Since Konnect data plane container names can vary, set your container name as an environment variable:
export KONNECT_DP_CONTAINER='your-dp-container-name'
Copied!
Configure HashiCorp Vault as a vault backend with OAuth2
Deployment Platform
Related Documentation
Related Resources
Minimum Version
Kong Gateway - 3.13
TL;DR
- Get your OAuth2 application domain, client ID, and client secret from your IdP.
- Create a HashiCorp vault with the JWT role type.
- In Kong Gateway, create a Vault entity with the
config.auth_methodset tooauth2, and the requires HashiCorp and OAuth2 parameters.
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
-
Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
-
Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'Copied! -
Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-outputCopied!This sets up a Konnect Control Plane named
quickstart, provisions a local Data Plane, and prints out the following environment variable exports:export DECK_KONNECT_TOKEN=$KONNECT_TOKEN export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com export KONNECT_PROXY_URL='http://localhost:8000'Copied!Copy and paste these into your terminal to configure your session.
Kong Gateway running
This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.
-
Export your license to an environment variable:
export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'Copied! -
Run the quickstart script:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATACopied!Once Kong Gateway is ready, you will see the following message:
Kong Gateway Ready
decK v1.43+
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
Auth0
You’ll need an Auth0 account to complete this tutorial.
Configure access to the Auth0 Management API
To use OAuth2 authentication for your HashiCorp Vault with Auth0 as the identity provider (IdP), there are two important configurations to prepare in Auth0. First, you must authorize an Auth0 application so Kong Gateway can use the Auth0 Management API on your behalf. Next, you will create an API audience that Kong Gateway applications will be granted access to.
To get started configuring Auth0, log in to your Auth0 dashboard and complete the following:
-
From the sidebar, select Applications > Applications.
-
Click Create Application.
-
Give the application a memorable name, like “HashiCorp Vault OAuth2”.
-
Select the application type Machine to Machine Applications and click Create.
-
Select Auth0 Management API from the drop-down list.
- In the Permissions section, select the following permissions to grant access, then click Authorize:
read:client_grantscreate:client_grantsdelete:client_grantsupdate:client_grantsread:clientscreate:clientsdelete:clientsupdate:clientsupdate:client_keys
Note: If you’re using Developer Managed Scopes, add
read:resource_serversto the permissions for your initial client application. -
Click Authorize.
-
On the application page, click the Settings tab, locate the values for Domain, Client ID and Client Secret, and export them as environment variables:
export DECK_DOMAIN="YOUR AUTH0 DOMAIN" export DECK_CLIENT_ID="YOUR AUTH0 CLIENT ID" export DECK_CLIENT_SECRET="YOUR AUTH0 CLIENT SECRET"Copied!
Configure your HashiCorp Vault
Important: This tutorial uses the literal
rootstring as your token, which should only be used in testing and development environments.
- Install HashiCorp Vault.
- In a new terminal, start your Vault dev server with
rootas your token.vault server -dev -dev-root-token-id rootCopied! - In the output from the previous command, copy the
VAULT_ADDRto export. - In the terminal window where you exported your Auth0 variables, export your
VAULT_ADDRas an environment variable. - Verify that your Vault is running correctly:
vault statusCopied! - Enable JWT and add the Auth0 JWKS URL:
vault auth enable jwt vault write auth/jwt/config jwks_url="https://$DECK_DOMAIN/.well-known/jwks.json"Copied! - Configure a JWT role named
demo:vault write auth/jwt/role/demo \ role_type=jwt \ user_claim=sub \ token_type=batch \ token_policies="default" \ bound_subject="$DECK_CLIENT_ID@clients" \ bound_audiences="https://$DECK_DOMAIN/api/v2/"Copied! - Add a secret:
vault kv put -mount="secret" "password" pass1=my-passwordCopied! - Export the HashiCorp host and token to your environment:
export DECK_HCV_HOST=host.docker.internal export DECK_HCV_TOKEN=rootCopied!In this tutorial, we’re using
host.docker.internalas our host instead of thelocalhostvariable that HashiCorp Vault uses by default. This is because if you used the quick-start script Kong Gateway is running in a Docker container and uses a differentlocalhost. Because we are running HashiCorp Vault in dev mode, we are usingrootfor ourtokenvalue.
Allow read access to your HashiCorpVault
-
Navigate to http://localhost:8200/ to access the HashiCorp Vault UI.
-
Enter “root” in the Token field and click Sign in.
-
Click Policies.
-
Click default.
- Click Edit policy and append the following to the policy file:
path "secret/*" { capabilities = ["read"] }Copied! - Click Save
Create a Vault entity for HashiCorp Vault
Create a Vault entity with the required parameters for HashiCorp Vault:
echo '
_format_version: "3.0"
vaults:
- name: hcv
prefix: hashicorp-vault
description: Storing secrets in HashiCorp Vault
config:
host: "${{ env "DECK_HCV_HOST" }}"
token: "${{ env "DECK_HCV_TOKEN" }}"
kv: v2
mount: secret
port: 8200
protocol: http
auth_method: oauth2
oauth2_role_name: demo
oauth2_token_endpoint: https://${{ env "DECK_DOMAIN" }}/oauth/token
oauth2_client_id: "${{ env "DECK_CLIENT_ID" }}"
oauth2_client_secret: "${{ env "DECK_CLIENT_SECRET" }}"
oauth2_audiences: https://${{ env "DECK_DOMAIN" }}/api/v2/
' | deck gateway apply -
Copied!
Validate
To validate that the secret was stored correctly in HashiCorp Vault, you can call a secret from your vault using the kong vault get command within the Data Plane container.
docker exec $KONNECT_DP_CONTAINER kong vault get {vault://hashicorp-vault/password/pass1}
Copied!
docker exec kong-quickstart-gateway kong vault get {vault://hashicorp-vault/password/pass1}
Copied!
If the vault was configured correctly, this command should return the value of the secret. You can use {vault://hashicorp-vault/password/pass1} to reference the secret in any referenceable field.
For more information about supported secret types, see What can be stored as a secret.
Cleanup
Clean up HashiCorp Vault
Stop the HashiCorp Vault dev server container by running the following:
docker rm -f vault
Copied!
Destroy the Kong Gateway container
curl -Ls https://get.konghq.com/quickstart | bash -s -- -d
Copied!
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
FAQs
Can I configure Vault in a different way without using the Vault entity directly?
Yes, you can also configure a Vault in one of the following ways:
- Using environment variables, set at Kong Gateway startup
- Using parameters in
kong.conf, set at Kong Gateway startup
See the Vault reference for your provider for the available parameters and their format in each method.