Home / How-to Guides
Edit
Report

Store a Mistral API key as a secret in Konnect Config Store

Uses: Kong Gateway AI Gateway decK
Related Documentation
All Gateway Documentation
All decK Documentation
Incompatible with
on-prem
Tags
#security #secrets-management #ai
Related Resources
Secrets management
Vault entity
Configure the Konnect Config Store
AI Proxy plugin
Mistral AI documentation
Minimum Version
Kong Gateway - 3.4
TL;DR
  1. Use the Konnect API to create a Config Store using the /config-stores endpoint.
  2. Create a Konnect Vault using the /vaults/ endpoint.
  3. Store your Mistral API key as a key/value pair using the /secrets endpoint.
  4. Reference the secret using the Vault prefix and key (for example: {vault://mysecretvault/mistral-key}) in the AI Proxy plugin header_value.

Prerequisites

Kong Konnect

This is a Konnect tutorial. If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:

    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
    • Control Plane Name: You can use an existing Control Plane or create a new one to use for this tutorial.
    • Konnect Proxy URL: By default, a self-hosted Data Plane uses http://localhost:8000. You can set up Data Plane nodes for your Control Plane from the Gateway Manager in Konnect.

  2. Set the personal access token, the Control Plane name, the Control Plane URL, and the Konnect proxy URL as environment variables:

     export DECK_KONNECT_TOKEN='YOUR KONNECT TOKEN'
 export DECK_KONNECT_CONTROL_PLANE_NAME='YOUR CONTROL PLANE NAME'
 export KONNECT_CONTROL_PLANE_URL=https://us.api.konghq.com
 export KONNECT_PROXY_URL='KONNECT PROXY URL'

Kong Gateway running

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'

  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready

decK

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

Required entities

For this tutorial, you’ll need Kong Gateway entities, like Gateway Services and Routes, pre-configured. These entities are essential for Kong Gateway to function but installing them isn’t the focus of this guide. Follow these steps to pre-configure them:

  1. Run the following command:

    echo '
_format_version: "3.0"
services:
  - name: example-service
    url: http://httpbin.konghq.com/anything
routes:
  - name: example-route
    paths:
    - "/anything"
    service:
      name: example-service
' | deck gateway apply -

To learn more about entities, you can read our entities documentation.

Mistral AI API key

In this tutorial, you’ll be storing your Mistral AI API key as a secret in a Konnect Vault.

In the Mistral AI console, create an API key and copy it. You’ll add this API key as a secret to your vault.

Export the API key as an environment variable:

export MISTRAL_API_KEY='YOUR API KEY'

Konnect API

To use the copy, paste, and run the instructions in this how-to, you must export the additional environmental variable CONTROL_PLANE_ID:

export CONTROL_PLANE_ID='YOUR CONTROL PLANE ID'

You can find your control plane UUID by navigating to the control plane in the Konnect UI or by sending a GET request to the /control-planes endpoint.

Configure a Konnect Config Store

Before you can configure a Konnect Vault, you must first create a Config Store using the Control Planes Configuration API by sending a POST request to the /config-stores endpoint:

curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/config-stores" \
     -H "Accept: application/json"\
     -H "Content-Type: application/json"\
     -H "Authorization: Bearer $DECK_KONNECT_TOKEN" \
     --json '{
       "name": "my-config-store"
     }'

Export your Config Store ID as an environment variable so you can use it later:

export DECK_CONFIG_STORE_ID='CONFIG STORE ID'

Configure Konnect as your Vault

Enable Konnect as your vault with the Vault entity:

echo '
_format_version: "3.0"
vaults:
  - name: konnect
    prefix: mysecretvault
    description: Storing secrets in Konnect
    config:
      config_store_id: "${{ env "DECK_CONFIG_STORE_ID" }}"
' | deck gateway apply -

Store the Mistral AI key as a secret

In this tutorial, you’ll be storing the Mistral API key you set previously and using it to generate an answer to a question using the AI Proxy plugin. By storing it as a secret in a Konnect Vault, you can reference it during plugin configuration in the next step.

Store your Mistral key as a secret by sending a POST request to the /secrets endpoint:

curl -X POST "$KONNECT_CONTROL_PLANE_URL/v2/control-planes/$CONTROL_PLANE_ID/config-stores/$DECK_CONFIG_STORE_ID/secrets/" \
     -H "Accept: application/json"\
     -H "Content-Type: application/json"\
     -H "Authorization: Bearer $DECK_KONNECT_TOKEN" \
     --json '{
       "key": "mistral-key",
       "value": "Bearer '$MISTRAL_API_KEY'"
     }'

Reference your stored Mistral API key

To reference your stored Mistral API key, you use the prefix from your Vault config, the name of the secret, and optionally the property in the secret you want to use. Now, you’ll reference the Mistral API key as a secret in the authorization header of the AI Proxy plugin configuration.

Enable the AI Proxy plugin on your Route:

echo '
_format_version: "3.0"
plugins:
  - name: ai-proxy
    route: example-route
    config:
      route_type: llm/v1/chat
      auth:
        header_name: Authorization
        header_value: "{vault://mysecretvault/mistral-key}"
      model:
        provider: mistral
        name: mistral-tiny
        options:
          mistral_format: openai
          upstream_url: https://api.mistral.ai/v1/chat/completions
' | deck gateway apply -

Validate

You can use the AI Proxy plugin to confirm that the plugin is using the correct API key when a request is made:

curl -X POST "$KONNECT_PROXY_URL/anything" \
     -H "Accept: application/json"\
     -H "Content-Type: application/json" \
     --json '{
       "messages": [
         {
           "role": "system",
           "content": "You are a mathematician"
         },
         {
           "role": "user",
           "content": "What is 1+1?"
         }
       ]
     }'

Cleanup

Clean up Konnect environment

If you created a new control plane and want to conserve your free trial credits or avoid unnecessary charges, delete the new control plane used in this tutorial.

FAQs

How do I replace certificates used in Kong Gateway data plane nodes with a secret reference?

Set up a Konnect or any other Vault and define the certificate and key in a secret in the Vault.

Next Steps

Review the Vaults entity
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support