Home / Kong Plugin Hub
Edit
Report

Access Control Enforcement

Overview ExamplesGuidesConfiguration reference Changelog
Related Documentation
Gateway Documentation
Made by
Kong Inc.
Incompatible with
on-prem
Supported Gateway Topologies
hybrid
Supported Konnect Deployments
hybrid cloud-gateways serverless
Compatible Protocols
grpc grpcs http https
Priority
955
Minimum Version
Kong Gateway - 3.13
Tags
#traffic-control
Related Resources
Dev Portal API packaging

The Access Control Enforcement (ACE) plugin manages developer access control to APIs published with Dev Portal.

You can use the ACE plugin as an alternative to the Konnect application auth (KAA) plugin to link APIs to a Gateway instead of linking APIs to a Gateway Service. Unlike the KAA plugin, the ACE plugin can link to control planes to configure access control and create API package operations for Gateway Services. API packages use the ACE plugin to manage developer access control to APIs.

The ACE plugin runs after all other authentication plugins run. For example, if you have Key Authentication configured and it rejects a request, the ACE plugin will not run.

To allow for multiple authentication plugins, each one must set the config.anonymous plugin configuration. Additionally, the choice to allow or reject an anonymous result after all authentication plugins have run needs to be controlled as described in using multiple authentication methods.

When to use the ACE plugin instead of KAA

When you link an API to a Gateway, you have two options:

These plugins are responsible for applying authentication and authorization on the Gateway Service or control plane. The authentication strategy that you select for the API defines how clients authenticate.

The following table can help you decide which option to pick:

Option

KAA plugin

ACE plugin
Scope Linked to a single Gateway Service Linked to an entire control plane
Plugin applied… Automatically on the Gateway Service linked to the API Manually
Managed by… Konnect. You can only modify it by configuring JSON in the advanced configuration for your application auth strategy. You, by manually configuring the plugin.
Kong Gateway version 3.6 or later 3.13 or later
Can be used with declarative configuration No, because the plugin is applied automatically Yes, because you must configure the plugin
Can be used with API packages No Yes

Do not configure the KAA and ACE plugins on the same control plane because their overlapping interactions can be unpredictable.

Route matching policy

When you configure the ACE plugin, you must set either required or present for config.match_policy. This determines how the ACE plugin will behave when a request doesn’t match an existing Route.

Keep in mind that misconfigurations can overexpose unintended Routes.

The following table describes what the match_policy values do and when to use each:

Setting

Description

Limitations

Use cases
required Requires every incoming request to match a defined operation from an API or API package in Dev Portal. If a request doesn’t match, ACE rejects the request outright with a 404. All traffic will be rejected except operations or Routes in published APIs linked to an ACE-enabled Kong Gateway.

Warning: Setting the match_policy to required can block all traffic with a 404. Any undefined endpoints will be blocked. If you accidentally enable this in your control planes, this could cause a potential outage in production.
  • Shuts down all traffic outside of ACE-enabled Dev Portal APIs.
  • If the plugin is improperly configured, potentially all traffic could be terminated.
  • You want to lock down Konnect so that only traffic that is part of an explicitly defined API operation is allowed through.
  • You only plan to provide self-service access via your Dev Portal.
if_present By default, the ACE plugin only engages with a request when it matches an operation. If a request doesn’t match, ACE lets the request pass through untouched. This means that non-matching requests aren’t rejected, but ACE also won’t perform authentication and authorization on them. This allows a request to still be processed by other plugins with a lower priority than ACE.
  • All traffic outside of published APIs linked to an ACE-enabled Kong Gateway won’t be access controlled; this must be configured with a different authentication plugin. Dev Portal will not be able to protect all operations.
  • Since Routes aren’t protected by default in this mode, any mistyped or omitted operation in API entities could result in open access.
  • You have an environment where some Gateway Services or Routes are governed by Dev Portal–exposed APIs (with ACE), while others are regular Routes that should be left alone.
  • You already have existing traffic and other access controls in place and want to avoid interruption.
Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Slack Community
Contact Support