decK can back up the configuration of your running Kong Gateway using the deck gateway dump command.
See the reference for Entities managed by decK to find out which entity configurations can be backed up.
The exact command that you need to run changes if you’re using Workspaces (on-prem only) or not.
The following commands will back up all of the configuration in to a single file. See tags to learn how to segment configuration.
decK can export one control plane at a time from Konnect. To choose which control plane is backed up, specify the --konnect-control-plane-name flag:
deck gateway dump \
-o $YOUR_CP_NAME.yaml \
--konnect-control-plane-name $YOUR_CP_NAME \
--konnect-token $KONNECT_TOKEN
If you’re using the default Workspace, decK automatically identifies the Workspace to back up:
deck gateway dump -o kong.yaml
To back up a different Workspace, pass the -w flag:
deck gateway dump -w $WORKSPACE_NAME -o $WORKSPACE_NAME.yaml
To back up all Workspaces, pass the --all-workspaces flag.
This creates multiple files in the current directory. Each file is named the same as its Workspace:
deck gateway dump --all-workspaces
The deck gateway dump command contains a --sanitize flag that obfuscates your configuration while maintaining referential integrity. The sanitized file can be applied to a running Kong Gateway with deck gateway sync, but no private details will be available.
This flag should be used when sharing configuration files that contain sensitive information, such as internal service names or upstream targets.
Free-form strings such as names, tags, usernames, passwords, consumer IDs, hostnames, and paths are hashed to prevent leakage of original values while ensuring consistent references across linked entities.
For structured secrets like certificates and keys that must follow a specific format, the algorithm inserts unique mock examples instead of hashes, allowing them to pass validators without exposing real values.
To calculate the hash, deck uses the following process:
Usage:
deck gateway dump [flags]
Flags:
--all-workspaces dump configuration of all Workspaces (Kong Enterprise only).
--consumer-group-policy-overrides allow deck to dump consumer-group policy overrides.
This allows policy overrides to work with Kong GW versions >= 3.4
Warning: do not mix with consumer-group scoped plugins
--format string output file format: json or yaml. (default "yaml")
-h, --help help for dump
-o, --output-file - file to which to write Kong's configuration.Use - to write to stdout. (default "-")
--rbac-resources-only export only the RBAC resources (Kong Enterprise only).
--sanitize dumps a sanitized version of the gateway configuration.
This feature hashes passwords, keys and other sensitive details.
--select-tag strings only entities matching tags specified with this flag are exported.
When this setting has multiple tag values, entities must match every tag.
--skip-ca-certificates do not dump CA certificates.
--skip-consumers skip exporting consumers, consumer-groups and any plugins associated with them.
--skip-consumers-with-consumer-groups do not show the association between consumer and consumer-group.
If set to true, deck skips listing consumers with consumer-groups,
thus gaining some performance with large configs. This flag is not valid with Konnect.
--with-id write ID of all entities in the output
-w, --workspace string dump configuration of a specific Workspace(Kong Enterprise only).
--yes yes assume yes to prompts and run non-interactively.