Konnect Config Store

You can store your sensitive data directly in Konnect via the Konnect Config Store. Konnect Config Store is scoped to a control plane today and works directly with Gateway’s Vaults entity in Gateway Manager to easily manage security and governance policies. Konnect Config Store is built with security in mind such that once a secret is stored in Konnect, you cannot view the value again. This ensures that sensitive data is not visible in plain text anywhere.

Configure the Konnect config store

API

decK

Create a config store entity in Konnect and save the config_store_id from the response body.

curl -i -X POST https://{region}.api.konghq.com/v2/control-planes/{control-plane-id}/config-stores \
  --header 'Authorization: Bearer {kpat_token}' \
  --header 'Content-Type: application/json' \
  --data '{
	"name": "my-config-store"
}'

Using the config_store_id create a POST request to associate the config store with the vault.

curl -i -X POST https://{region}.api.konghq.com/v2/control-planes/{control-plane-id}/core-entities/vaults/  \
  --header 'Authorization: Bearer {kpat_token}' \
  --header 'Content-Type: application/json' \
  --data '{
	"config":{
		"config_store_id": "{my-config-store-id}"
	},
	"description": "Description of your vault",
	"name": "konnect",
	"prefix": "mysecretvault"
}'

In Gateway Manager select a control plane.
Click New vault.
Choose Konnect
Enter the configuration settings for your vault and Save.

decK doesn’t support creating a Konnect config store, but you can reference secrets stored in a config store with decK.

Using the Control Plane Config API, create a config store entity in Konnect and save the config_store_id from the response body:

curl -i -X POST https://{region}.api.konghq.com/v2/control-planes/{control-plane-id}/config-stores \
  --header 'Authorization: Bearer {kpat_token}' \
  --header 'Content-Type: application/json' \
  --data '{
	"name": "my-config-store"
}'

Using the generated config_store_id, send a POST request to associate the config store with the vault:

curl -i -X POST https://{region}.api.konghq.com/v2/control-planes/{control-plane-id}/core-entities/vaults/  \
  --header 'Authorization: Bearer {kpat_token}' \
  --header 'Content-Type: application/json' \
  --data '{
	"config":{
		"config_store_id": "{my-config-store-id}"
	},
	"description": "Description of your vault",
	"name": "konnect",
	"prefix": "mysecretvault"
}'

Reference the Konnect config store in your decK file:

_format_version: "3.0"
vaults:
- config:
    config_store_id: {my-config-store-id}
  description: Storing secrets in Konnect
  name: konnect
  prefix: mysecretvault

Reference Konnect Config Store secrets

You can now store secrets in the Konnect Config Store and reference them throughout the control plane.

For instance, a secret named secret-name can be referenced using:

{vault://mysecretvault/secret-name}

This allows Kong Gateway to recognize and retrieve the stored secrets. Additionally, a secret can hold multiple key-value pairs if needed:

{
  "foo": "bar",
  "snip": "snap"
}

To make these secrets accessible to Kong Gateway, reference the vault using a specific URL format. For the example above, the references would be:

{vault://mysecretvault/secret-name/foo}
{vault://mysecretvault/secret-name/snip}

Supported fields

Parameter	Field Name	Description
`vaults.description`	Description	An optional description for your vault.
`vaults.name`	Name	The type of vault. Accepts one of: `konnect`, `env`, `gcp`, `aws`, or `hcv`.
`vaults.prefix`	Prefix	The reference prefix. You need this prefix to access secrets stored in this vault. For example, `{vault://<vault-prefix>/<some-secret>}`.