type": "property",
            "property": "kong.client.consumer"
          },
          {
            "name": "BUILD_CLAIMS",
            "type": "jq",
            "input": "GET_CONSUMER",
            "jq": "{\n \"sub\": .id\n}\n"
          },
          {
            "name": "SIGN_JWT",
            "type": "jwt_sign",
            "algorithm": "HS256",
            "expires_in": 300,
            "static_claims": {
              "iss": "kong"
            },
            "inputs": {
              "claims": "BUILD_CLAIMS",
              "key": "vault.jwt_hmac_key"
            }
          },
          {
            "name": "BUILD_HEADER",
            "type": "jq",
            "input": "SIGN_JWT.token",
            "jq": "{\n \"X-Consumer-JWT\": .\n}\n",
            "output": "service_request.headers"
          }
        ]
      },
      "tags": []
    }
    '
Make sure to replace the following placeholders with your own values:
- region: Geographic region where your Kong Konnect is hosted and operates.
- KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
- controlPlaneId: The id of the control plane.
- consumerGroupId: The id of the consumer group the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: datakit
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  resources:
    vault:
      jwt_hmac_key: '{vault://env/JWT_HMAC_SECRET}'
  nodes:
  - name: GET_CONSUMER
    type: property
    property: kong.client.consumer
  - name: BUILD_CLAIMS
    type: jq
    input: GET_CONSUMER
    # jq string literals must be double-quoted (escaped here for the enclosing shell quotes)
    jq: |
      {
        \"sub\": .id
      }
  - name: SIGN_JWT
    type: jwt_sign
    algorithm: HS256
    expires_in: 300
    static_claims:
      iss: kong
    inputs:
      claims: BUILD_CLAIMS
      key: vault.jwt_hmac_key
  - name: BUILD_HEADER
    type: jq
    input: SIGN_JWT.token
    jq: |
      {
        \"X-Consumer-JWT\": .
      }
    output: service_request.headers
plugin: datakit
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:
kubectl annotate -n kong kongconsumergroup CONSUMERGROUP_NAME konghq.com/plugins=datakit
Prerequisite: Configure your Personal Access Token
terraform {
  required_providers {
    konnect = {
      source = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_datakit" "my_datakit" {
  enabled = true
  config = {
    resources = {
      vault = {
        jwt_hmac_key = "{vault://env/JWT_HMAC_SECRET}"
      }
    }
    nodes = [
      {
        name = "GET_CONSUMER"
        type = "property"
        property = "kong.client.consumer"
      },
      {
        name = "BUILD_CLAIMS"
        type = "jq"
        input = "GET_CONSUMER"
        jq = <<EOF
{
  "sub": .id
}
EOF
      },
      {
        name = "SIGN_JWT"
        type = "jwt_sign"
        algorithm = "HS256"
        expires_in = 300
        static_claims = {
          iss = "kong"
        }
        inputs = {
          claims = "BUILD_CLAIMS"
          key = "vault.jwt_hmac_key"
        }
      },
      {
        name = "BUILD_HEADER"
        type = "jq"
        input = "SIGN_JWT.token"
        jq = <<EOF
{
  "X-Consumer-JWT": .
}
EOF
        output = "service_request.headers"
      }
    ]
  }
  tags = []
  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}