Decrypt using an AWS key vault
Decrypt a message value using a specific AWS key vault.
Prerequisites
- A corresponding Encrypt policy. Event Gateway uses the AWS ARN from the Encrypt policy to find the key for the Decrypt policy.
curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/consume-policies \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "decrypt-using-aws",
"type": "decrypt",
"config": {
"failure_mode": "passthrough",
"part_of_record": [
"value"
],
"key_sources": [
{
"type": "aws"
}
]
}
}
'Make sure to replace the following placeholders with your own values:
-
region: Geographic region where your Kong Konnect is hosted and operates. -
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account. -
virtualClusterId: Theidof the Virtual Cluster. -
eventGatewayId: Theidof the Event Gateway. -
eventGatewayListenerId: Theidof the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
Prerequisite: Configure your Personal Access Token
terraform {
required_providers {
konnect-beta = {
source = "kong/konnect-beta"
}
}
}
provider "konnect-beta" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}resource "konnect_event_gateway_consume_policy_decrypt" "my_virtual_cluster_policy_decrypt" {
provider = konnect-beta
type = "decrypt"
config = {
failure_mode = "passthrough"
part_of_record = ["value"]
key_sources = [
{
type = "aws"
} ]
}
virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id
gateway_id = konnect_event_gateway.my_event_gateway.id
}The following example creates a new decrypt policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
- ref: eventGatewayName
name: eventGatewayName
virtual_clusters:
- ref: virtualClusterName
name: virtualClusterName
consume_policies:
- ref: decrypt-using-aws
type: decrypt
decrypt:
name: decrypt-using-aws
config:
failure_mode: passthrough
part_of_record:
- value
key_sources:
- type: awsMake sure to replace the following placeholders with your own values:
-
eventGatewayName: Thenameof your Event Gateway. -
virtualClusterName: Thenameof the Virtual Cluster.