Realms for external Consumers in Konnect
You can authenticate consumers that are managed centrally in Konnect by configuring the identity_realms field in the Key Auth plugin. A Data Plane can only reach out to realms in the same region as they are deployed.
identity_realms are scoped to the Control Plane by default (scope: cp).
The order in which you configure the identity_realms dictates the priority in which the Data Plane attempts to authenticate the provided API keys.
See the realm priority reference for details.
For a full tutorial of this example, see Create a centrally-managed Consumer in Konnect.
Prerequisites
- You have a realm configured with an associated Control Plane in Konnect.
You can do this with the
/realmsendpoint.
Environment variables
-
REGION: Region for your Konnect instance. -
REALM_ID: The ID of the realm you created in the prerequisites.
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: key-auth
config:
key_names:
- apikey
identity_realms:
- scope: realm
region: ${{ env "DECK_REGION" }}
id: ${{ env "DECK_REALM_ID" }}
- scope: cp
Make the following request:
curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "key-auth",
"config": {
"key_names": [
"apikey"
],
"identity_realms": [
{
"scope": "realm",
"region": "'$REGION'",
"id": "'$REALM_ID'"
},
{
"scope": "cp"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
name: key-auth
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
labels:
global: 'true'
config:
key_names:
- apikey
identity_realms:
- scope: realm
region: '$REGION'
id: '$REALM_ID'
- scope: cp
plugin: key-auth
" | kubectl apply -f -
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_key_auth" "my_key_auth" {
enabled = true
config = {
key_names = ["apikey"]
identity_realms = [
{
scope = "realm"
region = var.region
id = var.realm_id
},
{
scope = "cp"
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "realm_id" {
type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: key-auth
service: serviceName|Id
config:
key_names:
- apikey
identity_realms:
- scope: realm
region: ${{ env "DECK_REGION" }}
id: ${{ env "DECK_REALM_ID" }}
- scope: cp
Make sure to replace the following placeholders with your own values:
-
serviceName|Id: Theidornameof the service the plugin configuration will target.
Make the following request:
curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "key-auth",
"config": {
"key_names": [
"apikey"
],
"identity_realms": [
{
"scope": "realm",
"region": "'$REGION'",
"id": "'$REALM_ID'"
},
{
"scope": "cp"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
serviceId: Theidof the service the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: key-auth
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
key_names:
- apikey
identity_realms:
- scope: realm
region: '$REGION'
id: '$REALM_ID'
- scope: cp
plugin: key-auth
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the service resource:
kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=key-auth
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_key_auth" "my_key_auth" {
enabled = true
config = {
key_names = ["apikey"]
identity_realms = [
{
scope = "realm"
region = var.region
id = var.realm_id
},
{
scope = "cp"
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
service = {
id = konnect_gateway_service.my_service.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "realm_id" {
type = string
}
Add this section to your declarative configuration file:
_format_version: "3.0"
plugins:
- name: key-auth
route: routeName|Id
config:
key_names:
- apikey
identity_realms:
- scope: realm
region: ${{ env "DECK_REGION" }}
id: ${{ env "DECK_REALM_ID" }}
- scope: cp
Make sure to replace the following placeholders with your own values:
-
routeName|Id: Theidornameof the route the plugin configuration will target.
Make the following request:
curl -X POST https://.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "key-auth",
"config": {
"key_names": [
"apikey"
],
"identity_realms": [
{
"scope": "realm",
"region": "'$REGION'",
"id": "'$REALM_ID'"
},
{
"scope": "cp"
}
]
}
}
'
Make sure to replace the following placeholders with your own values:
-
controlPlaneId: Theidof the control plane. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
routeId: Theidof the route the plugin configuration will target.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: key-auth
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
config:
key_names:
- apikey
identity_realms:
- scope: realm
region: '$REGION'
id: '$REALM_ID'
- scope: cp
plugin: key-auth
" | kubectl apply -f -
Next, apply the KongPlugin resource by annotating the httproute or ingress resource:
kubectl annotate -n kong httproute konghq.com/plugins=key-auth
kubectl annotate -n kong ingress konghq.com/plugins=key-auth
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
Add the following to your Terraform configuration to create a Konnect Gateway Plugin:
resource "konnect_gateway_plugin_key_auth" "my_key_auth" {
enabled = true
config = {
key_names = ["apikey"]
identity_realms = [
{
scope = "realm"
region = var.region
id = var.realm_id
},
{
scope = "cp"
} ]
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
route = {
id = konnect_gateway_route.my_route.id
}
}
This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "realm_id" {
type = string
}