Advanced Secrets Configuration

    You can configure your vault backend with query arguments.

    For example, the following query uses an option called with the value SECURE_:

    For more information on available configuration options, refer to respective .

    You can configure your vault backend with KONG_VAULT_<vault-backend>_<config_opt> environment variables.
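    The naming pattern above, applied to the env backend's prefix option, as an added example that is not part of the Kong documentation: a pre-flight check that every secret key Kong will reference is actually present in the environment under the configured prefix. It assumes the env backend resolves a key by upper-casing it, replacing "-" with "_" and prepending the prefix; the function names and the keys db-password and api-key are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the env vault backend.
# Assumption: the env backend maps a secret key to an environment variable
# by upper-casing it, replacing "-" with "_" and prepending the prefix.

# vault_opt_var BACKEND OPTION
# Prints the KONG_VAULT_<vault-backend>_<config_opt> variable name.
vault_opt_var() {
  printf 'KONG_VAULT_%s_%s\n' "$1" "$2" | tr 'a-z-' 'A-Z_'
}

# secret_var PREFIX KEY
# Prints the environment variable the env backend would read for KEY.
secret_var() {
  printf '%s%s\n' "$1" "$(printf '%s' "$2" | tr 'a-z-' 'A-Z_')"
}

# check_secrets KEY...
# Returns 0 only if every KEY resolves to a non-empty exported variable
# under the prefix taken from KONG_VAULT_ENV_PREFIX. printenv is used on
# purpose: it only sees exported variables, which is what Kong inherits.
check_secrets() {
  _prefix_var=$(vault_opt_var env prefix)
  _prefix=$(printenv "$_prefix_var" || true)
  _missing=0
  if [ -z "$_prefix" ]; then
    echo "warning: $_prefix_var is not set, so lookups are not namespaced" >&2
  fi
  for _key in "$@"; do
    _var=$(secret_var "$_prefix" "$_key")
    if [ -z "$(printenv "$_var")" ]; then
      # Report the variable name only, never a secret value.
      echo "missing: $_key (expected in \$$_var)" >&2
      _missing=1
    fi
  done
  return "$_missing"
}

# Usage, before starting Kong (keys are hypothetical):
#   export KONG_VAULT_ENV_PREFIX=SECRET_
#   check_secrets db-password api-key || exit 1
```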

      You can configure your vault backend using the Vault entity.

      The Vault entity can only be used once the database is initialized. Secrets for values that are used before the database is initialized can’t make use of the Vault entity.

      Create a Vault entity:

      HTTPie

      http -f PUT :8001/vaults/my-env-vault-1 \
        name=env \
        description="ENV vault for secrets" \
        config.prefix=SECRET_

      Config options depend on the associated backend used.

      This lets you drop the configuration from environment variables and query arguments and use the entity name in the reference:

      Secrets management is supported in decK 1.16 and later.

      You can configure a vault backend with decK. For example:

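      # decK state file: one env vault whose lookups are limited to MY_SECRET_* variables
      vaults:
      - config:
          prefix: MY_SECRET_
        description: ENV vault for secrets
        name: env              # backend type, as in the Vault entity example
        prefix: my-env-vault   # name used to refer to this vault in references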

      For more information on configuring vaults and using secret references in declarative configuration files, see .