Manage everything in one place? Explore Konnect, our unified API platform.
Learn more →Vaults allow you to securely store and then reference secrets from within other entities. This ensures that secrets aren’t visible in plaintext throughout the platform, in places such as kong.conf,
declarative configuration files, logs, or the UI.
For example, you could store a certificate and a key in a Vault, then reference them from a Certificate entity. This way, the certificate and key are not stored in the entity directly and are more secure.
You can add secrets to Vaults in one of the following ways:
You can store and reference the following as secrets in a Vault:
kong.conf values1. For example:
Konnect Config Store limitations:
- 1: You can’t reference secrets stored in a Konnect Config Store Vault in
kong.confbecause Konnect resolves the secret after Kong Gateway connects to the Control Plane. For this same reason, you can’t use Konnect Config Store secrets directly in Lua code via the Kong PDK, for example.- 2: In Konnect, the Kong Gateway license is managed and stored by Konnect, and doesn’t need to be stored manually in any Vault.
The following plugin fields can be stored and referenced as secrets:
| Plugin | Referenceable Plugin Fields |
|---|---|
| ACME |
|
| AI Azure Content Safety |
|
| AI Proxy |
|
| AI Proxy Advanced |
|
| AI RAG Injector |
|
| AI Rate Limiting Advanced |
|
| AI Request Transformer |
|
| AI Response Transformer |
|
| AI Semantic Cache |
|
| AI Semantic Prompt Guard |
|
| AWS Lambda |
|
| Azure Functions |
|
| Confluent |
|
| Confluent Consume |
|
| Datadog |
|
| Forward Proxy Advanced |
|
| GraphQL Proxy Caching Advanced |
|
| GraphQL Rate Limiting Advanced |
|
| HTTP Log |
|
| JWT Signer |
|
| Kafka Consume |
|
| Kafka Log |
|
| Kafka Upstream |
|
| LDAP Authentication Advanced |
|
| Loggly |
|
| OAuth 2.0 Introspection |
|
| OpenID Connect |
|
| OpenTelemetry |
|
| Proxy Caching Advanced |
|
| Rate Limiting |
|
| Rate Limiting Advanced |
|
| Request Callout |
|
| Request Transformer Advanced |
|
| Response Rate Limiting |
|
| SAML |
|
| Service Protection |
|
| Session |
|
| Standard Webhooks |
|
| Upstream OAuth |
|
| Plugin | Referenceable Plugin Fields |
|---|---|
| ACME |
|
| AI Azure Content Safety |
|
| AI Proxy |
|
| AI Proxy Advanced |
|
| AI Rate Limiting Advanced |
|
| AI Request Transformer |
|
| AI Response Transformer |
|
| AI Semantic Cache |
|
| AI Semantic Prompt Guard |
|
| AWS Lambda |
|
| Azure Functions |
|
| Confluent |
|
| Datadog |
|
| Forward Proxy Advanced |
|
| GraphQL Proxy Caching Advanced |
|
| GraphQL Rate Limiting Advanced |
|
| HTTP Log |
|
| JWT Signer |
|
| Kafka Log |
|
| Kafka Upstream |
|
| LDAP Authentication Advanced |
|
| Loggly |
|
| OAuth 2.0 Introspection |
|
| OpenID Connect |
|
| OpenTelemetry |
|
| Proxy Caching Advanced |
|
| Rate Limiting |
|
| Rate Limiting Advanced |
|
| Request Transformer Advanced |
|
| Response Rate Limiting |
|
| SAML |
|
| Service Protection |
|
| Session |
|
| Standard Webhooks |
|
| Upstream OAuth |
|
| Plugin | Referenceable Plugin Fields |
|---|---|
| ACME |
|
| AI Azure Content Safety |
|
| AI Proxy |
|
| AI Proxy Advanced |
|
| AI Rate Limiting Advanced |
|
| AI Request Transformer |
|
| AI Response Transformer |
|
| AI Semantic Cache |
|
| AI Semantic Prompt Guard |
|
| AWS Lambda |
|
| Azure Functions |
|
| Confluent |
|
| Datadog |
|
| Forward Proxy Advanced |
|
| GraphQL Proxy Caching Advanced |
|
| GraphQL Rate Limiting Advanced |
|
| HTTP Log |
|
| JWT Signer |
