curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/config-stores" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN" \
--json '{
"name": "my-config-store"
}'
Configure the Konnect Config Store vault
- Use the Konnect API to create a Config Store using the /config-stores endpoint.
- Create a Konnect Vault using the /vaults/ endpoint or UI.
- Store your secret as a key/value pair using the /secrets endpoint or the UI.
- Reference the secret using the Vault prefix and key (for example: {vault://mysecretvault/secret-key}).
Prerequisites
Kong Konnect
This is a Konnect tutorial and requires a Konnect personal access token.
- Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
- Export your token to an environment variable:
export KONNECT_TOKEN='YOUR_KONNECT_PAT'
- Run the quickstart script to automatically provision a Control Plane and Data Plane, and configure your environment:
curl -Ls https://get.konghq.com/quickstart | bash -s -- -k $KONNECT_TOKEN --deck-output
This sets up a Konnect Control Plane named quickstart, provisions a local Data Plane, and prints out the following environment variable exports:
export DECK_KONNECT_TOKEN=$KONNECT_TOKEN
export DECK_KONNECT_CONTROL_PLANE_NAME=quickstart
export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
export KONNECT_PROXY_URL='http://localhost:8000'
Copy and paste these into your terminal to configure your session.
decK v1.43+
decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial, install decK version 1.43 or later.
This guide uses deck gateway apply, which directly applies entity configuration to your Gateway instance.
We recommend upgrading your decK installation to take advantage of this tool.
You can check your current decK version with deck version.
Konnect API
To copy, paste, and run the instructions in this how-to, you must export the additional environment variable CONTROL_PLANE_ID:
export CONTROL_PLANE_ID='YOUR CONTROL PLANE ID'
You can find your control plane UUID by navigating to the control plane in the Konnect UI or by sending a GET request to the /control-planes endpoint.
Configure a Konnect Config Store
Before you can configure a Konnect Vault, you must first create a Config Store using the Control Planes Configuration API by sending a POST request to the /config-stores endpoint:
Export the Config Store ID in the response body as an environment variable so you can use it later:
export DECK_CONFIG_STORE_ID='CONFIG STORE ID'
Note: If you’re configuring the Konnect Vault via the Konnect UI, you can skip this step as the UI creates the Config Store for you.
Configure Konnect as your Vault
Enable Konnect as your vault with the Vault entity:
Store a secret in your Konnect Vault
By storing a secret in a Konnect Vault, you can reference it within kong.conf or as a referenceable plugin field without having to store any values in plain text.
Validate
You can validate that your secret was stored correctly by sending a GET request to the /secrets endpoint:
curl -X GET "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/config-stores/$DECK_CONFIG_STORE_ID/secrets/" \
--no-progress-meter --fail-with-body \
-H "Authorization: Bearer $KONNECT_TOKEN"
Note: If you configured your Vault and secret using the UI, you can find your Config Store ID by sending a GET request to the /control-planes/{controlPlaneId}/config-stores endpoint.
If your secret was successfully stored in Konnect, the endpoint should return a 201 status code and your secret-key key in the output.
You can now reference your Konnect secret in configurations as {vault://mysecretvault/secret-key}. For more information about supported secret types, see What can be stored as a secret.
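The following is an added example, not part of Kong's documentation: a pre-apply check that every {vault://prefix/key} reference in a decK state file uses the expected Vault prefix and a key that exists in the Config Store. The function name, the sample file, and its plugin and field names are assumptions; it handles the two-part reference form shown on this page, and the key list is what you would take from the /secrets listing above.

```sh
# check_vault_refs FILE PREFIX KEY...   (hypothetical helper, added example)
#   FILE   - decK state file to scan
#   PREFIX - prefix of the Vault entity (mysecretvault in this tutorial)
#   KEY... - keys known to exist in the Config Store
# Prints one line per problem; returns 0 if every reference is valid, 1 otherwise.
check_vault_refs() {
  cvr_file=$1; cvr_prefix=$2; shift 2
  cvr_bad=0
  # grep -o emits each reference on its own line; no match is not an error here.
  cvr_refs=$(grep -o '{vault://[^}]*}' "$cvr_file" || true)
  while IFS= read -r cvr_ref; do
    [ -n "$cvr_ref" ] || continue
    cvr_body=${cvr_ref#?vault://}   # drop the leading "{vault://"
    cvr_body=${cvr_body%?}          # drop the trailing "}"
    cvr_p=${cvr_body%%/*}           # text before the first "/"
    cvr_k=${cvr_body#*/}            # text after the first "/"
    if [ "$cvr_p" = "$cvr_body" ] || [ -z "$cvr_p" ] || [ -z "$cvr_k" ]; then
      echo "malformed reference: $cvr_ref"; cvr_bad=1; continue
    fi
    if [ "$cvr_p" != "$cvr_prefix" ]; then
      echo "unknown vault prefix: $cvr_ref"; cvr_bad=1; continue
    fi
    cvr_found=0
    for cvr_known in "$@"; do
      if [ "$cvr_known" = "$cvr_k" ]; then cvr_found=1; fi
    done
    if [ "$cvr_found" -eq 0 ]; then
      echo "key not in config store: $cvr_ref"; cvr_bad=1
    fi
  done <<EOF
$cvr_refs
EOF
  return "$cvr_bad"
}

# Constructed sample state file; plugin and field names are placeholders.
sample=$(mktemp)
cat > "$sample" <<'YAML'
plugins:
  - name: example-plugin
    config:
      api_key: "{vault://mysecretvault/secret-key}"
      typo_prefix: "{vault://mysecretvalt/secret-key}"
      typo_key: "{vault://mysecretvault/secret-kee}"
YAML
check_vault_refs "$sample" mysecretvault secret-key || echo "fix references before applying"
rm -f "$sample"
```

Run it before deck gateway apply so that a mistyped prefix or key is caught while the state file is still under review.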
Cleanup
Clean up Konnect environment
If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.
FAQs
Can I reference Konnect Config Store Vault secrets in kong.conf?
No. You can’t reference secrets stored in a Konnect Config Store Vault in kong.conf because Konnect resolves the secret after Kong Gateway connects to the control plane. For more information about the fields you can reference as secrets, see What can be stored as a secret?