Encrypt: Encrypt with AWS Key Vault - Policy

Encrypt with AWS Key Vault

Use an AWS Key Vault to encrypt message values.

Prerequisites

A Decrypt policy to pair with this Encrypt policy. The AWS ARN links the Encrypt and Decrypt policies.
An AWS KMS key ARN.

Environment variables

AWS_KEY_ARN: The KMS key ARN in this format: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID

Set up the policy

curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/produce-policies \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "encrypt-using-aws",
      "type": "encrypt",
      "config": {
        "failure_mode": "passthrough",
        "part_of_record": [
          "value"
        ],
        "encryption_key": {
          "type": "aws",
          "arn": "'$AWS_KEY_ARN'"
        }
      }
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
virtualClusterId: The id of the Virtual Cluster.
eventGatewayId: The id of the Event Gateway.
eventGatewayListenerId: The id of the Event Gateway Listener.

See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect-beta = {
      source  = "kong/konnect-beta"
    }
  }
}

provider "konnect-beta" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration:

resource "konnect_event_gateway_produce_policy_encrypt" "my_virtual_cluster_policy_encrypt" {
  provider = konnect-beta
  type = "encrypt"
  config = {
    failure_mode = "passthrough"
    part_of_record = ["value"]

    encryption_key = {
      type = "aws"
      arn = var.aws_key_arn
    }
  }


  virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id

  gateway_id = konnect_event_gateway.my_event_gateway.id
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_key_arn" {
  type = string
}

Copied!

The following example creates a new encrypt policy.

Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:

event_gateway_policy.yaml

Copied!

event_gateways:
  - ref: eventGatewayName
    name: eventGatewayName
    virtual_clusters:
    - ref: virtualClusterName
      name: virtualClusterName
      produce_policies:
      - ref: encrypt-using-aws
        type: encrypt
        encrypt:
          name: encrypt-using-aws
          config:
            failure_mode: passthrough
            part_of_record:
            - value
            encryption_key:
              type: aws
              arn: "${key_id}"

Make sure to replace the following placeholders with your own values:

eventGatewayName: The name of your Event Gateway.
virtualClusterName: The name of the Virtual Cluster.

Encrypt

Encrypt with AWS Key Vault

Prerequisites

Environment variables

Set up the policy

Help us make these docs great!

Still need help?