|
| Kafka Log |
|
| Kafka Upstream |
|
| LDAP Authentication Advanced |
|
| Loggly |
|
| OAuth 2.0 Introspection |
|
| OpenID Connect |
|
| OpenTelemetry |
|
| Proxy Caching Advanced |
|
| Rate Limiting |
|
| Rate Limiting Advanced |
|
| Request Transformer Advanced |
|
| Response Rate Limiting |
|
| SAML |
|
| Session |
|
| Standard Webhooks |
|
| Upstream OAuth |
|
| Plugin | Referenceable Plugin Fields |
|---|---|
| ACME |
|
| AI Azure Content Safety |
|
| AI Proxy |
|
| AI Rate Limiting Advanced |
|
| AI Request Transformer |
|
| AI Response Transformer |
|
| AWS Lambda |
|
| Azure Functions |
|
| Datadog |
|
| Forward Proxy Advanced |
|
| GraphQL Proxy Caching Advanced |
|
| GraphQL Rate Limiting Advanced |
|
| HTTP Log |
|
| JWT Signer |
|
| Kafka Log |
|
| Kafka Upstream |
|
| LDAP Authentication Advanced |
|
| Loggly |
|
| OAuth 2.0 Introspection |
|
| OpenID Connect |
|
| OpenTelemetry |
|
| Proxy Caching Advanced |
|
| Rate Limiting |
|
| Rate Limiting Advanced |
|
| Request Transformer Advanced |
|
| Response Rate Limiting |
|
| SAML |
|
| Session |
|
| Plugin | Referenceable Plugin Fields |
|---|---|
| ACME |
|
| AWS Lambda |
|
| Azure Functions |
|
| Datadog |
|
| Forward Proxy Advanced |
|
| GraphQL Rate Limiting Advanced |
|
| HTTP Log |
|
| Kafka Log |
|
| Kafka Upstream |
|
| LDAP Authentication Advanced |
|
| Loggly |
|
| OAuth 2.0 Introspection |
|
| OpenID Connect |
|
| OpenTelemetry |
|
| Proxy Caching Advanced |
|
| Rate Limiting |
|
| Rate Limiting Advanced |
|
| Request Transformer Advanced |
|
| Response Rate Limiting |
|
| SAML |
|
| Session |
|
Each vault has its own required configuration. You can provide this configuration by creating a Vault entity, or by configuring specific environment variables before starting Kong Gateway.
For more information, choose a Vault below to see the specific configuration required.
| Backend | Kong Gateway OSS | Kong Gateway Enterprise | Konnect supported |
|---|---|---|---|
| Environment variable | |||
| Konnect Config Store | |||
| AWS Secrets Manager | |||
| Azure Key Vaults | |||
| Google Cloud Secret | |||
| HashiCorp Vault |
When you want to use a secret stored in a Vault, you can reference the secret with a vault reference. You can use the vault reference in places such as kong.conf, declarative configuration files, logs, or in the UI.
The Vault backend may store multiple related secrets inside an object, but the reference should always point to a key that resolves to a string value. For example, the following reference:
{vault://hcv/pg/username}
Would point to a secret object called pg inside a HashiCorp Vault, which may return the following value:
{
"username": "john",
"password": "doe"
}
Kong Gateway receives the payload and extracts the "username" value of "john" for the secret reference of
{vault://hcv/pg/username}.
Vault references must be used for the whole referenced value.
Imagine that you’re calling a upstream service with the authentication token ABC123:
| Works | Configuration Value | Vault Value |
|---|---|---|
| ❌ | Bearer {vault://hcv/myservice-auth-token} | ABC123 |
| ✅ | {vault://hcv/myservice-auth-token} | Bearer ABC123 |
By default, Kong Gateway automatically refreshes secrets once every minute in the background. You can also configure how often Kong Gateway refreshes secrets using the Vault entity configuration.
There are two types of refresh configuration available:
For more information, see Secret management.
The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vaults entity.
