Use an AWS Key Vault to encrypt message values.
A Decrypt policy to pair with this Encrypt policy. The AWS ARN links the Encrypt and Decrypt policies.
An AWS KMS key ARN.
AWS_KEY_ARN: The KMS key ARN in this format: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID
curl -X POST https://{region}.api.konghq.com/v1/event-gateways/{eventGatewayId}/virtual-clusters/{virtualClusterId}/produce-policies \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "encrypt-using-aws",
"type": "encrypt",
"config": {
"failure_mode": "passthrough",
"part_of_record": [
"value"
],
"encryption_key": {
"type": "aws",
"arn": "'$AWS_KEY_ARN'"
}
}
}
'Make sure to replace the following placeholders with your own values:
region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
virtualClusterId: The id of the Virtual Cluster.
eventGatewayId: The id of the Event Gateway.
eventGatewayListenerId: The id of the Event Gateway Listener.
See the Konnect Event Gateway API reference to learn about region-specific URLs and personal access tokens.
terraform {
required_providers {
konnect-beta = {
source = "kong/konnect-beta"
}
}
}
provider "konnect-beta" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}resource "konnect_event_gateway_produce_policy_encrypt" "my_virtual_cluster_policy_encrypt" {
provider = konnect-beta
type = "encrypt"
config = {
failure_mode = "passthrough"
part_of_record = ["value"]
encryption_key = {
type = "aws"
arn = var.aws_key_arn
}
}
virtual_cluster_id = konnect_event_gateway_virtual_cluster.my_virtual_cluster.id
gateway_id = konnect_event_gateway.my_event_gateway.id
}This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.
variable "aws_key_arn" {
type = string
}The following example creates a new encrypt policy.
Add this snippet to an event_gateways resource in your declarative configuration file, and then manage it with kongctl:
event_gateways:
- ref: eventGatewayName
name: eventGatewayName
virtual_clusters:
- ref: virtualClusterName
name: virtualClusterName
produce_policies:
- ref: encrypt-using-aws
type: encrypt
encrypt:
name: encrypt-using-aws
config:
failure_mode: passthrough
part_of_record:
- value
encryption_key:
type: aws
arn: "${key_id}"Make sure to replace the following placeholders with your own values:
eventGatewayName: The name of your Event Gateway.
virtualClusterName: The name of the Virtual Cluster.