When you set up a Vault, each provider has specific parameters that you can or must configure to integrate the Vault entity with a provider.
|
Parameter |
Field name |
Description |
|---|---|---|
vaults.config.prefix
|
config-prefix (Kong Manager) Environment variable prefix (Konnect) |
The prefix for the environment variable that the value will be stored in. |
|
Parameter |
Field name |
Description |
|---|---|---|
vaults.config.region
|
AWS region | The AWS region where your vault is located. |
vaults.config.endpoint_url v3.4+
|
AWS Secrets Manager Endpoint URL |
The endpoint URL of the AWS Secrets Manager service. If not specified, the default is https://secretsmanager.{region}.amazonaws.com. You can override this by specifying a complete URL including the http/https scheme.
|
vaults.config.assume_role_arn v3.4+
|
Assume AWS IAM role ARN | The target IAM role ARN to assume when accessing AWS Secrets Manager. If specified, the backend will assume this role using your current runtime’s IAM Role. Leave empty if not using an assumed role. |
vaults.config.role_session_name v3.4+
|
Role Session Name |
The session name used when assuming a role. Defaults to KongVault.
|
vaults.config.sts_endpoint_url v3.8+
|
AWS STS Endpoint URL |
A custom STS endpoint URL used for IAM role assumption. Overrides the default https://sts.amazonaws.com or regional variant https://sts.<region>.amazonaws.com. Include the full http/https scheme. Only specify this if using a private VPC endpoint for STS.
|
vaults.config.ttl
|
TTL | The time-to-live (in seconds) for cached secrets. A value of 0 (default) disables rotation. If non-zero, use at least 60 seconds. |
vaults.config.neg_ttl
|
Negative TTL | The TTL (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. When the TTL expires, Kong will retry fetching the secret. |
vaults.config.resurrect_ttl
|
Resurrect TTL | The duration (in seconds) for which expired secrets will continue to be used if the vault is unreachable or the secret is deleted. After this time, Kong stops retrying. The default is 1e8 seconds (~3 years) to ensure resilience during unexpected issues. |
|
Parameter |
Field name |
Description |
|---|---|---|
vaults.config.vault_uri
|
Vault URI | The URI from which the vault is reachable. This value can be found in your Azure Key Vault Dashboard under the Vault URI entry. |
vaults.config.client_id
|
Client ID | The client ID for your registered application. You can find this in the Azure Dashboard under App Registrations. |
vaults.config.tenant_id
|
Tenant ID |
The DirectoryId and TenantId are the same: both refer to the GUID representing your Azure Active Directory tenant. Microsoft documentation and products may use either term depending on context.
|
vaults.config.location
|
Location | Each Azure geography includes one or more regions that meet specific data residency and compliance requirements. |
vaults.config.type
|
Type |
Azure Key Vault supports different data types such as keys, secrets, and certificates. Kong currently supports only secrets.
|
vaults.config.ttl
|
TTL | Time-to-live (in seconds) for a cached secret. A value of 0 (default) means no rotation. For non-zero values, it is recommended to use intervals of at least 60 seconds. |
vaults.config.neg_ttl
|
Negative TTL |
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. After neg_ttl expires, Kong retries fetching the secret.
|
vaults.config.resurrect_ttl
|
Resurrect TTL |
Duration (in seconds) that secrets remain usable after expiration (config.ttl limit). Useful when the vault is unreachable or a secret is deleted. Kong retries refreshing the secret for this duration. Afterward, it stops. The default is 1e8 seconds (~3 years) to ensure resiliency during issues.
|
|
Parameter |
Field name |
Description |
|---|---|---|
vaults.config.project_id
|
Google Project ID | The project ID from your Google API Console. You can find it by visiting your Google API Console and selecting “Manage all projects” in the projects list. |
vaults.config.ttl
|
TTL | Time-to-live (in seconds) for a cached secret. A value of 0 (default) disables rotation. For non-zero values, use a minimum of 60 seconds. |
vaults.config.neg_ttl
|
Negative TTL |
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. Kong will retry fetching the secret after neg_ttl expires.
|
vaults.config.resurrect_ttl
|
Resurrect TTL |
Time (in seconds) that secrets remain in use after expiration (config.ttl ends). Useful if the vault is unreachable or the secret is deleted but not yet replaced. Kong continues to retry for resurrect_ttl seconds before giving up. The default is 1e8 seconds (~3 years) to support uninterrupted service during outages.
|
|
Parameter |
Field name |
Description |
|---|---|---|
vaults.config.protocol
|
config-protocol (Kong Manager) Protocol (Konnect) |
The protocol to connect with. Accepts one of http or https.
|
vaults.config.host
|
config-host (Kong Manager) Host (Konnect) |
The hostname of your HashiCorp vault. |
vaults.config.port
|
config-port (Kong Manager) Port (Konnect) |
The port number of your HashiCorp vault. |
vaults.config.mount
|
config-mount (Kong Manager) Mount (Konnect) |
The mount point. |
vaults.config.kv
|
config-kv (Kong Manager) Kv (Konnect) |
The secrets engine version. Accepts v1 or v2.
|
vaults.config.token
|
config-token (Kong Manager) Token (Konnect) |
A token string. |
vaults.config.ttl
|
TTL | Time-to-live (in seconds) for a cached secret. A value of 0 (default) disables rotation. For non-zero values, use at least 60 seconds. |
vaults.config.neg_ttl
|
Negative TTL |
Time-to-live (in seconds) for caching failed secret lookups. A value of 0 (default) disables negative caching. Kong retries after neg_ttl expires.
|
vaults.config.resurrect_ttl
|
Resurrect TTL |
Time (in seconds) that secrets remain in use after expiration (config.ttl is over). Useful if the vault is unreachable or a secret is deleted. Kong continues retrying for resurrect_ttl seconds, then stops. Default is 1e8 seconds (~3 years).
|
vaults.config.namespace v3.1+
|
namespace | Namespace for the Vault. Vault Enterprise requires a namespace to connect successfully. |
vaults.config.auth_method v3.1+
|
auth-method |
Defines the authentication mechanism for connecting to the HashiCorp Vault service. Accepts token, kubernetes, or approle.
|
vaults.config.kube_role v3.1+
|
kube-role |
Role assigned to the Kubernetes service account. Only used when keyring_vault_auth_method is set to kubernetes.
|
vaults.config.kube_api_token_file v3.1+
|
kube-api-token-file |
Path to the Kubernetes service account token file. Defaults to /run/secrets/kubernetes.io/serviceaccount/token if unspecified.
|
vaults.config.kube_auth_path v3.4+
|
kube-auth-path |
Path for enabling the Kubernetes auth method. Defaults to kubernetes. Single leading/trailing slashes are trimmed.
|
vaults.config.approle_auth_path v3.4+
|
approle_auth_path |
Path for enabling the AppRole auth method. Defaults to AppRole. Single leading/trailing slashes are trimmed.
|
vaults.config.approle_role_id v3.4+
|
approle_role_id | Specifies the AppRole role ID in HashiCorp Vault. |
vaults.config.approle_secret_id v3.4+
|
approle_secret_id | Defines the AppRole’s secret ID in HashiCorp Vault. |
vaults.config.approle_secret_id_file v3.4+
|
approle_secret_id_file | Path to a file containing the AppRole secret ID. |
vaults.config.approle_response_wrapping v3.4+
|
approle_response_wrapping |
Whether the secret ID is a response-wrapping token. Defaults to false. When true, Kong unwraps the token to get the actual secret ID. Note: tokens can only be unwrapped once; distribute them individually to Kong nodes.
|
_format_version: "3.0"
vaults:
- name: env
description: ENV vault for secrets
prefix: my-env-vault
config:
prefix: MY_SECRET_
curl -i -X POST http://localhost:8001/vaults/ \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--data '
{
"name": "env",
"description": "ENV vault for secrets",
"prefix": "my-env-vault",
"config": {
"prefix": "MY_SECRET_"
}
}
'
curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/vaults/ \
--header "accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $KONNECT_TOKEN" \
--data '
{
"name": "env",
"description": "ENV vault for secrets",
"prefix": "my-env-vault",
"config": {
"prefix": "MY_SECRET_"
}
}
'
Make sure to replace the following placeholders with your own values:
region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
See the Konnect API reference to learn about region-specific URLs and personal access tokens.
echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
name: env-vault
namespace: kong
annotations:
kubernetes.io/ingress.class: kong
spec:
backend: env
description: ENV vault for secrets
prefix: my-env-vault
config:
prefix: MY_SECRET_
" | kubectl apply -f -
terraform {
required_providers {
konnect = {
source = "kong/konnect"
}
}
}
provider "konnect" {
personal_access_token = "$KONNECT_TOKEN"
server_url = "https://us.api.konghq.com/"
}
resource "konnect_gateway_vault" "my_vault" {
description = "ENV vault for secrets"
prefix = "my-env-vault"
config = {
prefix = "MY_SECRET_"
}
control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}
The following creates a new Vault with basic configuration:
env
my-env-vault
ENV vault for secrets
You can store secrets as environment variables instead of configuring a Vault entity or third-party backend vault.
|
Use case |
Environment variable example |
Secret reference example |
|---|---|---|
| Single secret value |
export MY_SECRET_VALUE=example-secret
|
{vault://env/my-secret-value}
|
| Multiple secrets (flat JSON string) |
export PG_CREDS='{"username":"user", "password":"pass"}'
|
{vault://env/pg-creds/username}
{vault://env/pg-creds/password}
|
What types of fields can be used in Vaults?
Vaults work with “referenceable” fields. All fields in kong.conf are referenceable and some fields within entities (for example, plugins, certificates) are also. Refer to the appropriate entity documentation to learn more.
Can Vaults be referenced during custom plugin development?
Yes. The plugin development kit (PDK) offers a Vaults module (kong.vault) that can be used to resolve, parse, and verify Vault references.
What data types can I use when referencing a secret in a Vault?
A secret reference points to a string value. No other data types are currently supported.
I have a secret with multiple versions, how do I specify an earlier version when I’m referencing the secret?
If you have a secret with multiple versions, you can access the current version or any previous version of the secret by specifying a version in the reference.
In the following AWS example, AWSCURRENT refers to the latest secret version and AWSPREVIOUS refers to an older version:
# For AWSCURRENT, not specifying version
{vault://aws/secret-name/foo}
# For AWSCURRENT, specifying version == 1
{vault://aws/secret-name/foo#1}
# For AWSPREVIOUS, specifying version == 2
{vault://aws/secret-name/foo#2}
This applies to all providers with versioned secrets.
My secret in AWS Secret Manager has a / backslash in the secret name. How do I reference this secret in Kong Gateway?
The slash symbol (/) is a valid character for the secret name in AWS Secrets Manager. If you want to reference a secret name that starts with a slash or has two consecutive slashes, transform one of the slashes in the name into URL-encoded format. For example:
/secret/key should be referenced as {vault://aws/%2Fsecret/key}
secret/path//aaa/key should be referenced as {vault://aws/secret/path/%2Faaa/key}
Since Kong Gateway tries to resolve the secret reference as a valid URL, using a slash instead of a URL-encoded slash will result in unexpected secret name fetching.
I have secrets stored in multiple AWS Secret Manager regions, how do I reference those secrets in Kong Gateway?
You can create multiple Vault entities, one per region with the config.region parameter. You’d then reference the secret by the name of the Vault:
{vault://aws-eu-central-vault/secret-name/foo}
{vault://aws-us-west-vault/secret-name/snip}
I’m using Google Workload Identity, how do I configure a Vault?
To use GCP Secret Manager with
Workload Identity
on a GKE cluster, update your pod spec so that the service account (GCP_SERVICE_ACCOUNT) is
attached to the pod. For configuration information, read the Workload
Identity configuration
documentation.
Notes:
- With Workload Identity, setting the
GCP_SERVICE_ACCOUNTisn’t necessary.- When using GCP Vault as a backend, make sure you have configured
systemas part of thelua_ssl_trusted_certificateconfiguration directive so that the SSL certificates used by the official GCP API can be trusted by Kong Gateway.
How does Kong Gateway retrieve secrets from HashiCorp Vault?
Kong Gateway retrieves secrets from HashiCorp Vault’s HTTP API through a two-step process: authentication and secret retrieval.
Step 1: Authentication
Depending on the authentication method defined in config.auth_method, Kong Gateway authenticates to HashiCorp Vault using one of the following methods:
token auth method, Kong Gateway uses the config.token as the client token.kubernetes auth method, Kong Gateway uses the service account JWT token mounted in the pod (path defined in the config.kube_api_token_file) to call the login API for the Kubernetes auth path on the HashiCorp Vault server and retrieve a client token.approle auth method, Kong Gateway uses the AppRole credentials to retrieve a client token. The AppRole role ID is configured by field config.approle_role_id, and the secret ID is configured by field config.approle_secret_id or config.approle_secret_id_file.
config.approle_response_wrapping to true, then the secret ID configured by
config.approle_secret_id or config.approle_secret_id_file will be a response wrapping token,
and Kong Gateway will call the unwrap API /v1/sys/wrapping/unwrap to unwrap the response wrapping token to fetch
the real secret ID. Kong Gateway will use the AppRole role ID and secret ID to call the login API for the AppRole auth path
on the HashiCorp Vault server and retrieve a client token.By calling the login API, Kong Gateway will retrieve a client token and then use it in the next step as the value of X-Vault-Token header to retrieve a secret.
Step 2: Retrieving the secret
Kong Gateway uses the client token retrieved in the authentication step to call the Read Secret API and retrieve the secret value. The request varies depending on the secrets engine version you’re using. Kong Gateway will parse the response of the read secret API automatically and return the secret value.